incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brian E. Fox" <>
Subject RE: enforced signing of artifacts, [was maven repository]
Date Mon, 02 Jun 2008 19:31:54 GMT
I think this thread belongs on the Maven lists as it's is only
tangential to the decision about the incubator repository. 

The process for getting new features included is to write a proposal and
put it on the wiki [1] and then email the dev list to begin a
discussion. There are some good ideas here but they need to be flushed
out by the Maven community as a whole.


-----Original Message-----
From: Robert Burrell Donkin [] 
Sent: Monday, June 02, 2008 2:40 PM
Subject: Re: enforced signing of artifacts, [was maven repository]

On Sat, May 31, 2008 at 8:11 PM, Craig L Russell <>
> On May 30, 2008, at 10:33 PM, Robert Burrell Donkin wrote:
>> On Sat, May 31, 2008 at 3:42 AM, Brett Porter
>> wrote:
>>> 2008/5/31 Brian E. Fox <>:
>>>> Can you elaborate more on what you mean here? I've been on the
Maven PMC
>>>> for over a year now and this is the first I've heard of it.
>>>> We do support signing of artifacts and all the maven releases are
>>>> signed. We obviously don't control all the other Apache projects in
>>>> way to enforce that they sign their artifacts.
>>> Noel is referring to enforcing checking signatures, not signing
>>> I've had a proposal out there for some time which anyone is free to
>>> comment on:
>>> There hasn't been a lot of traction behind it so far. Ease of use,
>>> especially OOTB, is probably one of the main concerns.
>> IMO this isn't really a maven issue: basic checks should be performed
>> on all releases. i favour a private subversion repository with custom
>> hooks for release publishing.
> I think that maven basically changes the equation, since it is
> for automatically downloading artifacts, and this feature is a huge
> usability win. I think that currently, usability trumps security.
> Since maven automatically downloads artifacts, it's technically
feasible for
> maven to verify the signatures of those artifacts and allow for
control by
> the user over whether or not to trust the artifacts.
> For example, "trust all unsigned", "trust all signed", "trust all
signed in
> Apache WOT" might be reasonable policies declared by the user.


- robert

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message