incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <>
Subject Re: status of PGP support in Maven
Date Wed, 24 Sep 2008 06:20:49 GMT
Henning Schmiedehausen wrote:
> So you assume that that can not be hacked? What if a
> signing key *IS* in KEYS but not signed by anyone (because the developer
> has never attended an Apache key signing event)?

No, I answered your question.

W.r.t.{tlp}/KEYS, we have a serious issue to address,
because it's not https: accessible so cannot be trusted.  Yes, it's quite
possible to fetch{tlp}/{code}/trunk/KEYS
but that's not what we suggest, and suboptimal to boot.

The bigger problem is that you appear to be arguing against solving the
problem rather than offering solutions, and I recall some have suggested
that this thread should die already.  Maybe time to take this to maven
where it belongs?

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message