incubator-general mailing list archives

From "Hiram Chirino" <>
Subject Re: status of PGP support in Maven
Date Fri, 19 Sep 2008 13:12:30 GMT
How about we include the signatures in the source distros?  That way
if you trust your source, then you can trust the dependencies it

On Thu, Sep 18, 2008 at 12:22 PM, Craig L Russell <> wrote:
> On Sep 17, 2008, at 5:32 PM, Henning Schmiedehausen wrote:
>> The only way around that I can see right away in a heavily mirrored
>> system, is to pull the signatures (and probably even the checksums) from
>> central all the time. Which represents a single point of failure and a
>> non-scaling element.
> I do understand the single point of failure, which means that if Apache
> central happens to be down, users cannot get to the signatures.
> But I don't see the scaling problem. I understand that to download an
> artifact that's more than 200 bytes, you really need mirrors to relieve the
> burden on Apache central. But I'd guess that our central server could handle
> a few hundred (thousand?) xxx.asc file downloads per minute, far in excess
> of the load.
> To me, the only place to store .asc files for all artifacts is in central.
> Not maven central, and not mirrors.
> Craig
> Craig L Russell
> Architect, Sun Java Enterprise System
> 408 276-5638
> P.S. A good JDO? O, Gasp!



Open Source SOA
