incubator-general mailing list archives

From Henning Schmiedehausen <>
Subject RE: status of PGP support in Maven
Date Sat, 04 Oct 2008 00:01:32 GMT

On Fri, 2008-10-03 at 11:20 -0400, Noel J. Bergman wrote:
> Henning Schmiedehausen wrote:
> > There is a pretty nice proposal on
> >, however this will again take a
> > piece of "freedom of doing software at Apache" away and introduce some
> > administrative overhead that all projects must implement and manage.
> But, as you say, it is worth doing something, whether exactly that or not,
> because
> > Formalizing the signing of our releases would be a huge step towards a
> > reliable validation for the Apache software releases.
> > It still does not help you with third-party releases, though.
> Is it our problem if you mean a third party, e.g., IBM, releasing our code
> as part of their own commercial product?

Actually I meant verifying/validating the third party dependencies that
Apache projects *use*. So even if we go through all the pains of making
sure that our users really get "apache-baz-1.0", it might just pull in
"some-random-dependency-from-sourceforge-1.0" which can not be
