incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Henning Schmiedehausen <>
Subject RE: status of PGP support in Maven
Date Mon, 06 Oct 2008 02:45:07 GMT
On Fri, 2008-10-03 at 12:31 -0400, Noel J. Bergman wrote:
> We don't have to.  We can simply mandate that every ASF project sign their
> artifacts and charge the Maven PMC with enforcing it.

No. The Maven PMC is charged with developing software for the Apache
Maven project. If we really want to put a distribution policy in place
and enforce it, I can see us creating a repository PMC which does this
(and talk to Maven about the features that they would like to see or
(gasp!) implement them and contribute them back to Maven. I would see
such a PMC as part of or collaborating with Infrastructure. 

Maven is a piece of software, not a distribution mechanism. They just
happen to build it because no one else did.

> And perhaps now you start to gain a glimer of the depth of the problem
> created by Maven's irresponsible, unconscionable, lackadaisical, attitude
> towards security, despite other repository exemplars (e.g., linux
> distributions), having had security in place for years.  Yes, it may be a

Please stop it, Noel. This is not constructive. 


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message