incubator-general mailing list archives

From Jason van Zyl <>
Subject Re: status of PGP support in Maven
Date Fri, 03 Oct 2008 15:13:08 GMT

On 3-Oct-08, at 10:50 AM, Noel J. Bergman wrote:

> Moved to the thread it belongs in ...
> Jason van Zyl wrote:
>> Noel J. Bergman wrote:
>>> Emmanuel Lecharny wrote:
>>>> Better a bad decision than no decision, otherwise, soon, nobody will
>>>> vote anymore...
>>> Not really.  Consider that there appears to be a clear consensus
>>> that if Maven were to fix the download situation, requiring that users
>>> approve the use of Incubator artifacts, rather than transparently use
>>> them, many of the -1 would be +1.
>> That's unlikely to happen. We're not going to be implementing policy
>> enforcement for you.
> We don't need for you to implement any "policy" other than the requirement
> for users to approve authorized signing keys.  You simply need to implement
> artifact signing and mandatory authorization, which is why I've moved this
> to the thread Brett started for purposes of discussing signing.

You are not the Incubator PMC, and what the Incubator says they  
require is far from clear. Disclaimers, notices, PGP keys. No one  
knows what anyone wants here. No one can follow these discussions.

There will be no mandatory authorization. That will not be turned on  
by default in the foreseeable future. The tools will exist for people  
to use as they see fit. It is more likely that people using repository  
managers will enable this, but it won't be turned on in the Maven  
client. Oleg, who is responsible for implementing Mercury which has  
full PGP support, has this functionality working on all branches of  
Maven but the option to use it will be in the hands of the user. As  
the quality and tools for supporting PGP get better, and more people  
use them, we will again take a look at the default behavior.

> Did you not see what just happened to Redhat with respect to Fedora?  They
> take artifact security seriously.  For a long time, it has appeared that
> Maven does not, but I am hopeful now that mandatory authorization will
> appear, so that I and others will not have to increase lobbying efforts to
> have the Maven repository closed, at least with respect to ASF projects.

Lobby away. Close the repository, then what's going to happen? Someone  
checks out all the sources with a CI system, builds everything and  
publishes them, then what are you going to do? Shut down anonymous SVN  
access because people are doing what they can by rights of the  
license? Track them down and tell them not to do it? Tell the Maven  
PMC to intervene to stop people from making submissions via JIRA? Stop  
the repositories that are already syncing Apache artifacts to central  
or hosting their own repositories? How are you going to stop people  
from doing this, Noel, when it's their right? You going to lock down  
everything to the point where no one wants to get involved?

> 	--- Noel



Jason van Zyl
Founder,  Apache Maven
jason at sonatype dot com

We know what we are, but know not what we may be.

   -- Shakespeare
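The mechanism the two sides are arguing about above, signing artifacts and requiring the user to approve a signing key before an artifact signed with it is used, as an added example that is not code from Maven, Mercury, or anyone in this thread. It uses Go's standard-library Ed25519 in place of PGP and a SHA-256 digest of the public key as a stand-in for a PGP fingerprint; the names (Signer, Verifier, DetachedSig, Mode, the Err values) are this example's own, and the three policy modes are an assumption chosen to mirror the positions in the thread: checks off (the client default described), warn only, and mandatory authorization (what a repository manager might switch on).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Mode is a hypothetical policy switch: ModeOff performs no checks, ModeWarn
// records trust problems but proceeds, ModeEnforce is mandatory authorization.
type Mode int

const (
	ModeOff Mode = iota
	ModeWarn
	ModeEnforce
)

var (
	ErrMissingSig      = errors.New("artifact has no detached signature")
	ErrUnauthorizedKey = errors.New("signing key has not been approved by the user")
	ErrBadSignature    = errors.New("signature does not verify over the artifact bytes")
)

// DetachedSig stands in for a .asc file: the signature plus the fingerprint of
// the key that produced it, so the verifier knows which approved key to consult.
type DetachedSig struct {
	KeyFingerprint string
	Sig            []byte
}

// Fingerprint is a stand-in for a PGP fingerprint: hex SHA-256 of the raw key.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Signer is the publisher side. Ed25519 replaces PGP here only so that the
// example runs with the standard library alone.
type Signer struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Pub: pub, priv: priv}, nil
}

// Sign produces a detached signature over the complete artifact bytes.
func (s *Signer) Sign(artifact []byte) DetachedSig {
	return DetachedSig{KeyFingerprint: Fingerprint(s.Pub), Sig: ed25519.Sign(s.priv, artifact)}
}

// Verifier is the consumer side. Only keys the user explicitly approved are
// consulted: a valid signature from an unapproved key is still a trust failure,
// which keeps the authorization decision separate from the cryptographic check.
type Verifier struct {
	Mode     Mode
	approved map[string]ed25519.PublicKey
	Warnings []string
}

func NewVerifier(mode Mode) *Verifier {
	return &Verifier{Mode: mode, approved: map[string]ed25519.PublicKey{}}
}

// Approve records the user's decision to authorize a signing key.
func (v *Verifier) Approve(pub ed25519.PublicKey) { v.approved[Fingerprint(pub)] = pub }

// Check returns nil when the artifact may be used under the current Mode.
// Trust failures (no signature, unapproved key) follow the Mode; a signature
// that fails cryptographically is rejected whenever checking is on at all.
func (v *Verifier) Check(name string, artifact []byte, sig *DetachedSig) error {
	if v.Mode == ModeOff {
		return nil
	}
	if sig == nil {
		return v.trustFailure(name, ErrMissingSig)
	}
	pub, ok := v.approved[sig.KeyFingerprint]
	if !ok {
		return v.trustFailure(name, ErrUnauthorizedKey)
	}
	if !ed25519.Verify(pub, artifact, sig.Sig) {
		return fmt.Errorf("%s: %w", name, ErrBadSignature)
	}
	return nil
}

// trustFailure downgrades a trust problem to a recorded warning under ModeWarn.
func (v *Verifier) trustFailure(name string, err error) error {
	if v.Mode == ModeWarn {
		v.Warnings = append(v.Warnings, fmt.Sprintf("%s: %v", name, err))
		return nil
	}
	return fmt.Errorf("%s: %w", name, err)
}
```

Under ModeWarn an unapproved key cannot be verified at all, because the verifier deliberately holds no key it has not been told to trust; the warning is therefore the only signal the user gets, which is the trade-off a warn-only default makes.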
