incubator-general mailing list archives

From "Noel J. Bergman"
Subject re: status of PGP support in Maven
Date Fri, 03 Oct 2008 14:50:35 GMT
Moved to the thread it belongs in ...

Jason van Zyl wrote:
> Noel J. Bergman wrote:
>> Emmanuel Lecharny wrote:
>>> Better a bad decision than no decision, otherwise, soon, nobody will
>>> vote anymore...
>> Not really.  Consider that there appears to be a clear consensus
>> that if Maven were to fix the download situation, requiring that users
>> approve the use of Incubator artifacts, rather than transparently use
>> them, many of the -1 would be +1.

> That's unlikely to happen. We're not going to be implementing policy
> enforcement for you.

We don't need for you to implement any "policy" other than the requirement
for users to approve authorized signing keys.  You simply need to implement
artifact signing and mandatory authorization, which is why I've moved this
to the thread Brett started for purposes of discussing signing.

Did you not see what just happened to Redhat with respect to Fedora?  They
take artifact security seriously.  For a long time, it has appeared that
Maven does not, but I am hopeful now that mandatory authorization will
appear, so that I and others will not have to increase lobbying efforts to
have the Maven repository closed, at least with respect to ASF projects.

	--- Noel
