incubator-general mailing list archives

From "Noel J. Bergman" <>
Subject RE: status of PGP support in Maven
Date Fri, 03 Oct 2008 15:05:45 GMT
Brett Porter wrote:

> Currently, it has checking turned on by default, but that isn't going to be
> a reasonable setting for some releases to come until the signatures in the
> repository are cleaned up.

Why not enforce checking, but provide the ability for users to manually
approve unsigned artifacts?  Once you cache the downloaded artifact, you
should not have to approve from cache.

> For the releases to be identified as from the incubator, they'll need to be
> signed solely by "the incubator". Did you want to elaborate on how you
> anticipated that set up working?

There are a variety of options, as have been discussed in this thread.  An
obvious, and overly simple, solution is a designated signing key for the
Incubator PMC, and we maintain strict control over the private key.  Just
having a naive WoT is insufficient, since while I might be authorized to
release for JAMES or the Incubator, I am not authorized to release for

But Henning, Dw, Ben (Laurie), Justin and others have experience in this
area, and the details should probably be discussed on infrastructure-dev.

	--- Noel

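A sketch of the policy discussed above (enforced checking, manual approval of unsigned artifacts remembered by content hash so a cached artifact is not re-approved, and per-project signer authorization rather than a naive WoT), as an added example in Python that is not from this thread or from Maven; the HMAC-based "keys", fingerprints, project names and artifact bytes are constructed stand-ins for PGP keys and repository contents.

```python
import hashlib
import hmac

# Stand-in for PGP keys (constructed for this example): an HMAC secret per key,
# identified by a fingerprint derived from the secret. Maven itself would call GnuPG.
KEYS = {"incubator-pmc": b"constructed-secret-A", "noel-james": b"constructed-secret-B"}
FINGERPRINT = {k: hashlib.sha256(s).hexdigest()[:16] for k, s in KEYS.items()}

# Per-project release authorization: trusting a key (a naive WoT) is not enough;
# the key must be designated for the project whose artifact it signs.
AUTHORIZED = {"incubator": {FINGERPRINT["incubator-pmc"]}, "james": {FINGERPRINT["noel-james"]}}


def sign(key_name, data):
    """Return (fingerprint, signature) for an artifact, as a release manager would."""
    return FINGERPRINT[key_name], hmac.new(KEYS[key_name], data, "sha256").hexdigest()


class ArtifactPolicy:
    """Checking is always enforced; unsigned artifacts need a manual approval that
    is recorded by content hash, so an already-approved (cached) artifact passes."""

    def __init__(self):
        self.approved = set()  # sha256 hex digests the user approved by hand

    def verify(self, project, data, signature, approve_unsigned):
        digest = hashlib.sha256(data).hexdigest()
        if signature is None:
            if digest in self.approved:
                return "cached-approval"  # approved once, no second prompt
            if not approve_unsigned(project, digest):
                raise PermissionError("unsigned artifact rejected")
            self.approved.add(digest)
            return "approved"
        fpr, mac = signature
        key_name = next((k for k, f in FINGERPRINT.items() if f == fpr), None)
        if key_name is None:
            raise PermissionError("unknown signing key")
        expected = hmac.new(KEYS[key_name], data, "sha256").hexdigest()
        if not hmac.compare_digest(mac, expected):
            raise PermissionError("signature does not match artifact")
        if fpr not in AUTHORIZED.get(project, set()):
            raise PermissionError("key is not authorized to release for " + project)
        return "verified"
```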