incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Noel J. Bergman" <>
Subject RE: enforced signing of artifacts, [was maven repository]
Date Mon, 02 Jun 2008 22:09:11 GMT
Robert Burrell Donkin wrote:

> my conclusion was that meta-data signed by [keys in the] WoT would be good

> there's no need to distribute a master key


> key management is tricky

Not that tricky.  Let's not make as if this isn't done routinely elsewhere.

> this is where the complexity lies. IIRC it was quite tough to come up
> with a user friendly trust model that worked correctly.

Not so much, seeing as how you just agreed with CLR:

> For example, "trust all unsigned", "trust all signed", "trust all signed
> Apache WOT" might be reasonable policies declared by the user.

> we don't actually require that the artifacts are signed: just
> meta-data about the artifacts

What do you think a signature is in the first place?  It is a digitally
encrypted hash, i.e., meta-data.

	--- Noel

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message