incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Noel J. Bergman" <>
Subject RE: enforced signing of artifacts, [was maven repository]
Date Mon, 02 Jun 2008 22:16:20 GMT
William A. Rowe, Jr. wrote:

> Why is it not equally possible to validate against a short list of keys
> (e.g. infra PMC members) and their immediate trust.  This is what gpg is
> good at.

First get the code built into Maven for actually checking the signatures and we're golden,
with multiple options.

> As far as signing jars, microsoft authenticode etc, Noel and I planned to
> create such a service (although we've both been really busy in the past few
> months).  But it will always require that the artifacts are already signed
> by someone in the ASF's web-of-trust via pgp.

I've been wondering when you'd come back to life, but you may have been waiting for me.  I
actually had time the past week.

	--- Noel

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message