incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Gilles Scokart" <>
Subject Re: enforced signing of artifacts, [was maven repository]
Date Tue, 03 Jun 2008 10:41:25 GMT
I thought this thread started with the idea : if maven would be able
to validate signature, we could use this feature to inform someone
that he is using incubator artefacts.
I thought the idea that launched this thread was to have a unique key
for the incubator that the user has as to trust if he want to use
incubator artefacts.

My question was in that context.

2008/6/2 Noel J. Bergman <>:
> Gilles Scokart wrote:
>> Noel J. Bergman:
>> > Implement that, and we're fine.  We will
>> > require Incubator artifacts to be signed by a designated key available
> to
>> > the PMC, and once a user has acknowledged that they accept such
> Incubator
>> > signed artifacts, maven can do what it wants with them.
>>        --- Noel
>> Is that really possible?
> Very.
>> I remember some discussion on the infra list about an ASF wide signature.
>> And the conclusion was always the same: how to secure a key that can be
>> used by so many people.  If I remember well, some solution were proposed,
>> but they were quiet heavy.  Do we have a solution for that?
> There are various things that can be done with respect to key management.
> Personally, I would not go with a single key.  But maven ought to maintain a
> trust file, with options to accept files that are signed with a trusted key,
> or signed by a key that is signed by a trusted key, etc.  The first thing
> that has to happen is for the Maven PMC to make security a priority.
>        --- Noel

Gilles Scokart

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message