Ben Alex wrote:
> Luke Taylor wrote:
>
>> There was also some guy in the forum complaining about the fact that the
>> jar wasn't signed. We should probably formalize the use of PGP keys, add
>> them to the website and arrange to do some key signing when possible.
>> The readme file also needs to be changed.
>>
>
> I have a PGP key these days (ID 0x9BBCD24D) and know that both Luke and
> Carlos do, so it's pretty easy to go with ZIP-level signing - plus
> there's a lot of precedence for this approach courtesy of Apache. Do
> people feel we should continue to sign the JAR using keytool, though, as
> well? Does anyone actually rely upon JAR signing? Carlos, has Maven got
> any smarts in terms of automatic verification of JARs downloaded from
> repositories against the public keys in the repository or similar? I
> don't see a lot of value in maintaining two signing approaches, as it
> would make life harder for someone else to perform releases. In any
> event, I'm a little tired of annually renewing keytool certificates when
> PGP keys can be configured to never expire (yet still provide a
> revocation approach).
>

The only advantage of signing the JAR with keytool instead of PGP that I can see is that it makes Acegi easier to use in an Applet.

John
