On Tue, Jan 5, 2010 at 12:18 PM, Musachy Barroso <musa...@gmail.com> wrote:
> you can download the files from the repo and sign it/generate
> checksums..but!..this happened before and there was a long discussion
> over if it was right or not and so on.

Do not do this. If you download the files, you have no way of knowing
if they are the same ones you put there. They could have been
corrupted, deliberately or otherwise, in the interim, and without
signatures you cannot verify what you have (which is why we want the
signatures in the first place). When you then sign those downloaded
files, you could be signing anything. Think of it as signing a blank
check and then giving that check to a stranger. Not something you want
to be doing.

--
Martin Cooper


> You can either:
>
> 1. sign the files/generate checksums locally and upload them
> 2. do the release again
>
> I'd say #1, considering how few people we have to test a new release,
> and it takes a while to test (yeah I went and generated a project one
> by one and ran it in jetty)
>
> musachy
>
> On Tue, Jan 5, 2010 at 12:06 PM, Lukasz Lenart
> <lukasz.len...@googlemail.com> wrote:
>> 2010/1/5 Wendy Smoak <wsm...@gmail.com>:
>>> I just re-checked and there are still no .asc signature files in the
>>> staging repo, so this cannot be released as-is.
>>
>> I found the problem - .asc files were only generated for
>> struts2-archetype-plugin and struts2-archetype-starter. The rest is
>> missing below entry in pom.xml - I have no idea how it was before
>> released :D
>>
>> Nevertheless, is it possible to generate only .asc files?
>>
>>  <profiles>
>>    <profile>
>>      <id>release</id>
>>      <build>
>>        <plugins>
>>          <plugin>
>>            <groupId>org.apache.maven.plugins</groupId>
>>            <artifactId>maven-gpg-plugin</artifactId>
>>            <executions>
>>              <execution>
>>                <id>sign-artifacts</id>
>>                <phase>verify</phase>
>>                <goals>
>>                  <goal>sign</goal>
>>                </goals>
>>              </execution>
>>            </executions>
>>          </plugin>
>>        </plugins>
>>      </build>
>>    </profile>
>>  </profiles>
>>
>>
>>
>> Regards
>> --
>> Lukasz
>> http://www.lenart.org.pl/
>> http://javarsovia.pl
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
>> For additional commands, e-mail: dev-h...@struts.apache.org
>>
>>
>
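Option 1 in the quoted message (sign locally and upload) is only safe when the signature is made over the release manager's own build output, which is the point of the reply above. The following is an added example, not part of the thread or of any Struts tooling: it compares a local build directory with a downloaded copy of the staging repository and decides, per artifact, whether a locally made `.asc` can be uploaded. The directory layout, file names and function names are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

SIDECARS = {".asc", ".md5", ".sha1"}  # signature/checksum files, not artifacts


def sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def plan_signing(local_dir: Path, staged_dir: Path) -> dict:
    """Classify each locally built artifact before any signature is made.

    sign     - staged copy is byte-identical and has no .asc yet:
               sign the LOCAL file and upload only the .asc
    mismatch - staged copy differs from the build: do not sign, investigate
    unstaged - artifact was never uploaded
    """
    plan = {"sign": [], "mismatch": [], "unstaged": []}
    for local in sorted(p for p in local_dir.iterdir()
                        if p.is_file() and p.suffix not in SIDECARS):
        staged = staged_dir / local.name
        if not staged.is_file():
            plan["unstaged"].append(local.name)
        elif sha256(staged) != sha256(local):
            plan["mismatch"].append(local.name)
        elif not (staged_dir / (local.name + ".asc")).is_file():
            plan["sign"].append(local.name)
    return plan


def demo() -> dict:
    # Constructed sample data: temp directories standing in for the
    # release manager's build output and a downloaded copy of staging.
    with tempfile.TemporaryDirectory() as tmp:
        local, staged = Path(tmp, "local"), Path(tmp, "staged")
        local.mkdir()
        staged.mkdir()
        for name, data in [("core-1.0.jar", b"A"), ("plugin-1.0.jar", b"B"),
                           ("extra-1.0.jar", b"C")]:
            (local / name).write_bytes(data)
        (staged / "core-1.0.jar").write_bytes(b"A")        # identical, unsigned
        (staged / "plugin-1.0.jar").write_bytes(b"B-alt")  # differs from build
        return plan_signing(local, staged)
```

The downloaded copies are used only for comparison; the files handed to `gpg` are always the ones in the local build directory.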