Re: [VOTE] Release Apache Maven Artifact Plugin version 3.5.0

2023-09-29 Thread Elliotte Rusty Harold
Not a blocker but I did take a quick look at the dependencies. I
noticed that maven-shared-utils was out of date, but when I tried to
update it, it failed on verification of the PGP signature of
commons-io which was now 2.13.0 instead of 2.11.0. This comes from the
Verify PGP signatures plugin, which I haven't seen before.

Is this a helpful check? I haven't seen it before, and it definitely
adds extra work to updating dependencies. If it makes dependencies
less likely to be kept up to date, that's likely to be a net security
negative. Is there a strong reason to check PGP signatures at build
time? And if there is, why are we doing this with a fixed map instead
of looking them up in Maven Central?

On Fri, Sep 29, 2023 at 2:00 AM Hervé Boutemy wrote:
>
> Hi,
>
> We solved 6 issues:
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12324322=12353118=Text
>
> Staging repo:
> https://repository.apache.org/content/repositories/maven-1992/
> https://repository.apache.org/content/repositories/maven-1992/org/apache/maven/plugins/maven-artifact-plugin/3.5.0/maven-artifact-plugin-3.5.0-source-release.zip
>
> Source release checksum(s):
> maven-artifact-plugin-3.5.0-source-release.zip sha512: 
> 3155f2e3da07752473fe5a2deb5b32f108c2fb1d8cd786718852f18242afad515fafcf55710f03c136fff9f343702e8e0152d53d51f69f6c043ecc397ce818e1%
>
> Staging site:
> https://maven.apache.org/plugins-archives/maven-artifact-plugin-LATEST/
>
> Guide to testing staged releases:
> https://maven.apache.org/guides/development/guide-testing-releases.html
>
> Vote open for at least 72 hours.
>
> [ ] +1
> [ ] +0
> [ ] -1
>
>
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> For additional commands, e-mail: dev-h...@maven.apache.org
>


-- 
Elliotte Rusty Harold
elh...@ibiblio.org




[VOTE] Release Apache Maven Artifact Plugin version 3.5.0

2023-09-29 Thread Hervé Boutemy
Hi,

We solved 6 issues:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12324322=12353118=Text

Staging repo:
https://repository.apache.org/content/repositories/maven-1992/
https://repository.apache.org/content/repositories/maven-1992/org/apache/maven/plugins/maven-artifact-plugin/3.5.0/maven-artifact-plugin-3.5.0-source-release.zip

Source release checksum(s):
maven-artifact-plugin-3.5.0-source-release.zip sha512: 
3155f2e3da07752473fe5a2deb5b32f108c2fb1d8cd786718852f18242afad515fafcf55710f03c136fff9f343702e8e0152d53d51f69f6c043ecc397ce818e1%

Staging site:
https://maven.apache.org/plugins-archives/maven-artifact-plugin-LATEST/

Guide to testing staged releases:
https://maven.apache.org/guides/development/guide-testing-releases.html

Vote open for at least 72 hours.

[ ] +1
[ ] +0
[ ] -1


