Sean Corfield <seancorfi...@gmail.com> writes:

>     Then you can show it with `gpg --export -a $KEY_ID`.
>     
>
> $KEY_ID? (again, as I noted at the conj, without good documentation on
> the Leiningen site for this, folks won't necessarily know what this is
> or why they need to do all of this)

Perhaps it would be helpful if you could explain in more detail what it
is about the provided explanation that you found confusing?

> > If you don't have a key yet, generate one with `gpg --gen-key`. The
> > default settings are pretty good, though I'd recommend making it expire
> > in a year or two. Next find your key ID. It's the 8-character part after
> > the slash on the line beginning with "pub":
> >
> >     $ gpg --list-keys
> >
> >                 ↓↓↓↓↓↓↓↓
> >     pub   2048R/77E77DDC 2011-07-17 [expires: 2014-07-16]
> >     uid                  Phil Hagelberg <technoma...@gmail.com>
> >     sub   2048R/39EFEE7D 2011-07-17

> So if the status quo persists and Mac and Windows users don't bother
> to install gpg, the Clojars process will stay exactly as it is? In
> other words, we can simply ignore the whole gpg issue and continue
> with things just as we do today and it won't break? Will users of
> Clojars projects be required to install and use gpg?

If you turn off :sign-releases inside your :repositories entry when
deploying libraries everything will work for you as before. But your
libraries won't qualify for the Releases repo in this case. So once your
users upgrade to Leiningen 2.0.0 they will have to include a separate
:repositories entry for the classic repo to indicate that they are OK
with pulling in dependencies that don't meet the higher standards of the
new repo.

> (I'm not arguing against encryption or signing - just trying to a)
> point out that I think the vast majority of Clojure library developers
> probably don't have gpg installed and b) establish what is _required_
> vs _optional_ and figure out what your plans are regarding existing
> Clojars projects and users)

Indeed, the root problem is this notion that you can be a professional
software developer and remain ignorant of how public-key crypto works.
So collecting improved documentation and educational resources is going
to need to be a priority. I'll do what I can to put together good general
resources but will need help covering systems like Windows and OS X that
make things more difficult.

But I should emphasize that signing is only necessary for library
authors, and verifying the signatures will always be optional.

-Phil
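
An added example, not part of the original message: a small shell parser for the `gpg --list-keys` layout quoted above, which pulls the 8-character ID after the slash on each "pub" line so it can be passed to `gpg --export -a`. The function names, the second sample key, and the `[expired: ...]` / `[revoked: ...]` markers it skips are assumptions for illustration; the first sample key is copied from the quoted listing.

```shell
#!/bin/sh
# Added example: extract primary key IDs from the legacy `gpg --list-keys`
# layout quoted in the message (pub / uid / sub lines).

# Sample listing: first key copied from the message (address elided there),
# second key constructed for illustration.
SAMPLE_LISTING='pub   2048R/77E77DDC 2011-07-17 [expires: 2014-07-16]
uid                  Phil Hagelberg <technoma...@gmail.com>
sub   2048R/39EFEE7D 2011-07-17

pub   2048R/0A1B2C3D 2010-01-01 [expired: 2012-01-01]
uid                  Example User <user@example.invalid>
sub   2048R/4E5F6A7B 2010-01-01'

# primary_key_ids (hypothetical helper): read a listing on stdin and print
# "KEYID<TAB>first uid" for each "pub" line. "sub" lines are subkeys and are
# ignored; keys marked expired or revoked (assumed marker text) are skipped.
primary_key_ids() {
    awk '
        $1 == "pub" {
            split($2, parts, "/")      # "2048R/77E77DDC" -> size+algo, key ID
            id = parts[2]
            skip = ($0 ~ /\[(expired|revoked)/)
            next
        }
        $1 == "uid" && id != "" {
            if (!skip) { sub(/^uid[ \t]+/, ""); printf "%s\t%s\n", id, $0 }
            id = ""                    # report only the first uid per key
        }
    '
}

# key_id_for (hypothetical helper): print the ID of the first usable key
# whose uid contains the given substring.
key_id_for() {
    primary_key_ids | awk -F '\t' -v who="$1" 'index($2, who) { print $1; exit }'
}

printf '%s\n' "$SAMPLE_LISTING" | primary_key_ids
```

With a real keyring the same helper would be fed from `gpg --list-keys`, for example `KEY_ID=$(gpg --list-keys | key_id_for "Your Name")`, provided gpg prints the layout shown in the message.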
