Hi, We sign distributions (but not individual jars) for nearly every Apache project I work on. But when we sign these distributions, we do so with the release manager's public key. There's no general Apache public key for all of us to use that I'm aware of. Nor am I sure there should be one, really, but I'm not an expert on this.
Signing individual jars is an interesting proposition. It needs to be automated, as for a release like tomcat's we're talking about dozens of jars. Yoav Shapira Millennium Research Informatics >-----Original Message----- >From: Paul Libbrecht [mailto:[EMAIL PROTECTED] >Sent: Monday, May 17, 2004 10:33 AM >To: Jakarta Commons Developers List >Subject: Re: [general] MANIFEST files... > > >A kind of related point, but much more delicate, is the signing of jars. > >For several purposes, in particular for all the security-intrusion type >of things like Java-Web-Start-full-priviledges, it would be nice to >have signed jars. And it would be much more meaningful that such signed >jars are signed with a certificate of the Apache foundation... > >To me, release jars parts of binary distributions could enjoy this >priviledge, which might be only available to key holders, of course. > >Also, a signed jar signed by the Apache foundation would mean a kind of >unalterable quality label, something which would go away with all these >people that mix and match packages endlessly (thereby loosing track of >origins and so on). > >What do you think ? > >paul > > >On 17-May-04, at 14:43 Uhr, Shapira, Yoav wrote: > >> >> Hi, >> Yeah, Ant is good at generating manifests. The decision to use or not >> use (and then remove) manifest files should be up to each component's >> developers. I think we should encourage their use to assist in >> dependency resolution. >> >> Yoav Shapira >> Millennium Research Informatics >> >> >>> -----Original Message----- >>> From: Emmanuel Bourg [mailto:[EMAIL PROTECTED] >>> Sent: Monday, May 17, 2004 4:58 AM >>> To: Jakarta Commons Developers List >>> Subject: Re: [general] MANIFEST files... >>> >>> Actually even Ant is able to generate a custom manifest file, the file >>> in src/conf could be easily replaced. >>> >>> http://ant.apache.org/manual/CoreTasks/jar.html >>> >>> Emmanuel Bourg >>> >>> >>> Stephen Colebourne wrote: >>> >>>> I have no plans to use maven for releasing [collections], so such a >>> sweeping >>>> plan would be dubious! >>>> >>>> Stephen >>>> >>>> ----- Original Message ----- >>>> From: "Henri Yandell" <[EMAIL PROTECTED]> >>>> >>>>> Each jakarta-commons module has a src/conf/MANIFEST.MF. Apart from >> older >>>>> [and I think no longer active] build.xml files, I don't really see >>>>> anything using these. >>>>> >>>>> Are they dead? Can we kill them? >>>>> >>>>> Maven is automatically generating manifests for us for most releases >> I >>>>> think. >>>>> >>>>> Hen >>>> >>>> >>>> >>>> >>>> --------------------------------------------------------------------- >>>> To unsubscribe, e-mail: [EMAIL PROTECTED] >>>> For additional commands, e-mail: [EMAIL PROTECTED] >>>> >>> >>> --------------------------------------------------------------------- >>> To unsubscribe, e-mail: [EMAIL PROTECTED] >>> For additional commands, e-mail: [EMAIL PROTECTED] >> >> >> >> >> This e-mail, including any attachments, is a confidential business >> communication, and may contain information that is confidential, >> proprietary and/or privileged. This e-mail is intended only for the >> individual(s) to whom it is addressed, and may not be saved, copied, >> printed, disclosed or used by anyone else. If you are not the(an) >> intended recipient, please immediately delete this e-mail from your >> computer system and notify the sender. Thank you. >> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: [EMAIL PROTECTED] >> For additional commands, e-mail: [EMAIL PROTECTED] >> > > >--------------------------------------------------------------------- >To unsubscribe, e-mail: [EMAIL PROTECTED] >For additional commands, e-mail: [EMAIL PROTECTED] This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
