Rahul Akolkar wrote:
On 8/16/06, Dennis Lundberg <[EMAIL PROTECTED]> wrote:
Rahul Akolkar wrote:
<snip/>
>
> AFAIK, nothing should go into any of the Apache Maven repos unless it's
> summed and signed. Commons has no particular privilege here, in fact,
> we should ensure that all artifacts are accompanied by appropriate
> metadata (I don't mean metadata.xml in the m2 sense). There are
> existing sums and sigs on some POMs at least. It appears that even if
> it's just a relocation section, it needs a resum and resign. If the
> consensus is that this adds an overhead for too many people, and is
> hence optional, that's another thing.
Checksums (md5 and/or sha1) yes, definitely. Signing, hmm well I'm not
sure. I haven't cut a release yet, so others will need to fill me in on
the current policy for signing or not signing poms. If this is
documented somewhere at Apache, please let me know, so that I can add a
link in the relocation guide.
<snap/>
From the Apache wide release signing policy [1] (I understand the
document is still in the works):
<quote>
Every artifact distributed by the Apache Software Foundation should
and every new one must be accompanied by one file containing an
OpenPGP compatible ASCII armored detached signature and another file
containing an MD5 checksum.
</quote>
And, Henk will complain [2] if we miss sigs.
-Rahul
[1] http://www.apache.org/dev/release-signing.html#policy
[2] http://people.apache.org/~henkp/checker/sig.html
Thanks for those pointers Rahul. I'll be sure to add at least the first
one to the guide.
I had a look at the Apache Maven 1 repo at
http://people.apache.org/repo/m1-ibiblio-rsync-repository/
There doesn't seem to be any consistency when looking at different
components. I had a look at a few:
configuration:
- older jars have md5
- newer jars have md5 and asc
- older poms have no md5 or asc
- newer poms have md5
lang:
- jars have md5
- poms have md5
logging:
- older jars have md5
- newer jars have md5 and asc
- older poms have md5
- newer poms have md5 and asc
How do we handle this? One way to go: if the previous pom is signed, then
the relocated one should also be signed.
And a more philosophical question: is a pom an artifact?
Henk's page does not seem to look at the Maven repos at all, only in /dist/
--
Dennis Lundberg
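A repository audit of the kind Dennis did by hand above, as an added example that is not from this thread or from any Apache project: it walks a Maven 1 style tree, reports which jars and poms lack the MD5/SHA1 checksum and .asc signature companions that the quoted policy expects, and verifies the checksums that are present. The sample tree, its artifact names and their contents are constructed for the example; signature validity is not checked, since that needs gpg and the project's KEYS file.

```python
import hashlib, os, tempfile
ARTIFACTS = (".jar", ".pom")  # what the policy calls a distributed artifact

def read_checksum(path):
    # Maven checksum files hold a bare digest or md5sum-style "digest  name".
    with open(path, encoding="ascii", errors="replace") as fh:
        return fh.read().split()[0].lower()

def checksum_state(artifact, algo):
    """'missing' if no .md5/.sha1 companion, 'ok' if it matches, else 'bad'."""
    side = artifact + "." + algo
    if not os.path.exists(side):
        return "missing"
    with open(artifact, "rb") as fh:
        actual = hashlib.new(algo, fh.read()).hexdigest()
    return "ok" if read_checksum(side) == actual else "bad"

def audit(root):
    """Map each artifact's repo-relative path to the state of its companions.
    The .asc is only checked for presence: validating it needs gpg plus the
    project's KEYS file, which this offline check deliberately does without."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(ARTIFACTS):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                report[rel] = {a: checksum_state(full, a) for a in ("md5", "sha1")}
                report[rel]["asc"] = "present" if os.path.exists(full + ".asc") else "missing"
    return report

def build_sample_repo():
    """Constructed tree (not real Apache content): md5 only, md5 + asc, nothing, stale md5."""
    root = tempfile.mkdtemp()
    def put(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh: fh.write(data)
    old, new = b"older jar bytes", b"newer jar bytes"
    put("lang/jars/commons-lang-2.1.jar", old)
    put("lang/jars/commons-lang-2.1.jar.md5", hashlib.md5(old).hexdigest().encode())
    put("logging/jars/commons-logging-1.1.jar", new)
    put("logging/jars/commons-logging-1.1.jar.md5",
        (hashlib.md5(new).hexdigest() + "  commons-logging-1.1.jar\n").encode())
    put("logging/jars/commons-logging-1.1.jar.asc", b"-----BEGIN PGP SIGNATURE-----\n")
    put("configuration/poms/commons-configuration-1.0.pom", b"<project/>")
    put("lang/poms/commons-lang-2.1.pom", b"<project/>")
    put("lang/poms/commons-lang-2.1.pom.md5", b"0" * 32)  # stale: no longer matches
    return root
```

Run `audit()` against a local rsync mirror of the repo to get the per-artifact table instead of sampling a few components by eye.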