On 15/10/2009, at 7:00 PM, Marc Lustig wrote:
> For companies, this would be a compelling feature! I (working for insurances
> and banks) often hear the argument "oh boy - they are downloading software
> from some obscure server from Russia". Having the label "Certified Maven
> Repository" would surely make those noises more silent :-)
> The ASF could release a rule-set that the Maven-repo must conform to in
> order to get the "certified" label.

This isn't really in the ASF's mission to provide. Everyone is going
to have their own rules for what is certified - there are varying
levels of trust, even if you verify it comes from the project itself
(for example, see Eclipse's IP verification process).
In this case you are better off having a dedicated group of people
approving third-party artifacts to arrive into Archiva for use by
others, and limiting proxy access outside. You can obviously do this
manually in Archiva now, though ideally you want a "quarantine" area
where they can be retrieved and await approval with a decent workflow
for moving them into an accessible repository.
- Brett