On Mon, Jan 11, 2016 at 7:25 PM, Nitin Lamba <[email protected]> wrote:
> Yes, this version is still M1.
>
> This is for public key server, not the artifacts per se.
It is actually for both. A public key server is just a short-hand
for somebody to retrieve your keys, however, a PMC managed
keyfile has to be stored in the same SVN that manages our
releases. I'll reply in a different thread describing what needs
to be done once you're ready to submit your RC for a vote.
> My interpretation is that all release artifacts need to be signed
> irrespective of maven 'publication'. If an 'M1' will go through
> approvals/ votes, doesn't it need a signature?
This is a correct assumption, however, automation like Maven
release plugin helps with the PGP signing as well. I find this
type of automation extremely useful and I would really encourage
you guys to find a reasonable substitute for Gradle. I'm sure one
exists by now as this thread seems to hint at:
https://discuss.gradle.org/t/what-is-the-equivalent-to-the-maven-release-plugin-in-gradle/6827/6
Thanks,
Roman.
