Hi, What do you think of https://github.com/apache/jmeter/pull/488 ?
It enables to use PGP for artifact verification, so it would simplify dependency updates without loosing too much. For instance, recent Jackson and Apache Tika updates could have been served by <trusted-key id='c9fbaa83a8753994' group='com.fasterxml.jackson.core' /> and <trusted-key id='4a51a45b944ffd51' group='org.apache.tika' /> Vladimir
