sebb>Can you provide some examples? 1) META files are often missing. For instance: https://www.apache.org/dist/commons/ , https://www.apache.org/dist/httpcomponents/ , https://www.apache.org/dist/logging/ , https://www.apache.org/dist/tika/ , https://www.apache.org/dist/xalan/ , https://www.apache.org/dist/xerces/, https://www.apache.org/dist/groovy/, https://www.apache.org/dist/geronimo/ and so on.
2) META files do not describe "who signs Nexus artifacts". In other words, it would be nice if META files could specify that "official JMeter jars should be signed by ..." Current file https://www.apache.org/dist/jmeter/META lists just "binaries/" and "sources/", and there's no room for "who signs org.apache.jmeter Maven artifacts". I do understand that "Maven jars" are convenience-only, however it is really sad we use 30 or so different Apache dependencies via Maven jars, and we don't really know which PGP keys should we trust. Vladimir
