On Wed, 4 Sep 2019 at 13:59, Vladimir Sitnikov <[email protected]> wrote:
>
> sebb>Can you provide some examples?
>
> 1) META files are often missing.
> For instance: https://www.apache.org/dist/commons/ ,
> https://www.apache.org/dist/httpcomponents/ ,
> https://www.apache.org/dist/logging/ , https://www.apache.org/dist/tika/ ,
> https://www.apache.org/dist/xalan/ , https://www.apache.org/dist/xerces/,
> https://www.apache.org/dist/groovy/, https://www.apache.org/dist/geronimo/ and
> so on.
>
> 2) META files do not describe "who signs Nexus artifacts". In other words,
> it would be nice if META files could specify that "official JMeter jars
> should be signed by ..."
> Current file https://www.apache.org/dist/jmeter/META lists just "binaries/"
> and "sources/", and there's no room for "who signs org.apache.jmeter Maven
> artifacts".
So it's not actually a problem with KEYS files.

AIUI META files were introduced to the ASF fairly recently, and there has been almost no promotion of their use.
I think they were set up by Henk Penning, who has sadly since passed.

If you wish to help progress them, I suggest you contact [email protected] and/or raise an INFRA JIRA.

AFAICT the ASF META files won't help with checking 3rd party dependencies.

> I do understand that "Maven jars" are convenience-only, however it is
> really sad we use 30 or so different Apache dependencies via Maven jars,
> and we don't really know which PGP keys we should trust.

In which case, I suggest you contact ASF Infra as noted above.

> Vladimir
