[ https://issues.apache.org/jira/browse/LUCENE-3882?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13232655#comment-13232655 ]
Steven Rowe commented on LUCENE-3882:
-------------------------------------
Robert, I think it's not necessary/useful to sign these files.

In Maven Central, many projects don't have signatures for this file, e.g.
http://search.maven.org/#browse|1946773355 ({{org.apache.apache}}, the Apache
parent POM).

I think the issue is that when Maven artifacts are uploaded, for each artifact,
entries from the maven-metadata.xml file's contents are merged with the
existing version of that file. As a result, the signature will no longer apply.

Maven-core is an example of a project where they used to sign this file, then
stopped doing it, but left the signature in the repo:
[http://search.maven.org/#browse|-1493030540]. Note that the
{{maven-metadata.xml.asc}} file is dated 2006.

> maven-metadata.xml's are only hashed but not signed
> ---------------------------------------------------
>
> Key: LUCENE-3882
> URL: https://issues.apache.org/jira/browse/LUCENE-3882
> Project: Lucene - Java
> Issue Type: Bug
> Components: general/build
> Reporter: Robert Muir
> Fix For: 3.6, 4.0
>
> Attachments: LUCENE-3882.patch
>
>
> we only produce .sha/.md5 for these files, but not .asc