On 09/27/16 at 15:24, Stephen Connolly wrote:
> I think that may be problematic... but probably not the worst thing to add
> to the schema (would just be an extra attribute)
Something you can use to identify the entity having produced an artifact and usable to verify an artifact has not been modified as it has been provided by that entity. Like a common name in a certificate. This decouples things from location (repositories). There always needs to be an entity claiming responsibility for an artifact/group of artifacts.

We have GPG signatures and jarsigner already. We maybe should decouple artifacts from technologies like these and make those attributes (maybe just one attribute: a common name like in an X.509 certificate) a property of a project's dependency trees file. So maybe those project dependency trees files need to somehow hold some information about who is to be claimed responsible for the trees. XMLDsig comes to mind. <https://www.w3.org/TR/xmldsig-core/>
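The idea sketched in the reply, a dependency trees file that names the entity responsible for it and is signed with XMLDsig, can be exercised with the XMLDsig API shipped in the JDK. The following is an added example, not code from the thread or from Maven: it builds a small constructed `dependencyTrees` document (the element and attribute names are made up for illustration, not a Maven schema), embeds the responsible entity's common name as a `KeyName`, signs the whole document with an enveloped signature, and verifies it. The verifier resolves the common name against its own trust store (here a constructed map from name to public key) rather than trusting any key carried inside the document, which is what makes the name an identity claim the consumer can check instead of a self-assertion. Requires Java 8 or later.

```java
import java.security.*;
import java.util.*;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class SignedDependencyTree {

    // Algorithm URI for RSA with SHA-256 (RFC 6931); spelled out so the code also builds on Java 8.
    private static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    /** Constructed sample document; the element/attribute names are hypothetical, not a Maven format. */
    static Document buildTree() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // the XMLDsig implementation requires a namespace-aware DOM
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element root = doc.createElement("dependencyTrees");
        Element dep = doc.createElement("dependency");
        dep.setAttribute("groupId", "org.example");
        dep.setAttribute("artifactId", "demo");
        dep.setAttribute("version", "1.0");
        root.appendChild(dep);
        doc.appendChild(root);
        return doc;
    }

    /** Enveloped signature over the whole document; KeyName carries the responsible entity's common name. */
    static void sign(Document doc, String commonName, KeyPair kp) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        // URI "" = the document itself; the enveloped transform excludes the Signature element from the digest.
        Reference ref = fac.newReference("",
                fac.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(RSA_SHA256, null),
                Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        // Only the name goes into the document; the key is deliberately NOT embedded.
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyName(commonName)));
        fac.newXMLSignature(si, ki).sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
    }

    /** Maps the signer's KeyName to a key from the consumer's own trust store. */
    static final class TrustedNameSelector extends KeySelector {
        private final Map<String, PublicKey> trusted;
        TrustedNameSelector(Map<String, PublicKey> trusted) { this.trusted = trusted; }
        @Override
        public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose, AlgorithmMethod method,
                                        XMLCryptoContext ctx) throws KeySelectorException {
            for (Object item : keyInfo.getContent()) {
                if (item instanceof KeyName) {
                    PublicKey key = trusted.get(((KeyName) item).getName());
                    if (key != null) return () -> key;
                }
            }
            throw new KeySelectorException("signer is not a trusted entity");
        }
    }

    /** True only if exactly one signature is present, its signer is trusted and the content is unchanged. */
    static boolean verify(Document doc, Map<String, PublicKey> trusted) throws Exception {
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() != 1) return false;
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext ctx = new DOMValidateContext(new TrustedNameSelector(trusted), nl.item(0));
        try {
            return fac.unmarshalXMLSignature(ctx).validate(ctx);
        } catch (XMLSignatureException e) { // an unknown signer is reported as "cannot find validation key"
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        String cn = "CN=Example Release Team"; // constructed identity
        Map<String, PublicKey> trust = Collections.singletonMap(cn, kp.getPublic());

        Document doc = buildTree();
        sign(doc, cn, kp);
        System.out.println("intact:   " + verify(doc, trust));                                    // true
        System.out.println("unknown:  " + verify(doc, Collections.<String, PublicKey>emptyMap())); // false

        // Changing the tree after the entity signed it breaks the reference digest.
        ((Element) doc.getElementsByTagName("dependency").item(0)).setAttribute("version", "1.1");
        System.out.println("tampered: " + verify(doc, trust));                                     // false
    }
}
```

The design choice worth noting is that the trust decision lives with the consumer: the document says who claims responsibility, and the consumer decides which public key that name maps to. Embedding a `KeyValue` next to the `KeyName` would let any signer assert any name, so a consumer that accepted keys from the document would be checking integrity but not identity.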
