Not a blocker but I did take a quick look at the dependencies. I noticed that maven-shared-utils was out of date, but when I tried to update it, it failed on verification of the PGP signature of commons-io which was now 2.13.0 instead of 2.11.0. This comes from the Verify PGP signatures plugin, which I haven't seen before.
Is this a helpful check? I haven't seen it before, and it definitely adds extra work to updating dependencies. If it makes dependencies less likely to be kept up to date, that's likely to be a net security negative. Is there a strong reason to check PGP signatures at build time? And if there is, why are we doing this with a fixed map instead of looking them up in Maven Central?

On Fri, Sep 29, 2023 at 2:00 AM Hervé Boutemy <[email protected]> wrote:
>
> Hi,
>
> We solved 6 issues:
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12324322&version=12353118&styleName=Text
>
> Staging repo:
> https://repository.apache.org/content/repositories/maven-1992/
> https://repository.apache.org/content/repositories/maven-1992/org/apache/maven/plugins/maven-artifact-plugin/3.5.0/maven-artifact-plugin-3.5.0-source-release.zip
>
> Source release checksum(s):
> maven-artifact-plugin-3.5.0-source-release.zip sha512:
> 3155f2e3da07752473fe5a2deb5b32f108c2fb1d8cd786718852f18242afad515fafcf55710f03c136fff9f343702e8e0152d53d51f69f6c043ecc397ce818e1
>
> Staging site:
> https://maven.apache.org/plugins-archives/maven-artifact-plugin-LATEST/
>
> Guide to testing staged releases:
> https://maven.apache.org/guides/development/guide-testing-releases.html
>
> Vote open for at least 72 hours.
>
> [ ] +1
> [ ] +0
> [ ] -1
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>

--
Elliotte Rusty Harold
[email protected]
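The reply above turns on how a fixed key map behaves when a dependency is bumped: a pinned entry names both the artifact coordinate and the signing key the project expects, so bumping the version can fail verification even when the signer is unchanged (the map simply has no entry for the new version), while a wildcard entry only fails when the release was signed by a different key. Fetching the `.asc` from Maven Central on its own tells you the artifact is intact and was signed by the key it claims, not whether that key is the one the project trusts; the map is what carries that expectation. The Python below is an added illustration written for this thread, not code from the Verify PGP signatures plugin, Maven, or the message authors. The `groupId:artifactId:version = fingerprint, ...` line format, the versions, and all fingerprints are constructed for the example and are not the real plugin's syntax or real keys.

```python
"""Classify signed artifacts against a pinned PGP key map (illustrative, constructed format)."""
from fnmatch import fnmatchcase
from typing import List, Set, Tuple

# Constructed keys-map text. The "groupId:artifactId:version = fingerprint, ..." line
# format is an assumption made for this example, not the real plugin's syntax, and the
# fingerprints are made-up 40-hex-digit placeholders.
PINNED_MAP = """
# one signing key pinned per exact version
org.apache.maven.shared:maven-shared-utils:1.2.3 = AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111
commons-io:commons-io:2.11.0 = BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222
"""

WILDCARD_MAP = """
# any version accepted, but only when signed by a listed key
org.apache.maven.shared:maven-shared-utils:* = AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111
commons-io:commons-io:* = BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222
"""

Rule = Tuple[str, str, str, Set[str]]  # (groupId, artifactId glob, version glob, fingerprints)


def parse_keys_map(text: str) -> List[Rule]:
    """Parse map lines; '#' starts a comment, blank lines are ignored."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        coords, sep, fps = line.partition("=")
        if not sep:
            raise ValueError(f"malformed map line: {raw!r}")
        parts = [p.strip() for p in coords.split(":")]
        if len(parts) != 3:
            raise ValueError(f"expected groupId:artifactId:version in {raw!r}")
        group, artifact, version = parts
        fingerprints = {fp.strip().replace(" ", "").upper()
                        for fp in fps.split(",") if fp.strip()}
        rules.append((group, artifact, version, fingerprints))
    return rules


def check_artifact(rules: List[Rule], group: str, artifact: str,
                   version: str, signer_fp: str) -> str:
    """Return one of:
    OK            a matching entry lists the key that signed this artifact
    KEY_MISMATCH  entries cover the coordinate, but none lists this key (signer changed)
    NO_ENTRY      nothing in the map covers the coordinate (e.g. a pinned version was bumped)
    """
    signer_fp = signer_fp.replace(" ", "").upper()
    covered = False
    for g, a, v, fps in rules:
        if g == group and fnmatchcase(artifact, a) and fnmatchcase(version, v):
            covered = True
            if signer_fp in fps:
                return "OK"
    return "KEY_MISMATCH" if covered else "NO_ENTRY"


def audit(rules: List[Rule], observed) -> List[Tuple[str, str]]:
    """Classify each (group, artifact, version, signer fingerprint) tuple."""
    return [(f"{g}:{a}:{v}", check_artifact(rules, g, a, v, fp)) for g, a, v, fp in observed]


# Constructed observations: a build whose transitive commons-io moved from 2.11.0 to 2.13.0.
# The last tuple uses an unknown key (CCCC...) standing in for a changed release signer.
OBSERVED = [
    ("org.apache.maven.shared", "maven-shared-utils", "1.2.3",
     "AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111"),
    ("commons-io", "commons-io", "2.11.0", "BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222"),
    ("commons-io", "commons-io", "2.13.0", "BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222"),
    ("commons-io", "commons-io", "2.13.0", "CCCC3333CCCC3333CCCC3333CCCC3333CCCC3333"),
]

if __name__ == "__main__":
    for name, text in (("pinned", PINNED_MAP), ("wildcard", WILDCARD_MAP)):
        print(f"--- {name} map ---")
        for coord, verdict in audit(parse_keys_map(text), OBSERVED):
            print(f"{verdict:13} {coord}")
```

Run against the pinned map, the 2.13.0 bump reports `NO_ENTRY` whether or not the signer changed, which is the maintenance cost the reply complains about; against the wildcard map, the same bump passes when signed by the known key and reports `KEY_MISMATCH` only when the signer changed, which is the signal a build-time check is there to surface.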
