On 22/07/2008, at 11:54 PM, Chad La Joie wrote:
Yeah, the code is a bit spread out at the moment. ;) Thanks for
the links though, that helped me find the rest of what I needed.
Looking at the code I have one question. Is the assumption that a
developer would specify the signature-validating key, which will
need to be in their keyring, for each artifact?
At the moment, there is a separate keyring in the Maven installation
(configurable by settings) that you can add and remove keys from, but
any valid signature signed by those keys will be accepted. Getting
access to the right keys easily and safely will be an important part
of making this successful.
I've outlined the initial steps in
http://docs.codehaus.org/display/MAVEN/Repository+Security, and there
are some additional thoughts for later towards the end of the doc.
Cheers,
Brett
--
Brett Porter
[EMAIL PROTECTED]
http://blogs.exist.com/bporter/
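
Added example, not part of the original message and not Maven's code: the two trust policies discussed in this exchange, side by side. The keyring-wide policy accepts an artifact signed by any key in the keyring, while the per-artifact policy accepts only the key pinned to that artifact's coordinates. Class, method and coordinate names are hypothetical, and JDK ECDSA is an assumed stand-in for the real signature format.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

// Added illustration: all names here are hypothetical, not Maven's API.
public class KeyringPolicyDemo {
    static final String ALG = "SHA256withECDSA"; // assumption: stand-in signature scheme

    static byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance(ALG);
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    // Check a detached signature over the artifact bytes against one public key.
    static boolean verifies(PublicKey key, byte[] artifact, byte[] sig) throws GeneralSecurityException {
        Signature v = Signature.getInstance(ALG);
        v.initVerify(key);
        v.update(artifact);
        return v.verify(sig);
    }

    // Keyring-wide policy: any key in the keyring may vouch for any artifact.
    static boolean acceptAnyKeyringKey(Collection<PublicKey> keyring, byte[] artifact, byte[] sig)
            throws GeneralSecurityException {
        for (PublicKey k : keyring) {
            if (verifies(k, artifact, sig)) return true;
        }
        return false;
    }

    // Per-artifact policy: only the key pinned to these coordinates is accepted.
    static boolean acceptPinnedKey(Map<String, PublicKey> pins, String coords, byte[] artifact, byte[] sig)
            throws GeneralSecurityException {
        PublicKey pinned = pins.get(coords);
        return pinned != null && verifies(pinned, artifact, sig); // no pin means reject
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(256);
        KeyPair a = gen.generateKeyPair(), b = gen.generateKeyPair(); // two unrelated projects
        List<PublicKey> keyring = List.of(a.getPublic(), b.getPublic());
        Map<String, PublicKey> pins = Map.of("org.example.a:lib-a", a.getPublic());
        // Constructed sample: bytes offered as lib-a, signed once by each project's key.
        byte[] jar = "constructed lib-a-1.0.jar contents".getBytes(StandardCharsets.UTF_8);
        byte[] sigA = sign(a.getPrivate(), jar), sigB = sign(b.getPrivate(), jar);
        System.out.println("keyring-wide, signed by B: " + acceptAnyKeyringKey(keyring, jar, sigB));
        System.out.println("pinned lib-a, signed by B: " + acceptPinnedKey(pins, "org.example.a:lib-a", jar, sigB));
        System.out.println("pinned lib-a, signed by A: " + acceptPinnedKey(pins, "org.example.a:lib-a", jar, sigA));
    }
}
```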