On Sat, May 31, 2008 at 1:33 AM, Robert Burrell Donkin <[EMAIL PROTECTED]> wrote:
> IMO this isn't really a maven issue: basic checks should be performed
> on all releases. i favour a private subversion repository with custom
> hooks for release publishing.

I think it very much is a maven issue. Maven is the tool that automatically downloads jar files from the public repository automagically (I love that by the way). If there were a setting in maven that I could set that says "don't add anything to my local maven repository that isn't signed by someone that I trust", then I think we would be good here. I don't know if I'd make it a required feature, though. I think making it optional would be okay. Maven should also ask you if you want to trust a signer if it hasn't seen it before (kind of like how webstart does). Perhaps it could be a three-choice setting:

1. Allow any jars from the central repository.
2. Ask me before allowing jars from someone I haven't specifically trusted before.
3. Don't allow any jars signed by people I do not trust.

This, of course, would mean that we should probably set up a release signing committee so that we only use one signing key from the ASF (users shouldn't have to say that they trust jars signed by me, and Robert, and Brett, and Noel). The members of the committee would be the only ones with write access to the maven rsync directory. The requests could be set up in JIRA or something (hopefully there would be a committee member on each PMC).
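One way the proposed three-choice setting could be implemented, as an added example that is not code from Maven or from anyone on this thread: verify a jar's detached .asc signature with gpg against a keyring, reduce gpg's machine-readable --status-fd output to a verdict, and apply the policy against a set of trusted key fingerprints. The status lines, key id and fingerprint in the sample are constructed, and verify_artifact assumes gpg is on the PATH.

```python
import re
import subprocess
from typing import Dict, Iterable, Optional, Set

# The three policy modes proposed in the message.
ALLOW_ANY, ASK_UNKNOWN, TRUSTED_ONLY = 1, 2, 3

# Lines gpg writes to the status fd look like "[GNUPG:] GOODSIG <keyid> <uid>";
# we only care about the keyword and the key id / fingerprint that follows it.
_STATUS = re.compile(r"^\[GNUPG:\] (GOODSIG|VALIDSIG|BADSIG|NO_PUBKEY) (\S+)")

def parse_gpg_status(lines: Iterable[str]) -> Dict[str, Optional[str]]:
    """Reduce gpg --status-fd output to {'status': GOOD|BAD|NO_PUBKEY|UNSIGNED, 'key': ...}."""
    result: Dict[str, Optional[str]] = {"status": "UNSIGNED", "key": None}
    for line in lines:
        m = _STATUS.match(line)
        if not m:
            continue
        kind, key = m.group(1), m.group(2).upper()
        if kind == "GOODSIG":           # long key id; VALIDSIG (next line) replaces it
            result.update(status="GOOD", key=key)
        elif kind == "VALIDSIG":        # full fingerprint, what trust decisions are keyed on
            result.update(status="GOOD", key=key)
        elif kind == "BADSIG":
            result.update(status="BAD", key=key)
        elif kind == "NO_PUBKEY":       # signed, but by a key not in the keyring
            result.update(status="NO_PUBKEY", key=key)
    return result

def verify_artifact(jar_path: str, keyring: str) -> Dict[str, Optional[str]]:
    """Run gpg on <jar>.asc + <jar> using only the given keyring; never raises on a bad signature."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", jar_path + ".asc", jar_path],
        capture_output=True, text=True)
    return parse_gpg_status(proc.stdout.splitlines())

def decide(verification: Dict[str, Optional[str]], mode: int, trusted_fprs: Set[str]) -> str:
    """Return 'allow', 'ask' or 'deny' for a downloaded jar under the chosen mode."""
    if mode == ALLOW_ANY:
        return "allow"
    if verification["status"] != "GOOD":
        return "deny"                    # bad, unverifiable or missing signature is never 'ask'
    if verification["key"] in trusted_fprs:
        return "allow"
    return "ask" if mode == ASK_UNKNOWN else "deny"

# Constructed sample status output (not real keys) for a good and a bad signature.
FPR = "00112233445566778899AABB0123456789ABCDEF"
SAMPLE_GOOD = ["[GNUPG:] NEWSIG",
               "[GNUPG:] GOODSIG 0123456789ABCDEF Example Release Key <release@example.org>",
               "[GNUPG:] VALIDSIG " + FPR + " 2008-05-31 1212192780 0 4 0 1 10 00 " + FPR]
SAMPLE_BAD = ["[GNUPG:] NEWSIG",
              "[GNUPG:] BADSIG 0123456789ABCDEF Example Release Key <release@example.org>"]
```

Trust is keyed on the full fingerprint from VALIDSIG rather than the 16-hex key id from GOODSIG, so a jar that only yields a GOODSIG line is treated as unknown rather than trusted.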