On Sat, May 31, 2008 at 9:05 AM, James Carman <[EMAIL PROTECTED]> wrote:
> On Sat, May 31, 2008 at 1:33 AM, Robert Burrell Donkin
> <[EMAIL PROTECTED]> wrote:
>
>> IMO this isn't really a maven issue: basic checks should be performed
>> on all releases. I favour a private subversion repository with custom
>> hooks for release publishing.
>
> I think it very much is a maven issue. Maven is the tool that
> automatically downloads jar files from the public repository
> automagically (I love that by the way). If there were a setting in
> maven that I could set that says "don't add anything to my local maven
> repository that isn't signed by someone that I trust", then I think we
> would be good here. I don't know if I'd make it a required feature,
> though. I think making it optional would be okay. Maven should also
> ask you if you want to trust a signer if it hasn't seen it before
> (kind of like how webstart does). Perhaps it could be a three-choice
> setting:
>
> 1. Allow any jars from the central repository.
> 2. Ask me before allowing jars from someone I haven't specifically
>    trusted before.
> 3. Don't allow any jars signed by people I do not trust.
>
> This, of course, would mean that we should probably set up a release
> signing committee so that we only use one signing key from the ASF
> (users shouldn't have to say that they trust jars signed by me, and
> Robert, and Brett, and Noel). The members of the committee would be
> the only ones with write access to the maven rsync directory. The
> requests could be set up in JIRA or something (hopefully there would
> be a committee member on each PMC).
I guess we would probably want to set up a signing key for each PMC,
since saying that I approve of using releases from one podling doesn't
necessarily mean I approve of using releases from another podling. For
example, I may trust JSecurity if I am a long-time user of it, but I
don't trust Imperius, because I don't know what the heck it is.

Once a podling graduates, would we need to generate a new signing key
for it (without the "incubating")?

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
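The three-choice setting James describes in the quoted message, written out as an added example; this is not code from the thread, from Maven or from the ASF. Maven Central carries detached PGP (.asc) signatures; to run offline with only the Go standard library this example substitutes Ed25519 signatures, and it stands in for a PGP fingerprint with the hex SHA-256 of the raw public key. The names (TrustStore, Admit, the Policy constants) and the jar bytes are invented for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Policy is the three-choice setting proposed in the thread.
type Policy int

const (
	AllowAny      Policy = iota + 1 // 1. allow any jar from the central repository
	AskUnknown                      // 2. ask before admitting a jar from an unknown signer
	DenyUntrusted                   // 3. admit only jars signed by an already-trusted key
)

var (
	ErrUnsigned  = errors.New("artifact has no signature")
	ErrBadSig    = errors.New("signature does not verify over the artifact bytes")
	ErrUntrusted = errors.New("signer is not trusted")
)

// Fingerprint stands in for a PGP key fingerprint (assumed: hex SHA-256 of the raw key).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// TrustStore holds the user's trusted signing keys and, for AskUnknown, the
// "trust this signer?" prompt (a function here so it can be scripted).
type TrustStore struct {
	Policy  Policy
	Prompt  func(fingerprint string) bool
	trusted map[string]ed25519.PublicKey
}

func NewTrustStore(p Policy, prompt func(string) bool) *TrustStore {
	return &TrustStore{Policy: p, Prompt: prompt, trusted: map[string]ed25519.PublicKey{}}
}

// Trust records a key as trusted, as a user would after checking its fingerprint.
func (t *TrustStore) Trust(pub ed25519.PublicKey) { t.trusted[Fingerprint(pub)] = pub }

// Admit decides whether a downloaded artifact may be written to the local
// repository: jar is the artifact, sig the detached signature, signer the key
// the signature claims to come from (trust is keyed by its full fingerprint).
func (t *TrustStore) Admit(jar, sig []byte, signer ed25519.PublicKey) error {
	if t.Policy == AllowAny {
		return nil // setting 1: no verification at all, today's behaviour
	}
	if len(sig) == 0 || len(signer) != ed25519.PublicKeySize {
		return ErrUnsigned // settings 2 and 3 never admit an unsigned artifact
	}
	// Verify before consulting trust: a trusted key whose signature does not
	// match the bytes means the artifact was substituted, not that it is fine.
	if !ed25519.Verify(signer, jar, sig) {
		return ErrBadSig
	}
	fp := Fingerprint(signer)
	if _, ok := t.trusted[fp]; ok {
		return nil
	}
	if t.Policy == DenyUntrusted {
		return ErrUntrusted
	}
	// Setting 2: first-use prompt, remembered on acceptance (like Web Start).
	// Only reached for a signature that verified, so nobody is asked to trust
	// a key on the strength of a broken signature.
	if t.Prompt != nil && t.Prompt(fp) {
		t.Trust(signer)
		return nil
	}
	return ErrUntrusted
}

func main() {
	// Constructed inputs: a release-committee key, an unknown key, and a jar.
	committeePub, committeePriv, _ := ed25519.GenerateKey(rand.Reader)
	strangerPub, strangerPriv, _ := ed25519.GenerateKey(rand.Reader)
	jar := []byte("PK\x03\x04 constructed jar bytes")
	store := NewTrustStore(DenyUntrusted, nil)
	store.Trust(committeePub)
	fmt.Println("committee-signed:", store.Admit(jar, ed25519.Sign(committeePriv, jar), committeePub))
	fmt.Println("stranger-signed: ", store.Admit(jar, ed25519.Sign(strangerPriv, jar), strangerPub))
	fmt.Println("unsigned:        ", store.Admit(jar, nil, nil))
	asking := NewTrustStore(AskUnknown, func(fp string) bool {
		fmt.Println("prompt: trust signer", fp[:16], "...? (answering yes)")
		return true
	})
	fmt.Println("ask, first time: ", asking.Admit(jar, ed25519.Sign(strangerPriv, jar), strangerPub))
	fmt.Println("ask, second time:", asking.Admit(jar, ed25519.Sign(strangerPriv, jar), strangerPub))
}
```

Two points a practitioner would want from any real implementation of the setting: the check has to run before the download is written into the local repository, since plugins execute from there, and trust must be pinned to the full key fingerprint rather than the short key ID that a detached signature names, so that a different key with the same ID cannot stand in for the committee's.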