I think this thread belongs on the Maven lists as it is only tangential to the decision about the incubator repository.

The process for getting new features included is to write a proposal and put it on the wiki [1] and then email the dev list to begin a discussion. There are some good ideas here but they need to be fleshed out by the Maven community as a whole.

[1] https://docs.codehaus.org/display/MAVENUSER/User+Proposals

-----Original Message-----
From: Robert Burrell Donkin [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 02, 2008 2:40 PM
To: [email protected]
Subject: Re: enforced signing of artifacts, [was maven repository]

On Sat, May 31, 2008 at 8:11 PM, Craig L Russell <[EMAIL PROTECTED]> wrote:
>
> On May 30, 2008, at 10:33 PM, Robert Burrell Donkin wrote:
>
>> On Sat, May 31, 2008 at 3:42 AM, Brett Porter <[EMAIL PROTECTED]>
>> wrote:
>>>
>>> 2008/5/31 Brian E. Fox <[EMAIL PROTECTED]>:
>>>>
>>>> Can you elaborate more on what you mean here? I've been on the Maven PMC
>>>> for over a year now and this is the first I've heard of it.
>>>>
>>>> We do support signing of artifacts and all the Maven releases are
>>>> signed. We obviously don't control all the other Apache projects in a
>>>> way to enforce that they sign their artifacts.
>>>
>>> Noel is referring to enforcing checking signatures, not signing them.
>>> I've had a proposal out there for some time which anyone is free to
>>> comment on: http://docs.codehaus.org/display/MAVEN/Repository+Security
>>>
>>> There hasn't been a lot of traction behind it so far. Ease of use,
>>> especially OOTB, is probably one of the main concerns.
>>
>> IMO this isn't really a Maven issue: basic checks should be performed
>> on all releases. I favour a private subversion repository with custom
>> hooks for release publishing.
>
> I think that Maven basically changes the equation, since it is responsible
> for automatically downloading artifacts, and this feature is a huge
> usability win. I think that currently, usability trumps security.
>
> Since Maven automatically downloads artifacts, it's technically feasible for
> Maven to verify the signatures of those artifacts and allow for control by
> the user over whether or not to trust the artifacts.
>
> For example, "trust all unsigned", "trust all signed", "trust all signed in
> Apache WOT" might be reasonable policies declared by the user.

+1

- robert

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
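The three policies Craig sketches ("trust all unsigned", "trust all signed", "trust all signed in Apache WOT") are easy to state and slightly harder to get right at the point where a client has just downloaded an artifact. The script below is an added example written for this page; it is not Maven code and not the design from the Repository Security proposal. It assumes the repository layout Maven Central actually uses (a `.sha1` file and a detached `.asc` signature beside each artifact), that the client has already run `gpg --status-fd 1 --verify foo.jar.asc foo.jar` and captured the machine-readable status lines, and that "Apache WOT" is approximated by an allowlist of key fingerprints such as a project's KEYS file would give you. The artifact bytes, fingerprints and gpg status lines are constructed samples, and the `check_artifact`/`decide` helpers are this example's own names.

```python
"""
Artifact trust gate for a Maven-style download (added example; not Maven's
own code). Assumes a .sha1 and a detached .asc beside each artifact, gpg run
with --status-fd, and an allowlist of fingerprints standing in for the WOT.
"""
import hashlib
import hmac
from enum import Enum
from typing import FrozenSet, Optional, Tuple


class Policy(Enum):
    TRUST_ALL_UNSIGNED = "trust-all-unsigned"    # only outright tampering is rejected
    TRUST_ALL_SIGNED = "trust-all-signed"        # any good signature from any key
    TRUST_SIGNED_IN_WOT = "trust-signed-in-wot"  # good signature from an allowlisted key


def verify_sha1(artifact: bytes, sha1_file_text: str) -> bool:
    """Compare the download against its .sha1 file (hex digest, maybe a filename)."""
    expected = sha1_file_text.split()[0].lower()
    return hmac.compare_digest(hashlib.sha1(artifact).hexdigest(), expected)


def parse_gpg_status(status_text: Optional[str]) -> Tuple[str, Optional[str]]:
    """Reduce `gpg --status-fd` lines to (status, signing-key fingerprint).
    status: unsigned | good | bad | unknown-key | expired-key | revoked-key.
    None input means no .asc existed, i.e. the artifact is simply unsigned."""
    if status_text is None:
        return "unsigned", None
    status, fpr = "unsigned", None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword == "BADSIG":
            return "bad", None                    # nothing outranks a bad signature
        if keyword in ("NO_PUBKEY", "ERRSIG"):
            status = "unknown-key"
        elif keyword == "EXPKEYSIG":
            status = "expired-key"
        elif keyword == "REVKEYSIG":
            status = "revoked-key"
        elif keyword == "GOODSIG" and status == "unsigned":
            status = "good"
        elif keyword == "VALIDSIG" and len(fields) > 2:
            # field 2: signing (sub)key fpr; field 11, when present: primary key fpr
            fpr = (fields[11] if len(fields) > 11 else fields[2]).upper()
    return status, fpr


def decide(policy: Policy, checksum_ok: bool, sig_status: str,
           fpr: Optional[str], trusted: FrozenSet[str]) -> Tuple[bool, str]:
    """Apply the user's policy; returns (accept, reason)."""
    if not checksum_ok:
        return False, "checksum mismatch: corrupt or tampered download"
    if sig_status == "bad":
        return False, "BADSIG: signature does not match the artifact"
    if policy is Policy.TRUST_ALL_UNSIGNED:
        return True, f"accepted under {policy.value} (signature: {sig_status})"
    if sig_status != "good":
        return False, f"{policy.value} requires a good signature, got {sig_status}"
    if policy is Policy.TRUST_ALL_SIGNED:
        return True, f"accepted: good signature from {fpr}"
    if fpr in trusted:
        return True, f"accepted: good signature from allowlisted key {fpr}"
    return False, f"good signature, but key {fpr} is not in the trusted set"


def check_artifact(policy: Policy, artifact: bytes, sha1_text: str,
                   gpg_status: Optional[str], trusted: FrozenSet[str]) -> Tuple[bool, str]:
    status, fpr = parse_gpg_status(gpg_status)
    return decide(policy, verify_sha1(artifact, sha1_text), status, fpr, trusted)


# ---- constructed sample data (not real keys, artifacts or gpg output) ----
TRUSTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
OTHER_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
APACHE_WOT = frozenset({TRUSTED_FPR})
ARTIFACT = b"PK\x03\x04 constructed stand-in for foo-1.0.jar\n"
SHA1_FILE = hashlib.sha1(ARTIFACT).hexdigest() + "  foo-1.0.jar\n"


def _status(fpr: str, verdict: str = "GOODSIG") -> str:
    return ("[GNUPG:] NEWSIG\n"
            f"[GNUPG:] {verdict} {fpr[-16:]} Example RM <rm@example.org>\n"
            f"[GNUPG:] VALIDSIG {fpr} 2008-06-02 1212410400 0 4 0 1 2 00 {fpr}\n"
            "[GNUPG:] TRUST_UNDEFINED 0 pgp\n")


GPG_GOOD_WOT = _status(TRUSTED_FPR)
GPG_GOOD_STRANGER = _status(OTHER_FPR)
GPG_BAD = f"[GNUPG:] NEWSIG\n[GNUPG:] BADSIG {OTHER_FPR[-16:]} Example RM <rm@example.org>\n"
GPG_NO_KEY = (f"[GNUPG:] NEWSIG\n[GNUPG:] ERRSIG {OTHER_FPR[-16:]} 1 2 00 1212410400 9\n"
              f"[GNUPG:] NO_PUBKEY {OTHER_FPR[-16:]}\n")

if __name__ == "__main__":
    cases = {"signed-in-wot": GPG_GOOD_WOT, "signed-by-stranger": GPG_GOOD_STRANGER,
             "bad-signature": GPG_BAD, "unknown-key": GPG_NO_KEY, "unsigned": None}
    for pol in Policy:
        for name, st in cases.items():
            ok, why = check_artifact(pol, ARTIFACT, SHA1_FILE, st, APACHE_WOT)
            print(f"{pol.value:20} {name:19} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

Two points the policy names hide: the `.sha1` file only detects a corrupted or substituted download, never a malicious repository, since whoever can replace the jar can replace the checksum too, so a checksum mismatch is a hard reject under every policy but a match proves nothing about provenance; and a signature that does not verify (`BADSIG`) is rejected even under "trust all unsigned", because a present-but-wrong signature is evidence of tampering rather than absence of evidence. A signature from a key the client has never imported (`NO_PUBKEY`) counts as not-good rather than as signed, which is what makes "trust all signed" stricter than it sounds and why the allowlist (or a real web of trust) is the part that does the work.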
