William A. Rowe, Jr. wrote:
> Why is it not equally possible to validate against a short list of keys
> (e.g. infra PMC members) and their immediate trust? This is what gpg is
> good at.
First get the code built into Maven for actually checking the signatures and
we're golden, with multiple options.
> As far as signing jars, Microsoft Authenticode etc, Noel and I planned to
> create such a service (although we've both been really busy in the past few
> months). But it will always require that the artifacts are already signed
> by someone in the ASF's web-of-trust via pgp.
I've been wondering when you'd come back to life, but you may have been waiting
for me. I actually had time the past week.
--- Noel