Henning Schmiedehausen wrote:
> There is a pretty nice proposal on
> http://people.apache.org/~henkp/trust/, however this will again take a
> piece of "freedom of doing software at Apache" away and introduce some
> administrative overhead that all projects must implement and manage.
But, as you say, it is worth doing something, whether exactly that or not,
because
> Formalizing the signing of our releases would be a huge step towards a
> reliable validation for the Apache software releases.
> It still does not help you with third-party releases, though.
Is it our problem if you mean a third party, e.g., IBM, releasing our code
as part of their own commercial product?
> IMHO: Anyone who is using maven for commercial software development and
> does not run a controlled, in-house repository that is actively managed
> and maintained is IMHO in for big, ugly surprises in the long run.
+1. Unfortunately, I believe that you'd be talking about a "high 9s"
percentage of the population of Maven users who do NOT follow that rule.
--- Noel