>Do you think the ASF should sign jar files?
Why not just use the standard ASF (PGP and md5 signatures)?
example:
apache_1.3.19.tar.gz
apache_1.3.19.tar.gz.asc
apache_1.3.19.tar.gz.md5
>If the ASF signs jars, a host of other questions are raised.
>
>Should all jar files be signed, even for nightly builds? Or just
>for major releases, betas, milestones, etc.
If we want to sign jars (standard or via jar), please sign only stable
distributions, i.e. releases, maybe betas and milestones.
When will a user check a signature on a tool?
When he intends to use that tool in the real world, i.e. production.
If a tool is obsoleted in one or two weeks, its life is just
too short to be useful in the long term.
>Would only one key be used for all of ASF, or multiple keys.
ASF already has http://www.apache.org/dist/KEYS :
We could add release managers' and committers' PGP keys to
this list (I for RPM, ....)
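The verification step the reply above relies on (a tarball beside its detached .asc signature and .md5 file, with signer keys taken from the KEYS file) is shown below as an added example; it is not code from the thread or from the ASF. It assumes gpg and md5sum (or BSD md5) are on PATH and that KEYS is a local copy of the file at http://www.apache.org/dist/KEYS; the file names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread: verify an ASF-style release
# artifact laid out as NAME, NAME.asc (detached PGP signature) and NAME.md5.
# Assumptions: gpg and md5sum/md5 are installed; KEYS is a local copy of
# the project's KEYS file (path passed in by the caller).

# Compute the MD5 of a file as a lowercase hex string (GNU md5sum or BSD md5).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# verify_md5 FILE: compare FILE against FILE.md5. The .md5 file may hold a
# bare digest or "digest  filename"; only the first field of line 1 is used.
# Returns 0 on match, 1 on mismatch or missing checksum file. Note that a
# checksum served from the same host as the tarball only catches corruption;
# an attacker who can replace the tarball can replace the .md5 too.
verify_md5() {
    f=$1
    [ -f "$f.md5" ] || { echo "no checksum file for $f" >&2; return 1; }
    expected=$(awk 'NR==1 {print tolower($1)}' "$f.md5")
    actual=$(file_md5 "$f")
    if [ "$expected" = "$actual" ]; then
        echo "md5 ok: $f"
        return 0
    fi
    echo "md5 MISMATCH: $f (expected $expected, got $actual)" >&2
    return 1
}

# verify_sig FILE KEYS: import KEYS into a throwaway keyring and check the
# detached signature FILE.asc. This passes only if the signing key is in KEYS,
# so it is the check that detects a tampered download rather than the .md5.
verify_sig() {
    f=$1; keys=$2
    [ -f "$f.asc" ] || { echo "no signature file for $f" >&2; return 1; }
    ring=$(mktemp -d) || return 1
    gpg --homedir "$ring" --batch --quiet --import "$keys" 2>/dev/null
    if gpg --homedir "$ring" --batch --verify "$f.asc" "$f" 2>/dev/null; then
        echo "signature ok: $f"; rm -rf "$ring"; return 0
    fi
    echo "signature BAD or signer not in KEYS: $f" >&2; rm -rf "$ring"; return 1
}

# verify_release FILE KEYS: run both checks; fail if either fails.
# Usage (placeholder names): verify_release apache_1.3.19.tar.gz KEYS
verify_release() {
    verify_md5 "$1" && verify_sig "$1" "$2"
}
```

Run verify_release on the downloaded tarball before installing it; a failing signature check should block deployment even when the md5 matches, since only the .asc ties the file to a key listed in KEYS.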