Just a quick note.
We could sign jars, but what about tar and zip?
The jar could be safe, but someone could still add
malign code to wrapper scripts (.sh/.bat).
A feature to think of in Gump. Automatic rebuild
signature against a known PGP key.
When I release an RPM, I rebuild from source,
and thus any of the binary jars will lose signature.
Fortunately I always sign my RPM and the resulting
binary could be checked against my public key.
What about adding the committers' PGP key to the list
of keys on the Apache site?