Hi, Having read all this stuff about what is Jakarta, what is the PMC's role, etc reminded me of something which I think should be addressed at PMC level, if not higher - the policy of signing releases. We have put something in place at a subproject level for Ant but I think an overall policy is desirable.
I had a quick look at the latest release or beta of most project release directories. As far as I can tell, this is the status: Ant, Avalon, Tomcat 3.3 are signed. Taglibs appears to be signed but I didn't check its vast array of release components. BCEL, ECS, ORO, Regexp, Velocity and XMLRpc have md5 files but no signatures All others do not appear to be signed. Of the releases that are signed, all use .asc files for the signature except Avalon-Framework which uses .sig files (although its verify example uses .asc). I think a consistent, Jakarta-wide policy of signing distributions would be a good thing. Currently the subprojects that do sign their releases have their own KEYS file. Should there be a central Jakarta-wide KEYS file? Apache-wide? I can write or draft some text on how to go about signing a distribution. Perhaps it could be part of a committer "howto" page dealing with how to put togther a release. I don't mean the subproject specific stuff but other stuff like where you put releases, adding README.html, maybe even tagging and branching suggestions. It may even be good to move the full CVS access info into this area - whatever. Let me know your thoughts. Conor -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
