On 1/10/02 8:03 AM, "Conor MacNeill" <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Having read all this stuff about what is Jakarta, what is the PMC's
> role, etc reminded me of something which I think should be addressed at
> PMC level, if not higher - the policy of signing releases. We have put
> something in place at a subproject level for Ant but I think an overall
> policy is desirable.
>
> I had a quick look at the latest release or beta of most project release
> directories. As far as I can tell, this is the status:
>
> Ant, Avalon, Tomcat 3.3 are signed. Taglibs appears to be signed but I
> didn't check its vast array of release components.
> BCEL, ECS, ORO, Regexp, Velocity and XMLRpc have md5 files but no signatures.
> All others do not appear to be signed.
>
> Of the releases that are signed, all use .asc files for the signature
> except Avalon-Framework which uses .sig files (although its verify
> example uses .asc).
>
> I think a consistent, Jakarta-wide policy of signing distributions would
> be a good thing.
>
> Currently the subprojects that do sign their releases have their own
> KEYS file. Should there be a central Jakarta-wide KEYS file? Apache-wide?
>
> I can write or draft some text on how to go about signing a
> distribution. Perhaps it could be part of a committer "howto" page
> dealing with how to put together a release. I don't mean the subproject
> specific stuff but other stuff like where you put releases, adding
> README.html, maybe even tagging and branching suggestions. It may even
> be good to move the full CVS access info into this area - whatever.
>
> Let me know your thoughts.
>

+1 - the write-up would be great.

We in velocity land will do it for the next release.

--
Geir Magnusson Jr. [EMAIL PROTECTED]
System and Software Consulting
You're going to end up getting pissed at your software
anyway, so you might as well not pay for it. Try Open Source.
