Jody, what I meant was not how to create and use GPG keys, but how we manage keys. For example, do we rely on a web of trust with each developer having their own signing key or do we have an official GeoTools key, such as that used by Linux distributions (Fedora ...)? I guess the individual web-of-trust is the only practical solution for a decentralised community.

Also, should the scm entries point to the GeoTools poms used to build the packages, or should they, in the case of packaging third-party schemas, point to the originating third-party scm? Thirdly, if I am packaging third-party schemas, do you think it is appropriate that I use the third-party groupId or org.geotools? If we are going to maven central I want to be very careful to get it just right.

Kind regards,
Ben.

On 29/07/10 17:13, Jody Garnett wrote:
> The earlier link documented the process for a GPG key.
> - For more information, please refer to How To Generate PGP Signatures With
> Maven <https://docs.sonatype.org/display/Repository/How+To+Generate+PGP+Signatures+With+Maven>.
> Some folks have asked why do we require all this information in the POM for
> deployed artifacts so here's a small explanation. The POM being deployed with
> the artifact is part of the process to make transitive dependencies a reality
> in Maven. The logic for getting transitive dependencies working is really not
> that hard, the problem is getting the data. The other applications that are
> made possible by having all the POMs available for artifacts are vast, so by
> placing them into the repository as part of the process we open up the doors
> to new ideas that involve unified access to project POMs.
>
> The link above is to:
> (https://docs.sonatype.org/display/Repository/How+To+Generate+PGP+Signatures+With+Maven)
>
> Even if we fix download.osgeo.org it is not a
> great long term solution. I feel like we are a burden on what was intended as
> a download service. Getting our artefacts into maven central; and then
> distributed to the mirrors provides a much better service to our users.
>
>
> Jody
>
> On 29/07/2010, at 5:56 PM, Ben Caradoc-Davies wrote:
>
> On 29/07/10 15:05, Jody Garnett wrote:
> **<licenses>
> **<scm><url>
> **<scm><connection>
> **<developers>
> ** If the project packaging is jar, and the jar file contains java classes,
> there must be a -javadoc.jar for main artifact.
> ** If the project packaging is jar, there must be a -sources.jar for main
> artifact.
> ** All project artifacts are signed using GPG,
>
> I have a bunch of artifacts that are jars of GML application schemas used for
> GeoTools and GeoServer testing. Maven is the ideal way of distributing these
> so we can use them for offline testing. (app-schema-resolver enables schema
> resolution in these artifacts on the classpath.) None of them have sources or
> javadoc. I am just the packager, not the developer. Don't even get me started
> on the licensing or scm arrangements (these schemas are developed by
> international information standards communities that appear to have avoided
> addressing licensing issues).
>
> Also, how do we manage GPG signing keys?
>
> Any chance of fixing download.osgeo.org? I liked
> what we had.
>
> --
> Ben Caradoc-Davies <ben.caradoc-dav...@csiro.au>
> Software Engineering Team Leader
> CSIRO Earth Science and Resource Engineering
> Australian Resources Research Centre
>
>

--
Ben Caradoc-Davies <ben.caradoc-dav...@csiro.au>
Software Engineering Team Leader
CSIRO Earth Science and Resource Engineering
Australian Resources Research Centre

_______________________________________________
Geotools-devel mailing list
Geotools-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geotools-devel
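
The deployment requirements quoted in the thread above (the POM elements, the -sources.jar and -javadoc.jar rules, GPG signing) can be checked against a staged artifact set before upload. This is an added example, not code from the thread or from GeoTools; the function name, the flat file listing and the sample POM are assumptions, and it only checks that detached `.asc` signature files are present, not that they verify against any key.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# POM elements named in the quoted requirement list.
REQUIRED = ["m:licenses/m:license", "m:scm/m:url", "m:scm/m:connection",
            "m:developers/m:developer"]

def check_release(pom_xml, files, has_classes=True):
    """List what a staged artifact set lacks (hypothetical helper).
    files: staged file names; has_classes: False for class-free jars."""
    root = ET.fromstring(pom_xml)
    problems = []
    for path in REQUIRED:
        el = root.find(path, NS)
        # An element that is present but empty counts as missing.
        if el is None or not (len(el) or (el.text or "").strip()):
            problems.append("POM missing " + path.replace("m:", ""))
    artifact = root.findtext("m:artifactId", None, NS)
    version = (root.findtext("m:version", None, NS)
               or root.findtext("m:parent/m:version", None, NS))
    packaging = root.findtext("m:packaging", "jar", NS)
    base = "%s-%s" % (artifact, version)
    expected = [base + ".pom", base + "." + packaging]
    if packaging == "jar":
        expected.append(base + "-sources.jar")
        if has_classes:
            expected.append(base + "-javadoc.jar")
    present = set(files)
    for name in expected:
        if name not in present:
            problems.append("missing artifact " + name)
        elif name + ".asc" not in present:  # detached signature beside the file
            problems.append("missing GPG signature " + name + ".asc")
    return problems

# Constructed sample: a schema-only jar with an incomplete POM.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <artifactId>sample-schema</artifactId>
  <version>1.0</version>
  <licenses><license><name>Example License</name></license></licenses>
  <scm><url>http://example.org/scm</url></scm>
</project>"""
SAMPLE_FILES = ["sample-schema-1.0.pom", "sample-schema-1.0.pom.asc",
                "sample-schema-1.0.jar"]

if __name__ == "__main__":
    for problem in check_release(SAMPLE_POM, SAMPLE_FILES, has_classes=False):
        print(problem)
```

For a jar of schemas with no Java classes, `has_classes=False` drops only the -javadoc.jar expectation; the quoted rule still asks for a -sources.jar for any jar packaging.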