cstamas commented on PR #432:
URL: https://github.com/apache/maven-resolver/pull/432#issuecomment-1955093864

   Also, "artifact generator" is one thing, and its use for "signing" is 
another.
   
   If we remain in the "publishing to Central" domain, where PGP signature is 
enforced, and signing, I am not satisfied with any of the existing solutions:
   * maven-sign-plugin uses gpg executable
   * takari-sign-plugin cannot do ED25519 (but has cool ideas)
   * s4u sign plugin is unused in ASF (but has cool ideas)
   
   So I just "brought" the best of all here. At least, that was my intent. And 
yes, IMO, "signing" is a natural fit for "artifact generator" and IMO we should 
not complicate our build/POMs for something that _is an expected requirement_ 
(it is like we'd need to add a plugin to POM to create checksums, something also 
required to publish to Central).
   
   Also, "signer" is extensible, so it does not have to get GnuPG, it could be 
something else as well... so in this way, it is _not in Maven Core_ (wired in), 
but can progress and change, maybe as an extension.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.