Re: repository.apache.org, gpg signatures and site:attach-descriptor
What I saw is some of those staged artifacts were missing signatures. Nexus works correctly, it only complained the missing ones, not all. On Wed, Jan 13, 2010 at 2:32 PM, Stephen Connolly stephen.alan.conno...@gmail.com wrote: 2010/1/13 Brian Fox bri...@infinity.nu: We should definitely fix this, both in the GPG and in Nexus. Currently it expects all files to be signed and this is the first one we've come across that wasn't signed. I'll disable the rule now until it's sorted out and close the repo for you. Stephen, what ended up being the fix for the rest of the sigs? This morning it was complaining about all the sigs. I'm not sure, you'd need to ask Juven. On Tue, Jan 12, 2010 at 5:53 PM, Wendy Smoak wsm...@gmail.com wrote: On Tue, Jan 12, 2010 at 9:43 AM, Stephen Connolly stephen.alan.conno...@gmail.com wrote: For some reason the site descriptor does not get a signature generated by the gpg plugin. As r.a.o now requires all artifacts to be signed, it would appear to be impossible to close a staged repository. If it's going in the repo, I'd like to see it signed... but this hasn't been happening up to now, so it probably shouldn't block this release. The archetype catalog is another file that may be a problem, I noticed it wasn't signed in a recent Struts release. Is the list of files that require a signature configurable? -- Wendy - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org -- - juven
Re: repository.apache.org, gpg signatures and site:attach-descriptor
I've raised http://jira.codehaus.org/browse/MGPG-19 to track the root cause. A temporary work around would be to disable GPG validation on r.a.o -Stephen P.S. I'm blocked from releasing Surefire 2.5 due to this issue 2010/1/12 Stephen Connolly stephen.alan.conno...@gmail.com: For some reason the site descriptor does not get a signature generated by the gpg plugin. As r.a.o now requires all artifacts to be signed, it would appear to be impossible to close a staged repository. Or do other people have information to the contrary? -Stephen - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
Re: repository.apache.org, gpg signatures and site:attach-descriptor
Why does the site descriptor need to be released as part of the plugin? Why not release surefire without it? It's definitely a bug, but I'm failing to see why it's a blocker for now. Dan On Tue January 12 2010 11:56:28 am Stephen Connolly wrote: I've raised http://jira.codehaus.org/browse/MGPG-19 to track the root cause. A temporary work around would be to disable GPG validation on r.a.o -Stephen P.S. I'm blocked from releasing Surefire 2.5 due to this issue 2010/1/12 Stephen Connolly stephen.alan.conno...@gmail.com: For some reason the site descriptor does not get a signature generated by the gpg plugin. As r.a.o now requires all artifacts to be signed, it would appear to be impossible to close a staged repository. Or do other people have information to the contrary? -Stephen - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org -- Daniel Kulp dk...@apache.org http://www.dankulp.com/blog - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
Re: repository.apache.org, gpg signatures and site:attach-descriptor
The site stuff needs to be completely decoupled from releases. It such a horrible coupling and causes nothing but problems. Release and the documentation that goes along with it are completely separate. On 2010-01-12, at 12:08 PM, Daniel Kulp wrote: Why does the site descriptor need to be released as part of the plugin? Why not release surefire without it? It's definitely a bug, but I'm failing to see why it's a blocker for now. Dan On Tue January 12 2010 11:56:28 am Stephen Connolly wrote: I've raised http://jira.codehaus.org/browse/MGPG-19 to track the root cause. A temporary work around would be to disable GPG validation on r.a.o -Stephen P.S. I'm blocked from releasing Surefire 2.5 due to this issue 2010/1/12 Stephen Connolly stephen.alan.conno...@gmail.com: For some reason the site descriptor does not get a signature generated by the gpg plugin. As r.a.o now requires all artifacts to be signed, it would appear to be impossible to close a staged repository. Or do other people have information to the contrary? -Stephen - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org -- Daniel Kulp dk...@apache.org http://www.dankulp.com/blog - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org Thanks, Jason -- Jason van Zyl Founder, Apache Maven http://twitter.com/jvanzyl -- - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
Re: repository.apache.org, gpg signatures and site:attach-descriptor
Fair enough, but we cannot make releases as things currently stand 2010/1/12 Jason van Zyl ja...@sonatype.com: The site stuff needs to be completely decoupled from releases. It such a horrible coupling and causes nothing but problems. Release and the documentation that goes along with it are completely separate. On 2010-01-12, at 12:08 PM, Daniel Kulp wrote: Why does the site descriptor need to be released as part of the plugin? Why not release surefire without it? It's definitely a bug, but I'm failing to see why it's a blocker for now. Dan On Tue January 12 2010 11:56:28 am Stephen Connolly wrote: I've raised http://jira.codehaus.org/browse/MGPG-19 to track the root cause. A temporary work around would be to disable GPG validation on r.a.o -Stephen P.S. I'm blocked from releasing Surefire 2.5 due to this issue 2010/1/12 Stephen Connolly stephen.alan.conno...@gmail.com: For some reason the site descriptor does not get a signature generated by the gpg plugin. As r.a.o now requires all artifacts to be signed, it would appear to be impossible to close a staged repository. Or do other people have information to the contrary? -Stephen - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org -- Daniel Kulp dk...@apache.org http://www.dankulp.com/blog - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org Thanks, Jason -- Jason van Zyl Founder, Apache Maven http://twitter.com/jvanzyl -- - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
Re: repository.apache.org, gpg signatures and site:attach-descriptor
The root cause seems to be that m-gpg-p does not consider that project.artifact may have multiple entries (specifically the site metadata) We can argue that the site needs to be decoupled from releasing, but as the site descriptor is one of the artifacts of a project (as opposed to the site) then the site descriptor needs to be pushed to the repo too... therefore m-site-p is correct to attach it (but possibly incorrect attaching it directly to project.artifact) In any case MGPG-19 reflects this crazy model of attaching artifacts to a project because m-gpg-p does not look in this (frankly unknown to me) other way of attaching an artifact. If we are to fix this it will require re-deploying all the parents after deploying a new m-gpg-p... all of which I suspect will require turning off gpg validation on r.a.o first -Stephen 2010/1/12 Stephen Connolly stephen.alan.conno...@gmail.com: Fair enough, but we cannot make releases as things currently stand 2010/1/12 Jason van Zyl ja...@sonatype.com: The site stuff needs to be completely decoupled from releases. It such a horrible coupling and causes nothing but problems. Release and the documentation that goes along with it are completely separate. On 2010-01-12, at 12:08 PM, Daniel Kulp wrote: Why does the site descriptor need to be released as part of the plugin? Why not release surefire without it? It's definitely a bug, but I'm failing to see why it's a blocker for now. Dan On Tue January 12 2010 11:56:28 am Stephen Connolly wrote: I've raised http://jira.codehaus.org/browse/MGPG-19 to track the root cause. A temporary work around would be to disable GPG validation on r.a.o -Stephen P.S. I'm blocked from releasing Surefire 2.5 due to this issue 2010/1/12 Stephen Connolly stephen.alan.conno...@gmail.com: For some reason the site descriptor does not get a signature generated by the gpg plugin. As r.a.o now requires all artifacts to be signed, it would appear to be impossible to close a staged repository. Or do other people have information to the contrary? -Stephen - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org -- Daniel Kulp dk...@apache.org http://www.dankulp.com/blog - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org Thanks, Jason -- Jason van Zyl Founder, Apache Maven http://twitter.com/jvanzyl -- - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
Re: repository.apache.org, gpg signatures and site:attach-descriptor
You can use 3.x, I removed the site stuff from the lifecycle :-) On 2010-01-12, at 12:42 PM, Stephen Connolly wrote: Fair enough, but we cannot make releases as things currently stand 2010/1/12 Jason van Zyl ja...@sonatype.com: The site stuff needs to be completely decoupled from releases. It such a horrible coupling and causes nothing but problems. Release and the documentation that goes along with it are completely separate. On 2010-01-12, at 12:08 PM, Daniel Kulp wrote: Why does the site descriptor need to be released as part of the plugin? Why not release surefire without it? It's definitely a bug, but I'm failing to see why it's a blocker for now. Dan On Tue January 12 2010 11:56:28 am Stephen Connolly wrote: I've raised http://jira.codehaus.org/browse/MGPG-19 to track the root cause. A temporary work around would be to disable GPG validation on r.a.o -Stephen P.S. I'm blocked from releasing Surefire 2.5 due to this issue 2010/1/12 Stephen Connolly stephen.alan.conno...@gmail.com: For some reason the site descriptor does not get a signature generated by the gpg plugin. As r.a.o now requires all artifacts to be signed, it would appear to be impossible to close a staged repository. Or do other people have information to the contrary? -Stephen - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org -- Daniel Kulp dk...@apache.org http://www.dankulp.com/blog - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org Thanks, Jason -- Jason van Zyl Founder, Apache Maven http://twitter.com/jvanzyl -- - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org Thanks, Jason -- Jason van Zyl Founder, Apache Maven http://twitter.com/jvanzyl -- - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
Re: repository.apache.org, gpg signatures and site:attach-descriptor
Why is the site descriptor being generated for surefire? The shade release two weeks ago didn't generate a site file: http://repo1.maven.org/maven2/org/apache/maven/plugins/maven-shade-plugin/1.3/ and neither did the patch plugin: http://repo1.maven.org/maven2/org/apache/maven/plugins/maven-patch- plugin/1.1.1/ Dan On Tue January 12 2010 12:51:55 pm Stephen Connolly wrote: The root cause seems to be that m-gpg-p does not consider that project.artifact may have multiple entries (specifically the site metadata) We can argue that the site needs to be decoupled from releasing, but as the site descriptor is one of the artifacts of a project (as opposed to the site) then the site descriptor needs to be pushed to the repo too... therefore m-site-p is correct to attach it (but possibly incorrect attaching it directly to project.artifact) In any case MGPG-19 reflects this crazy model of attaching artifacts to a project because m-gpg-p does not look in this (frankly unknown to me) other way of attaching an artifact. If we are to fix this it will require re-deploying all the parents after deploying a new m-gpg-p... all of which I suspect will require turning off gpg validation on r.a.o first -Stephen 2010/1/12 Stephen Connolly stephen.alan.conno...@gmail.com: Fair enough, but we cannot make releases as things currently stand 2010/1/12 Jason van Zyl ja...@sonatype.com: The site stuff needs to be completely decoupled from releases. It such a horrible coupling and causes nothing but problems. Release and the documentation that goes along with it are completely separate. On 2010-01-12, at 12:08 PM, Daniel Kulp wrote: Why does the site descriptor need to be released as part of the plugin? Why not release surefire without it? It's definitely a bug, but I'm failing to see why it's a blocker for now. Dan On Tue January 12 2010 11:56:28 am Stephen Connolly wrote: I've raised http://jira.codehaus.org/browse/MGPG-19 to track the root cause. A temporary work around would be to disable GPG validation on r.a.o -Stephen P.S. I'm blocked from releasing Surefire 2.5 due to this issue 2010/1/12 Stephen Connolly stephen.alan.conno...@gmail.com: For some reason the site descriptor does not get a signature generated by the gpg plugin. As r.a.o now requires all artifacts to be signed, it would appear to be impossible to close a staged repository. Or do other people have information to the contrary? -Stephen - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org -- Daniel Kulp dk...@apache.org http://www.dankulp.com/blog - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org Thanks, Jason -- Jason van Zyl Founder, Apache Maven http://twitter.com/jvanzyl -- - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org -- Daniel Kulp dk...@apache.org http://www.dankulp.com/blog - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
Re: repository.apache.org, gpg signatures and site:attach-descriptor
Then project site generation will be borked (even more than usual) I've no issues using 3.0-SNAPSHOT 2010/1/12 Jason van Zyl ja...@sonatype.com: You can use 3.x, I removed the site stuff from the lifecycle :-) On 2010-01-12, at 12:42 PM, Stephen Connolly wrote: Fair enough, but we cannot make releases as things currently stand 2010/1/12 Jason van Zyl ja...@sonatype.com: The site stuff needs to be completely decoupled from releases. It such a horrible coupling and causes nothing but problems. Release and the documentation that goes along with it are completely separate. On 2010-01-12, at 12:08 PM, Daniel Kulp wrote: Why does the site descriptor need to be released as part of the plugin? Why not release surefire without it? It's definitely a bug, but I'm failing to see why it's a blocker for now. Dan On Tue January 12 2010 11:56:28 am Stephen Connolly wrote: I've raised http://jira.codehaus.org/browse/MGPG-19 to track the root cause. A temporary work around would be to disable GPG validation on r.a.o -Stephen P.S. I'm blocked from releasing Surefire 2.5 due to this issue 2010/1/12 Stephen Connolly stephen.alan.conno...@gmail.com: For some reason the site descriptor does not get a signature generated by the gpg plugin. As r.a.o now requires all artifacts to be signed, it would appear to be impossible to close a staged repository. Or do other people have information to the contrary? -Stephen - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org -- Daniel Kulp dk...@apache.org http://www.dankulp.com/blog - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org Thanks, Jason -- Jason van Zyl Founder, Apache Maven http://twitter.com/jvanzyl -- - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org Thanks, Jason -- Jason van Zyl Founder, Apache Maven http://twitter.com/jvanzyl -- - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
Re: repository.apache.org, gpg signatures and site:attach-descriptor
Look at the POM lifecycle. The site stuff is wedged in there. I removed this in 3.x. http://svn.apache.org/repos/asf/maven/maven-2/tags/maven-2.2.0/maven-core/src/main/resources/META-INF/plexus/components.xml On 2010-01-12, at 12:59 PM, Daniel Kulp wrote: Why is the site descriptor being generated for surefire? The shade release two weeks ago didn't generate a site file: http://repo1.maven.org/maven2/org/apache/maven/plugins/maven-shade-plugin/1.3/ and neither did the patch plugin: http://repo1.maven.org/maven2/org/apache/maven/plugins/maven-patch- plugin/1.1.1/ Dan On Tue January 12 2010 12:51:55 pm Stephen Connolly wrote: The root cause seems to be that m-gpg-p does not consider that project.artifact may have multiple entries (specifically the site metadata) We can argue that the site needs to be decoupled from releasing, but as the site descriptor is one of the artifacts of a project (as opposed to the site) then the site descriptor needs to be pushed to the repo too... therefore m-site-p is correct to attach it (but possibly incorrect attaching it directly to project.artifact) In any case MGPG-19 reflects this crazy model of attaching artifacts to a project because m-gpg-p does not look in this (frankly unknown to me) other way of attaching an artifact. If we are to fix this it will require re-deploying all the parents after deploying a new m-gpg-p... all of which I suspect will require turning off gpg validation on r.a.o first -Stephen 2010/1/12 Stephen Connolly stephen.alan.conno...@gmail.com: Fair enough, but we cannot make releases as things currently stand 2010/1/12 Jason van Zyl ja...@sonatype.com: The site stuff needs to be completely decoupled from releases. It such a horrible coupling and causes nothing but problems. Release and the documentation that goes along with it are completely separate. On 2010-01-12, at 12:08 PM, Daniel Kulp wrote: Why does the site descriptor need to be released as part of the plugin? Why not release surefire without it? It's definitely a bug, but I'm failing to see why it's a blocker for now. Dan On Tue January 12 2010 11:56:28 am Stephen Connolly wrote: I've raised http://jira.codehaus.org/browse/MGPG-19 to track the root cause. A temporary work around would be to disable GPG validation on r.a.o -Stephen P.S. I'm blocked from releasing Surefire 2.5 due to this issue 2010/1/12 Stephen Connolly stephen.alan.conno...@gmail.com: For some reason the site descriptor does not get a signature generated by the gpg plugin. As r.a.o now requires all artifacts to be signed, it would appear to be impossible to close a staged repository. Or do other people have information to the contrary? -Stephen - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org -- Daniel Kulp dk...@apache.org http://www.dankulp.com/blog - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org Thanks, Jason -- Jason van Zyl Founder, Apache Maven http://twitter.com/jvanzyl -- - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org -- Daniel Kulp dk...@apache.org http://www.dankulp.com/blog - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org Thanks, Jason -- Jason van Zyl Founder, Apache Maven http://twitter.com/jvanzyl -- - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
Re: repository.apache.org, gpg signatures and site:attach-descriptor
Jason van Zyl wrote: The site stuff needs to be completely decoupled from releases. It such a horrible coupling and causes nothing but problems. Release and the documentation that goes along with it are completely separate. That might be so, but the site descriptor is needed for (site) inheritance reasons and therefor needs to be deployed to the repo. On 2010-01-12, at 12:08 PM, Daniel Kulp wrote: Why does the site descriptor need to be released as part of the plugin? Why not release surefire without it? It's definitely a bug, but I'm failing to see why it's a blocker for now. Dan On Tue January 12 2010 11:56:28 am Stephen Connolly wrote: I've raised http://jira.codehaus.org/browse/MGPG-19 to track the root cause. A temporary work around would be to disable GPG validation on r.a.o -Stephen P.S. I'm blocked from releasing Surefire 2.5 due to this issue 2010/1/12 Stephen Connolly stephen.alan.conno...@gmail.com: For some reason the site descriptor does not get a signature generated by the gpg plugin. As r.a.o now requires all artifacts to be signed, it would appear to be impossible to close a staged repository. Or do other people have information to the contrary? -Stephen - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org -- Daniel Kulp dk...@apache.org http://www.dankulp.com/blog - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org Thanks, Jason -- Jason van Zyl Founder, Apache Maven http://twitter.com/jvanzyl -- - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org -- Dennis Lundberg - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
Re: repository.apache.org, gpg signatures and site:attach-descriptor
On 13/01/2010, at 4:59 AM, Daniel Kulp wrote: Why is the site descriptor being generated for surefire? Because it has an inherited site descriptor to share across the subprojects: http://svn.apache.org/viewvc/maven/surefire/tags/surefire-2.5/src/site/site.xml?view=log For Stephen to work around this, he could remove that from target/checkout and then run release:perform again (And put it back for site deployment). We should look into why GPG isn't going the right thing regardless, otherwise it may affect other projects (in which case, Brian may need to implemented some exclusion rule for site descriptors on the check). - Brett -- Brett Porter br...@apache.org http://brettporter.wordpress.com/ - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
Re: repository.apache.org, gpg signatures and site:attach-descriptor
On Tue, Jan 12, 2010 at 9:43 AM, Stephen Connolly stephen.alan.conno...@gmail.com wrote: For some reason the site descriptor does not get a signature generated by the gpg plugin. As r.a.o now requires all artifacts to be signed, it would appear to be impossible to close a staged repository. If it's going in the repo, I'd like to see it signed... but this hasn't been happening up to now, so it probably shouldn't block this release. The archetype catalog is another file that may be a problem, I noticed it wasn't signed in a recent Struts release. Is the list of files that require a signature configurable? -- Wendy - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
Re: repository.apache.org, gpg signatures and site:attach-descriptor
We should definitely fix this, both in the GPG and in Nexus. Currently it expects all files to be signed and this is the first one we've come across that wasn't signed. I'll disable the rule now until it's sorted out and close the repo for you. Stephen, what ended up being the fix for the rest of the sigs? This morning it was complaining about all the sigs. On Tue, Jan 12, 2010 at 5:53 PM, Wendy Smoak wsm...@gmail.com wrote: On Tue, Jan 12, 2010 at 9:43 AM, Stephen Connolly stephen.alan.conno...@gmail.com wrote: For some reason the site descriptor does not get a signature generated by the gpg plugin. As r.a.o now requires all artifacts to be signed, it would appear to be impossible to close a staged repository. If it's going in the repo, I'd like to see it signed... but this hasn't been happening up to now, so it probably shouldn't block this release. The archetype catalog is another file that may be a problem, I noticed it wasn't signed in a recent Struts release. Is the list of files that require a signature configurable? -- Wendy - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
Re: repository.apache.org, gpg signatures and site:attach-descriptor
2010/1/13 Brian Fox bri...@infinity.nu: We should definitely fix this, both in the GPG and in Nexus. Currently it expects all files to be signed and this is the first one we've come across that wasn't signed. I'll disable the rule now until it's sorted out and close the repo for you. Stephen, what ended up being the fix for the rest of the sigs? This morning it was complaining about all the sigs. I'm not sure, you'd need to ask Juven. On Tue, Jan 12, 2010 at 5:53 PM, Wendy Smoak wsm...@gmail.com wrote: On Tue, Jan 12, 2010 at 9:43 AM, Stephen Connolly stephen.alan.conno...@gmail.com wrote: For some reason the site descriptor does not get a signature generated by the gpg plugin. As r.a.o now requires all artifacts to be signed, it would appear to be impossible to close a staged repository. If it's going in the repo, I'd like to see it signed... but this hasn't been happening up to now, so it probably shouldn't block this release. The archetype catalog is another file that may be a problem, I noticed it wasn't signed in a recent Struts release. Is the list of files that require a signature configurable? -- Wendy - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org - To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org