On 6/2/08, Noel J. Bergman [EMAIL PROTECTED] wrote:
Robert Burrell Donkin wrote:
my conclusion was that meta-data signed by [keys in the] WoT would be good
enough.
there's no need to distribute a master key
+1
key management is tricky
Not that tricky. Let's not make as if this isn't
I thought this thread started with the idea: if maven would be able
to validate signature, we could use this feature to inform someone
that he is using incubator artefacts.
I thought the idea that launched this thread was to have a unique key
for the incubator that the user has as to trust if he
On 6/3/08, Gilles Scokart [EMAIL PROTECTED] wrote:
I thought this thread started with the idea: if maven would be able
to validate signature, we could use this feature to inform someone
that he is using incubator artefacts.
I thought the idea that launched this thread was to have a unique key
2008/5/31 Noel J. Bergman [EMAIL PROTECTED]:
Implement that, and we're fine. We will
require Incubator artifacts to be signed by a designated key available to
the PMC, and once a user has acknowledged that they accept such Incubator
signed artifacts, maven can do what it wants with them.
Gilles Scokart wrote:
Noel J. Bergman:
Implement that, and we're fine. We will
require Incubator artifacts to be signed by a designated key available
to
the PMC, and once a user has acknowledged that they accept such
Incubator
signed artifacts, maven can do what it wants with them.
On Mon, Jun 2, 2008 at 7:29 PM, William A. Rowe, Jr.
[EMAIL PROTECTED] wrote:
Noel J. Bergman wrote:
Gilles Scokart wrote:
Noel J. Bergman:
Implement that, and we're fine. We will
require Incubator artifacts to be signed by a designated key available
to
the PMC, and once a user has
On Sat, May 31, 2008 at 8:11 PM, Craig L Russell [EMAIL PROTECTED] wrote:
On May 30, 2008, at 10:33 PM, Robert Burrell Donkin wrote:
On Sat, May 31, 2008 at 3:42 AM, Brett Porter [EMAIL PROTECTED]
wrote:
2008/5/31 Brian E. Fox [EMAIL PROTECTED]:
Can you elaborate more on what you mean
: enforced signing of artifacts, [was maven repository]
On Sat, May 31, 2008 at 8:11 PM, Craig L Russell [EMAIL PROTECTED]
wrote:
On May 30, 2008, at 10:33 PM, Robert Burrell Donkin wrote:
On Sat, May 31, 2008 at 3:42 AM, Brett Porter
[EMAIL PROTECTED]
wrote:
2008/5/31 Brian E. Fox [EMAIL
Robert Burrell Donkin wrote:
my conclusion was that meta-data signed by [keys in the] WoT would be good
enough.
there's no need to distribute a master key
+1
key management is tricky
Not that tricky. Let's not make as if this isn't done routinely elsewhere.
this is where the complexity
William A. Rowe, Jr. wrote:
Why is it not equally possible to validate against a short list of keys
(e.g. infra PMC members) and their immediate trust. This is what gpg is
good at.
First get the code built into Maven for actually checking the signatures and
we're golden, with multiple
Brian E. Fox wrote:
I think this thread belongs on the Maven lists as it's only
tangential to the decision about the incubator repository.
Well, that's not entirely true. It is rather key to a satisfactory
resolution, with the possible exception of some interim measure.
The process for
On Sat, May 31, 2008 at 1:33 AM, Robert Burrell Donkin
[EMAIL PROTECTED] wrote:
IMO this isn't really a maven issue: basic checks should be performed
on all releases. i favour a private subversion repository with custom
hooks for release publishing.
I think it very much is a maven issue.
On Sat, May 31, 2008 at 9:05 AM, James Carman
[EMAIL PROTECTED] wrote:
On Sat, May 31, 2008 at 1:33 AM, Robert Burrell Donkin
[EMAIL PROTECTED] wrote:
IMO this isn't really a maven issue: basic checks should be performed
on all releases. i favour a private subversion repository with custom
On May 30, 2008, at 10:33 PM, Robert Burrell Donkin wrote:
On Sat, May 31, 2008 at 3:42 AM, Brett Porter
[EMAIL PROTECTED] wrote:
2008/5/31 Brian E. Fox [EMAIL PROTECTED]:
Can you elaborate more on what you mean here? I've been on the
Maven PMC
for over a year now and this is the first
Brian E. Fox wrote:
I really don't care what cuts across the grain of Maven. I do care
about the established principle that people must make a deliberate
decision to use Incubator artifacts. If Maven would finally support
enforcing signing of artifacts, as they have been asked to do for
2008/5/31 Brian E. Fox [EMAIL PROTECTED]:
Can you elaborate more on what you mean here? I've been on the Maven PMC
for over a year now and this is the first I've heard of it.
We do support signing of artifacts and all the maven releases are
signed. We obviously don't control all the other