> One thing I'd like to see is *every* JAR signed w/ certs under a
> single CA, say the Maven one.
Well, we have an ASF CA, which I would trust. Talk with Ben Laurie about
it.
--- Noel
Hi Steve,
I'd like to do whatever we can to get better security on this stuff. I
just need to get my head around what JAR signing provides in
comparison to key signing, and what impact it might have on existing
code. I'll read up on it.
Is there a rough timeframe on the next Ant release so we can
Hi,
I've been reading the security proposal for the maven2 repository @
http://docs.codehaus.org/display/MAVEN/Maven2+repository
One thing I'd like to see is *every* JAR signed w/ certs under a
single CA, say the Maven one. That way, if I go against a public
maven2 repository for JAR download, I
Brett Porter wrote:
There is another case:
maven.repo.central.directory=/www/www.apache.org/dist/java-repository
By Maven 1.0 this was deprecated. You can now specify multiple
deployment targets, so I have:
maven.repo.apache=scp://www.apache.org
maven.repo.apache.directory=/www/www.apache.org/dis
On Wed, 12 Jan 2005 08:53:04 -0500, Mark R. Diggory <[EMAIL PROTECTED]> wrote:
> As I was discussing in the jakarta-general list earlier. There are a
> number of projects with mavan project properties setup with the
> following parameter.
>
> maven.repo.remote=http://www.apache.org/dist/java-repos
As I was discussing in the jakarta-general list earlier. There are a
number of projects with mavan project properties setup with the
following parameter.
maven.repo.remote=http://www.apache.org/dist/java-repository/,http://www.ibiblio.org
Bretts correct that in this case the requests should fall
On Tue, 11 Jan 2005, Mark R. Diggory wrote:
> Date: Tue, 11 Jan 2005 19:31:22 -0500
> From: Mark R. Diggory <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: Where to publish Xalan code on http://www.apache.org/dist
> (fwd)
[ I wrote : ]
> > Remove ?
[ Mark : ]
> I've been p
Henk P. Penning wrote:
My bad. I copied it to the wrong location. I fixed the JARs, forgot
the POMs and will remove them next time I have SSH access.
Ok ; fine ; I was afraid I missed something.
To generalise a little further, are all *SNAPSHOT* thingies in
the repository 'bad' (as in, don'
Henk P. Penning wrote:
Hm, it would seem the latest sanctioned 'maven' is in
/www/www.apache.org/dist/maven/binaries/maven-1.0.2.tar.gz
.. unpacking it shows me
maven-1.0.2/plugins/maven-site-plugin-1.5.2.jar
so the latest sanctioned maven-site-plugin appears to be '1.5.2'.
Or isn'
> Clearly there is vague definition here if this symlink can point at a
> release like this.
Yes, this is exactly the problem. Theoretical intention aside, all
SNAPSHOT means in practice now is that if you depend on it, Maven will
always check for something newer. What newer means is at the
discre
Dion,
Maybe I formed my ideas earlier in Mavens history when SNAPSHOT was
simply a symlink that could be moved to point at any release. Some
places in the repository actually have SNAPSHOT symlinks that point to a
fully versioned releases... These are not interim builds...
lrwxrwxr-x 1 jvanzyl
11 matches
Mail list logo
