[ https://issues.apache.org/jira/browse/ZOOKEEPER-224?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12649119#action_12649119 ]
Hiram Chirino commented on ZOOKEEPER-224:
-----------------------------------------

Hi Patrick,

1) Yeah.. same key used to sign the distro. Just so that folks who get the artifacts from maven can verify that it's from a trusted source.

2) The /www/people.apache.org/repo/m2-ibiblio-rsync-repository directory is the Apache Maven2 release repository. Only official releases should be pushed there. Artifacts deployed here will get mirrored to the maven central repository. You deploy to this the same way you deployed the release distro to people.apache.org:/www/www.apache.org/dist/hadoop/zookeeper. I would just scp to people.apache.org:/www/people.apache.org/repo/m2-ibiblio-rsync-repository

3) Yes. The entire directory structure and files contained within the http://people.apache.org/~chirino/zk-repo/ directory need to be preserved. If my directory had GPG signed all the artifacts (including poms), you would have been able to ssh into the people.apache.org machine and run:
{code}
cp -r /x1/users/chirino/public_html/zk-repo/* /www/people.apache.org/repo/m2-ibiblio-rsync-repository
{code}

4) Same implications that you have when you deploy your release distro to the people.apache.org:/www/www.apache.org/dist/hadoop/zookeeper directory. As long as the people.apache.org does not get hacked only Apache committers can deploy a signed zk jar. Just like with release distros, the onus of verifying jar signatures lies with the downstream user. You guys should document this well on your website along with the KEYS file they should validate against. And hope that the website hosting the KEYS file does not get hacked too :) (The chain of trust and security is so fragile!)
> Deploy ZooKeeper 3.0.0 to a Maven Repository
> --------------------------------------------
>
>                 Key: ZOOKEEPER-224
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-224
>             Project: Zookeeper
>          Issue Type: Task
>          Components: build
>    Affects Versions: 3.0.0
>            Reporter: Hiram Chirino
>            Assignee: Patrick Hunt
>            Priority: Critical
>
> I've created the maven poms needed for the 3.0.0 release.
> The directory structure and artifacts located at:
> http://people.apache.org/~chirino/zk-repo/
> aka
> people.apache.org:/x1/users/chirino/public_html/zk-repo
> Just needs to get GPG signed by the project KEY and deployed to:
> people.apache.org:/www/people.apache.org/repo/m2-ibiblio-rsync-repository
> Who's the current ZooKeeper release manager?

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
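
The signing requirement in point 3 of the comment (every artifact, poms included, carries a GPG signature before the tree is copied into the release repository), written as a pre-copy check. This is an added example, not part of the original message or the ZooKeeper project's tooling; the function names, the `zk-keys.gpg` keyring name and the set of files treated as unsigned-by-design are assumptions.

```shell
#!/bin/sh
# Added example (not from the ZooKeeper project): pre-deployment check for a
# Maven 2 repository tree such as the zk-repo directory discussed above.

# Print every artifact under directory $1 that has no detached .asc signature.
# Assumption: checksum files and maven-metadata.xml are not themselves signed.
unsigned_artifacts() {
    find "$1" -type f \
        ! -name '*.asc' ! -name '*.md5' ! -name '*.sha1' \
        ! -name 'maven-metadata.xml' |
    sort |
    while IFS= read -r f; do
        [ -f "$f.asc" ] || printf '%s\n' "$f"
    done
}

# Print every .asc under $1 that gpgv cannot verify against keyring $2.
# The keyring is assumed to be built from the project's KEYS file, e.g.
#   gpg --no-default-keyring --keyring ./zk-keys.gpg --import KEYS
bad_signatures() {
    find "$1" -type f -name '*.asc' | sort |
    while IFS= read -r sig; do
        gpgv --keyring "$2" "$sig" "${sig%.asc}" >/dev/null 2>&1 ||
            printf '%s\n' "$sig"
    done
}

# Return 0 only if the tree is safe to copy: everything signed and, when a
# keyring path is given as $2, every signature valid.
check_repo() {
    missing=$(unsigned_artifacts "$1")
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing" | sed 's/^/unsigned: /'
        return 1
    fi
    [ -n "${2:-}" ] || return 0
    bad=$(bad_signatures "$1" "$2")
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/bad signature: /'
        return 1
    fi
    return 0
}

# Run as: sh check-repo.sh REPO_DIR [KEYRING]
[ $# -eq 0 ] || check_repo "$@"
```

The same check works for a downstream user on a mirrored copy of the tree, provided the keyring was built from a KEYS file obtained over a channel they trust.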