Hiram Chirino commented on ZOOKEEPER-224:

Hi Patrick,

1) Yeah.. same key used to sign the distro.  Just so that folks who get the 
artifacts from maven can verify that it's from a trusted source.

2) The /www/people.apache.org/repo/m2-ibiblio-rsync-repository directory is the 
Apache Maven2 release repository.  Only official releases should be pushed 
there.  Artifacts deployed here will get mirrored to the maven central 
repository.  You deploy to this the same way you deployed the release distro to 
people.apache.org:/www/www.apache.org/dist/hadoop/zookeeper.  I would just scp 
to people.apache.org:/www/people.apache.org/repo/m2-ibiblio-rsync-repository

3) Yes. The entire directory structure and files contained within the 
http://people.apache.org/~chirino/zk-repo/ directory need to be preserved.  If 
my directory had GPG signed all the artifacts (including poms), you would have 
been able to ssh into the people.apache.org machine and run: 
cp -r /x1/users/chirino/public_html/zk-repo/* 

4) Same implications that you have when you deploy your release distro to the 
people.apache.org:/www/www.apache.org/dist/hadoop/zookeeper directory.  As long 
as people.apache.org does not get hacked, only Apache committers can deploy 
a signed zk jar.  Just like with release distros, the onus of verifying jar 
signatures lies with the downstream user.  You guys should document this well 
on your website along with the KEYS file they should validate against.  And 
hope that the website hosting the KEYS file does not get hacked too :)  (The 
chain of trust and security is so fragile!)

> Deploy ZooKeeper 3.0.0 to a Maven Repository
> --------------------------------------------
>                 Key: ZOOKEEPER-224
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-224
>             Project: Zookeeper
>          Issue Type: Task
>          Components: build
>    Affects Versions: 3.0.0
>            Reporter: Hiram Chirino
>            Assignee: Patrick Hunt
>            Priority: Critical
> I've created the maven poms needed for the 3.0.0 release.  
> The directory structure and artifacts located at:
> http://people.apache.org/~chirino/zk-repo/
> aka
> people.apache.org:/x1/users/chirino/public_html/zk-repo
> Just needs to get GPG signed by the project KEY and deployed to:
> people.apache.org:/www/people.apache.org/repo/m2-ibiblio-rsync-repository
> Who's the current ZooKeeper release manager?
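
The check implied by points 3 and 4 of the comment above, as an added example that is not part of the original message or of ZooKeeper's release tooling: confirm that every jar and pom in a repository tree has a detached `.asc` signature, then verify each signature against only the keys in the project's KEYS file. The function names, the throwaway-keyring approach and the paths are assumptions; `gpg` and `mktemp` must be installed.

```shell
#!/bin/sh
# Added example: pre-deploy / downstream check of a Maven repository tree.
# Function names are illustrative and not taken from any project script.

# Print every artifact (jar or pom) that has no detached signature
# (<file>.asc) beside it. Prints nothing when the tree is fully signed.
unsigned_artifacts() {
    find "$1" -type f \( -name '*.jar' -o -name '*.pom' \) | sort |
    while IFS= read -r f; do
        [ -f "$f.asc" ] || printf '%s\n' "$f"
    done
}

# verify_repo REPO_DIR KEYS_FILE
# Returns 0 only if every artifact is signed and every signature verifies
# against a key from KEYS_FILE. A fresh keyring is used so that keys
# already in the caller's own keyring cannot satisfy the check.
verify_repo() {
    repo=$1
    keys=$2
    missing=$(unsigned_artifacts "$repo")
    if [ -n "$missing" ]; then
        printf 'unsigned artifacts:\n%s\n' "$missing" >&2
        return 1
    fi
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    if ! gpg --homedir "$home" --batch --quiet --import "$keys"; then
        rm -rf "$home"
        return 1
    fi
    # The loop runs in an explicit subshell; its exit status carries the result.
    find "$repo" -type f -name '*.asc' | (
        rc=0
        while IFS= read -r sig; do
            gpg --homedir "$home" --batch --verify "$sig" "${sig%.asc}" \
                2>/dev/null || { printf 'BAD %s\n' "${sig%.asc}" >&2; rc=1; }
        done
        exit "$rc"
    )
    rc=$?
    rm -rf "$home"
    return "$rc"
}
```

A release manager would run `verify_repo` on the staged tree before copying it into the release repository; a downstream user would run it on downloaded artifacts with the KEYS file published by the project.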
