[
https://issues.apache.org/jira/browse/ZOOKEEPER-224?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12649119#action_12649119
]
Hiram Chirino commented on ZOOKEEPER-224:
-----------------------------------------
Hi Patrick,
1) Yeah.. same key used to sign the distro. Just so that folks who get the
artifacts from maven can verify that it's from a trusted source.
2) The /www/people.apache.org/repo/m2-ibiblio-rsync-repository directory is the
Apache Maven2 release repository. Only official releases should be pushed
there. Artifacts deployed here will get mirrored to the maven central
repository. You deploy to this the same way you deployed the release distro to
people.apache.org:/www/www.apache.org/dist/hadoop/zookeeper. I would just scp
to people.apache.org:/www/people.apache.org/repo/m2-ibiblio-rsync-repository
3) Yes. The entire directory structure and files contained within the
http://people.apache.org/~chirino/zk-repo/ directory need to be preserved. If
my directory had GPG signed all the artifacts (including poms), you would have
been able to ssh into the people.apache.org machine and run:
{code}
cp -r /x1/users/chirino/public_html/zk-repo/*
/www/people.apache.org/repo/m2-ibiblio-rsync-repository
{code}
4) Same implications that you have when your deploy your release distro to the
people.apache.org:/www/www.apache.org/dist/hadoop/zookeeper directory. As long
as the people.apache.org does not get hacked only Apache committers can deploy
a signed zk jar. Just like with release distros, the onus of verifying jar
signatures lies with the downstream user. You guys should document this well
on your website along with the KEYS file they should validate against. And
hope that the website hosting the KEYS file does not get hacked too :) (The
chain of trust and security is so fragile!)
> Deploy ZooKeeper 3.0.0 to a Maven Repository
> --------------------------------------------
>
> Key: ZOOKEEPER-224
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-224
> Project: Zookeeper
> Issue Type: Task
> Components: build
> Affects Versions: 3.0.0
> Reporter: Hiram Chirino
> Assignee: Patrick Hunt
> Priority: Critical
>
> I've created the maven poms needed for the 3.0.0 release.
> The directory structure and artifacts located at:
> http://people.apache.org/~chirino/zk-repo/
> aka
> people.apache.org:/x1/users/chirino/public_html/zk-repo
> Just need sto get GPG signed by the project KEY and deployed to:
> people.apache.org:/www/people.apache.org/repo/m2-ibiblio-rsync-repository
> Who's the current ZooKeeper release manager?
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
