Emmanuel Bourg:
> Hi Thomas,
>
> I'm a committer on the Apache Commons project, if you have an itch to
> scratch with one of the libraries (commons-lang, commons-collections,
> etc) I should be able to help quickly.
>
> Do you have specific examples of Apache projects affected by the issues
> you mentioned?

Hi Emmanuel,

thank you for offering your help. As I wrote, it would be very helpful if somebody (you) could start to lobby for sane artifact signing at Apache conferences and on mailing lists. It doesn't make sense to sign release artifacts with GPG keys as long as those keys don't have any signature that would link them to the web-of-trust. So you could start to run key signing parties at Apache events or with your teammates.

Second thing is with source tarballs or Git repos. For building a Debian package we need a source tarball that does not contain any non-free or binary artifacts. The typical Ant project has a lib/ folder containing jars. We need to repackage and get rid of the lib/ folder. So it's generally a good thing if projects move to Maven or use at least Ivy.

Regards,

Thomas Koch, http://www.koch.ro

Archive: http://lists.debian.org/201303220853.07199.tho...@koch.ro