Antoine Levy-Lambert wrote:
-------- Original Message --------
Date: Mon, 05 Jun 2006 14:40:12 +0100
From: Steve Loughran <[EMAIL PROTECTED]>
To: Ant Developers List <dev@ant.apache.org>
Subject: Re: pgp key for signing files

We can't sign the binaries themselves, as Java suddenly changes into secure mode when that happens.

Hello Steve,
what we do sign using PGP are the .tar.bz2, .tar.gz and .zip files which 
constitute the binary distribution. This is something different from signing a 
jar. The individual ant jars are not signed by Java means.

Exactly. Having had an email discussion with Ben Laurie on the topic, we should really have a separate PGP key purely for signing these artifacts, that is separate from anything used to encrypt emails. Why so? Because when the UK government key retrieval clause in the RIPA bill engages, they have the right to demand the decode keys from anyone subject to the UK courts, namely UK citizens, residents or anyone just passing through Heathrow airport. I know the risk of the government demanding your PGP key so that they can release their own patched version is pretty low, but the risk is there.



We also need to look at the release docs to see if it covers distribution to the maven repository.


Does this directory [1] have something to do with Maven?
There are instructions to populate it in the release instructions [2].

In any case I would be curious to know what is the use of this java-repository.

I'm checking with repository@apache.org, home of the repository police - the "repo men" :)


Regards,

Antoine
-steve


[1] http://archive.apache.org/dist/java-repository/ant/
[2] http://svn.apache.org/viewvc/ant/core/trunk/ReleaseInstructions?revision=278300&view=markup


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
