How would that work logistically?  I publish RC
artifacts, and once they're voted on, you sign the
same artifacts that presumably you personally
reviewed?  Doesn't that necessarily force us -not- to
use the full mvn process?

Indeed - that would mean not using the gpg maven plugin

Let's get him signed :)

I have seen mentioned the idea of getting a signing
done without a F2F.

Why? Where are you located? Antarctica? ;-)

If anyone has ideas on how to
make this secure, I'm all ears.  Otherwise, how many
signatures are needed?  Or does it just depend on how
strongly trusted (how many signatures IT has)  a given
signature is?

I'd think a signature from just a few apache folks would do.

cheers
--
Torsten
