On 9/15/06, Hiram Chirino <[EMAIL PROTECTED]> wrote:
> On 9/14/06, robert burrell donkin <[EMAIL PROTECTED]> wrote:
> > On 9/14/06, Hiram Chirino <[EMAIL PROTECTED]> wrote:
> > > On 9/14/06, robert burrell donkin <[EMAIL PROTECTED]> wrote:
<snip>
> > > If this was not the case then every artifact in the maven repo would
> > > need to be signed and that seems like a bit of overkill.
> >
> > the policy is clear - they must be signed. this might seem like
> > overkill until you consider the cost to your personal reputation if an
> > unsigned jar is substituted by malware. signing by release managers is
> > an easy and effective protection which is why infrastructure insists
> > upon it. in the (hopefully unlikely) event of a compromise, it is much
> > easier and quicker for a release manager to verify that the signature
> > is still valid than to recut the release.
>
> Does anybody know if there is a way to get maven to sign every artifact
> that gets deployed? As far as I know that does not exist yet.
the last i heard it is planned but is currently stalled, waiting on the
completion of a signing utility. maybe someone who knows more might like
to jump in about now...

- robert
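The verification side of what robert describes (a release manager confirming that every published artifact still carries a valid detached signature, rather than recutting the release) can be scripted. The following POSIX shell script is an added example for this thread; it is not code from the list, from Maven, or from any ASF tooling. It assumes a local copy of the repository tree, that each artifact's detached signature sits beside it as `<artifact>.asc`, and that the signing keys (for example from the project's KEYS file) have already been imported into the local gpg keyring. The artifact extensions checked (`jar`, `pom`, `war`) are an assumption as well.

```shell
#!/bin/sh
# Added example, not part of the original thread: audit a local Maven
# repository directory for unsigned or badly signed artifacts.
# Assumptions: detached signatures live at "<artifact>.asc" next to each
# artifact, and the release keys are already in the local gpg keyring.

# verify_signature ARTIFACT SIGNATURE
#   Returns 0 only when gpg accepts SIGNATURE as a valid detached signature
#   over ARTIFACT made by a key in the keyring. A missing gpg counts as a
#   failure so that an audit never silently passes.
verify_signature() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed; cannot verify $1" >&2
        return 1
    fi
    gpg --batch --verify "$2" "$1" >/dev/null 2>&1
}

# check_artifacts DIR
#   Prints one status line per artifact (OK, UNSIGNED or BAD) and returns 0
#   only when every artifact under DIR has a signature that verifies.
check_artifacts() {
    dir="$1"
    failures=0
    # Write the file list to a temp file so the loop runs in the current
    # shell (a pipeline would run it in a subshell and lose $failures).
    list=$(mktemp)
    find "$dir" -type f \( -name '*.jar' -o -name '*.pom' -o -name '*.war' \) \
        | sort > "$list"
    while IFS= read -r artifact; do
        sig="$artifact.asc"
        if [ ! -f "$sig" ]; then
            echo "UNSIGNED  $artifact"
            failures=$((failures + 1))
        elif verify_signature "$artifact" "$sig"; then
            echo "OK        $artifact"
        else
            echo "BAD       $artifact"
            failures=$((failures + 1))
        fi
    done < "$list"
    rm -f "$list"
    [ "$failures" -eq 0 ]
}

# Usage: check_artifacts /path/to/local/repository && echo "all artifacts verified"
```

Run it against a checkout of the repository directory before and after an incident: a clean run shows only `OK` lines and exits 0, while any `UNSIGNED` or `BAD` line pinpoints the artifact that needs attention. Because gpg only reports success for keys it already trusts in the keyring, the result is only as meaningful as the KEYS file that was imported first.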