Brett Porter wrote:
> Noel J. Bergman:
> > I really don't care what cuts across the grain of Maven. I do care about
> > the established principle that people must make a deliberate decision to use
> > Incubator artifacts. If Maven would finally support enforcing signing of
> > artifacts, as they have been asked to do for years, we could use an
> > Incubator-specific signing key, forcing people to approve the use of
> > Incubator artifacts, regardless of download location.

> You're asking for it to enforce the use of signed artifacts out of the
> box, not enforce signing.

Yes. As noted in my reply to Brian E. Fox in his renamed thread "enforced signing of artifacts".

> I still think that's some time off from happening

Well, you know how I feel about that ...

> I'm more than happy to throw an enforcer rule into the next Maven
> release that warns users if they are:
> - using the incubator repository
> - using an artifact from org.apache.* with version *-incubating.
> and point them to a URL to learn more.
> Will that do?

Wearing my Incubator PMC hat? Possibly. Please elaborate.

Wearing my security hat? Not in the slightest, but I'm willing to focus on the Incubator's issues here.

Obviously, this won't solve the problem of people using older versions of Maven, but I'm not sure if there is a good solution to that, is there?

> > By the way, there has been some talk in Infrastructure about shutting down
> > the ASF's repository entirely if Maven does not provide enforcement of
> > signed artifacts, due to security concerns.

> Can you point me to the message ID and list? I don't recall it.

Would have been on infra@ a time or few over the years.

--- Noel
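The rule Brett sketches above (warn when a build pulls from the Incubator repository or uses an org.apache.* artifact with a *-incubating version) can be expressed today with the Maven Enforcer Plugin's built-in bannedDependencies and bannedRepositories rules, without writing a new rule. The pom.xml fragment below is an added example, not code from the thread or from the Maven project; the plugin version, the repository URL and the "learn more" URL are placeholders, and the fail=false setting is what turns a hard failure into the warning Brett described.

```xml
<!-- Added example (not from the thread): Maven Enforcer Plugin configuration
     for a project's pom.xml. Repository URL and info URL are placeholders. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <version>3.4.1</version> <!-- assumed: any release with both rules below -->
      <executions>
        <execution>
          <id>flag-incubator-artifacts</id>
          <goals>
            <goal>enforce</goal>
          </goals>
          <configuration>
            <!-- fail=false: log the rule message as a warning and continue;
                 set to true to make use of Incubator artifacts a hard stop -->
            <fail>false</fail>
            <rules>
              <bannedDependencies>
                <excludes>
                  <!-- pattern is groupId:artifactId:version; '*' is a wildcard,
                       so this matches any org.apache.* artifact whose version
                       ends in -incubating, including transitive dependencies -->
                  <exclude>org.apache.*:*:*-incubating</exclude>
                </excludes>
                <message>
                  This build uses an Apache Incubator artifact; see
                  http://INFO-URL-PLACEHOLDER for what that implies.
                </message>
              </bannedDependencies>
              <bannedRepositories>
                <bannedRepositories>
                  <!-- placeholder for the Incubator repository URL; the
                       trailing ** matches any path under that host -->
                  <bannedRepository>http://INCUBATOR-REPO-PLACEHOLDER/**</bannedRepository>
                </bannedRepositories>
              </bannedRepositories>
            </rules>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Two caveats that match the thread's own points: this only takes effect in builds that run the enforcer (a project must declare it, or inherit it from a parent POM), so it does nothing for users of older Maven releases or for projects that never add it; and it keys on naming and download location, not on who signed the artifact, so it addresses the Incubator's disclosure concern rather than the signed-artifact enforcement Noel is asking for.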