On Sat, May 31, 2008 at 3:30 AM, Noel J. Bergman <[EMAIL PROTECTED]> wrote: > Brett Porter wrote: > >> Noel J. Bergman: >> > I really don't care what cuts across the grain of Maven. I do care > about >> > the established principle that people must make a deliberate decision to > use >> > Incubator artifacts. If Maven would finally support enforcing signing > of >> > artifacts, as they have been asked to do for years, we could use an >> > Incubator-specific signing key, forcing people to approve the use of >> > Incubator artifacts, regardless of download location. > >> You're asking for it to enforce the use of signed artifacts out of the >> box, not enforce signing. > > Yes. As noted in my reply to Brian E. Fox in his renamed thread "enforced > signing of artifacts".
i've talked at length about this before (IIRC with brett and others) and done quite a bit of thinking. it is a much more general issue than just maven. one signature isn't good enough. it would be good for maven to lead the way but IMO we need a comprehensive solution for all apache releases. - robert --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
