Brett Porter wrote:
> Currently, it has checking turned on by default, but that isn't going to be
> a reasonable setting for some releases to come until the signatures in the
> repository are cleaned up.
Why not enforce checking, but provide the ability for users to manually approve unsigned artifacts? Once you cache the downloaded artifact, you should not have to approve from cache.

> For the releases to be identified as from the incubator, they'll need to be
> signed solely by "the incubator". Did you want to elaborate on how you
> anticipated that set up working?

There are a variety of options, as have been discussed in this thread. An obvious, and overly simple, solution is a designated signing key for the Incubator PMC, and we maintain strict control over the private key.

Just having a naive WoT is insufficient, since while I might be authorized to release for JAMES or the Incubator, I am not authorized to release for Maven.

But Henning, Dw, Ben (Laurie), Justin and others have experience in this area, and the details should probably be discussed on infrastructure-dev.

--- Noel
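Added illustration (not from the thread, not Maven's code) of the two points above: signing keys are authorized per project rather than trusted globally, and an unsigned artifact needs a manual approval that is then cached for that artifact. It assumes the cryptographic signature check itself is done elsewhere (e.g. by GnuPG) and only the verified signer's key id reaches this policy; the group ids and key ids are constructed.

```python
import hashlib

# Constructed policy: which key ids may sign releases for which project.
# A key that is valid for JAMES or the Incubator is not thereby valid for Maven.
AUTHORIZED_KEYS = {
    "org.apache.james": {"KEY-NOEL"},
    "org.apache.incubator": {"KEY-INCUBATOR-PMC"},
    "org.apache.maven": {"KEY-BRETT"},
}


def artifact_digest(data: bytes) -> str:
    """Content hash used to identify a downloaded artifact in the approval cache."""
    return hashlib.sha256(data).hexdigest()


class ArtifactPolicy:
    def __init__(self, authorized_keys):
        self.authorized = authorized_keys
        self.approved_unsigned = set()  # (group_id, digest) pairs a user approved by hand

    def check(self, group_id, data, signer_key, approve_unsigned=None):
        """Return (verdict, reason) for one artifact.

        signer_key is the key id of an already-verified signature, or None if the
        artifact is unsigned. approve_unsigned is an optional callback standing in
        for the interactive prompt; it is consulted only for unsigned artifacts.
        """
        digest = artifact_digest(data)
        if signer_key is None:
            if (group_id, digest) in self.approved_unsigned:
                return ("accept", "unsigned, manual approval cached for this artifact")
            if approve_unsigned is not None and approve_unsigned(group_id, digest):
                self.approved_unsigned.add((group_id, digest))
                return ("accept", "unsigned, manually approved")
            return ("reject", "unsigned and not approved")
        # Default deny: a project with no authorized keys accepts nothing.
        if signer_key in self.authorized.get(group_id, set()):
            return ("accept", "signed by a key authorized for %s" % group_id)
        return ("reject", "key %s is not authorized for %s" % (signer_key, group_id))
```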