On Fri, 2008-10-03 at 11:20 -0400, Noel J. Bergman wrote:
> Henning Schmiedehausen wrote:
>
> > There is a pretty nice proposal on
> > http://people.apache.org/~henkp/trust/, however this will again take a
> > piece of "freedom of doing software at Apache" away and introduce some
> > administrative overhead that all projects must implement and manage.
>
> But, as you say, it is worth doing something, whether exactly that or not,
> because
>
> > Formalizing the signing of our releases would be a huge step towards a
> > reliable validation for the Apache software releases.
>
> > It still does not help you with third-party releases, though.
>
> Is it our problem if you mean a third party, e.g., IBM, releasing our code
> as part of their own commercial product?
Actually I meant verifying/validating the third-party dependencies that Apache projects *use*. So even if we go through all the pains of making sure that our users really get "apache-baz-1.0", it might just pull in "some-random-dependency-from-sourceforge-1.0" which cannot be validated.

Ciao
Henning
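The gap Henning points at, as an added example that is not part of the thread: a release can be pinned and verified, yet the dependency closure it pulls in may contain artifacts for which no digest or signature exists at all. The small verification pass below (written for this page, not Apache's own tooling) checks every artifact in the closure against a manifest of pinned SHA-256 digests and reports three outcomes: verified, mismatch, and unverifiable (nothing pinned to check against). The artifact bytes, the manifest and the names other than "apache-baz-1.0" and "some-random-dependency-from-sourceforge-1.0" are constructed for the example.

```python
# Added example, not code from the original thread or from any Apache project.
# Verifies a dependency closure against a manifest of pinned SHA-256 digests and
# makes "we have nothing to check this against" an explicit, reported state.
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    name: str
    status: str  # "verified", "mismatch" or "unverifiable"
    detail: str


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an artifact's bytes, hex encoded."""
    return hashlib.sha256(data).hexdigest()


# Constructed artifact contents standing in for downloaded archives.
ARTIFACTS = {
    "apache-baz-1.0": b"constructed contents of apache-baz-1.0.tar.gz",
    "some-random-dependency-from-sourceforge-1.0":
        b"constructed contents of a transitive dependency nobody pinned",
    "tampered-lib-2.3": b"constructed contents that differ from what was pinned",
}

# Constructed manifest: the digests a release manager publishes with a release
# (and that a build would pin for its dependencies). There is deliberately no
# entry for the sourceforge dependency, which is exactly the unverifiable case.
MANIFEST = {
    "apache-baz-1.0": sha256_hex(ARTIFACTS["apache-baz-1.0"]),
    "tampered-lib-2.3": sha256_hex(b"constructed: what tampered-lib-2.3 was supposed to be"),
}


def verify_dependency(name: str, data: bytes, manifest: dict) -> Verdict:
    """Compare one artifact against its pinned digest; absence is not a pass."""
    expected = manifest.get(name)
    actual = sha256_hex(data)
    if expected is None:
        return Verdict(name, "unverifiable", "no pinned digest or signature available")
    if expected != actual:
        return Verdict(name, "mismatch", f"expected {expected[:16]}..., got {actual[:16]}...")
    return Verdict(name, "verified", actual[:16] + "...")


def verify_closure(artifacts: dict, manifest: dict) -> list:
    """Verdict for every artifact in the closure, in a stable (sorted) order."""
    return [verify_dependency(name, data, manifest) for name, data in sorted(artifacts.items())]


def closure_is_trustworthy(verdicts: list) -> bool:
    """The release is only as validated as its weakest transitive dependency."""
    return all(v.status == "verified" for v in verdicts)


if __name__ == "__main__":
    results = verify_closure(ARTIFACTS, MANIFEST)
    for v in results:
        print(f"{v.status:13} {v.name}: {v.detail}")
    print("closure trustworthy:", closure_is_trustworthy(results))
```

Run as a script it reports "apache-baz-1.0" as verified, the sourceforge dependency as unverifiable and the tampered library as a mismatch, so the closure as a whole is not trustworthy even though the Apache artifact itself checked out. Digest pinning only proves an artifact matches what was pinned; tying it to a publisher still needs a signature over the digest, which is the piece a formal release-signing policy would supply and which third-party dependencies often lack.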