On Fri, 2008-10-03 at 12:31 -0400, Noel J. Bergman wrote:
>
> We don't have to. We can simply mandate that every ASF project sign their
> artifacts and charge the Maven PMC with enforcing it.

No. The Maven PMC is charged with developing software for the Apache Maven project. If we really want to put a distribution policy in place and enforce it, I can see us creating a repository PMC which does this (and talk to Maven about the features that they would like to see or (gasp!) implement them and contribute them back to Maven). I would see such a PMC as part of or collaborating with Infrastructure.

Maven is a piece of software, not a distribution mechanism. They just happen to build it because no one else did.

> And perhaps now you start to gain a glimmer of the depth of the problem
> created by Maven's irresponsible, unconscionable, lackadaisical, attitude
> towards security, despite other repository exemplars (e.g., linux
> distributions), having had security in place for years. Yes, it may be a

Please stop it, Noel. This is not constructive.

Ciao
Henning