Jason van Zyl wrote:

> Noel, your comments are completely out of whack with reality. You are
> asking Maven to enforce something that no one does. Pretty much
> almost no one.
> Checking PGP signatures is obviously not something the vast majority of people do.

Really? Try following the instructions at http://www.medibuntu.org/ for adding the repository without adding the PGP key, and see how well it works. Not that I am suggesting a single, centralized, master key for the entire repository. And, again, RedHat takes it so seriously that they shut down their distribution network when they had even the slightest concern that the signing keys were compromised.

If you are saying that we don't have signed packages, I agree with you that more projects should be signing. I have signed JAMES releases for years. But the problem is much worse when using Maven, since users haven't a clue as to the provenance of the artifacts they don't even realize they are loading onto their systems.

In any event, this discussion should be moved to either repository@ or [EMAIL PROTECTED]

--- Noel