On 11/22/2012 08:15 AM, Alon Bar-Lev wrote:
> Hello,
>
> The otopi and ovirt-host-deploy projects provide Java artifacts so that
> ovirt-engine can be built using common constants and a trivial parser.
>
> I would like to publish these artifacts at Maven Central to ease the ovirt-engine
> build, as it will automatically fetch these dependencies just like every
> other dependency.
>
> In order to do so I need to sign the artifacts.
>
> Questions:
>
> Should we have a unique key for each package?
> Should we have a single key for all oVirt releases?
>
> The advantage of a key for each package is that the maintainer can release
> artifacts at will.
> The advantage of a single key is that a single trust can be obtained.
>
> What do you think?
When I have verified artifacts from Maven (not many times, to be honest) I have always found that they are signed by different individuals, even if they are from related projects. I would suggest that the release manager for each project signs the artifact with her/his own key, as sharing private keys between different people can be a nightmare, and is not very secure. I would also suggest that release managers sign each other's code signing keys.

--
Commercial address: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta 3ºD, 28016 Madrid, Spain
Registered in the Madrid Mercantile Register – C.I.F. B82657941 - Red Hat S.L.
_______________________________________________
Arch mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/arch
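The key-handling model the reply argues for, as an added shell example that is not part of this thread or of the oVirt projects: two release managers each generate and keep their own GnuPG key, one certifies the other's key after checking its fingerprint out of band, and a verifier who has chosen to trust only one of the two keys still ends up with a fully valid signature from the other. The names, e-mail addresses and the "jar" are constructed; the script assumes GnuPG 2.1 or later on PATH. The detached, ASCII-armored .asc written by sign_artifact is the form Maven Central expects next to each artifact (the maven-gpg-plugin runs the same gpg signing step during the build).

```shell
#!/bin/sh
# Added example (not from the oVirt thread): per-release-manager signing keys,
# cross-certification, and verification through the web of trust.
# Everything here is constructed: key holders, e-mail addresses and the "jar"
# are stand-ins. Requires GnuPG 2.1+ (for %no-protection and --quick-sign-key).
set -eu

WORK="$(mktemp -d)"
ARTIFACT="$WORK/otopi-1.0.0.jar"
printf 'constructed stand-in for a release jar\n' > "$ARTIFACT"

# One isolated keyring per party. A secret key never leaves the keyring it
# was generated in; only public keys and certifications are exchanged.
for party in otopi hostdeploy verifier; do
  mkdir -m 700 "$WORK/$party"
done

g() { # $1 = party whose keyring to use, remaining args = gpg arguments
  party="$1"; shift
  GNUPGHOME="$WORK/$party" gpg --batch --yes --quiet "$@"
}

gen_key() { # $1 = party, $2 = real name, $3 = e-mail; unprotected key, demo only
  g "$1" --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

fpr() { # $1 = party, $2 = e-mail; prints the primary key fingerprint
  g "$1" --with-colons --list-keys "$2" | awk -F: '$1 == "fpr" { print $10; exit }'
}

sign_artifact() { # $1 = party, $2 = signer fingerprint, $3 = file; writes $3.asc
  g "$1" --local-user "$2" --armor --detach-sign --output "$3.asc" "$3"
}

signature_good() { # $1 = file; exit 0 iff $1.asc is a valid signature over $1
  g verifier --verify "$1.asc" "$1" 2>/dev/null
}

trust_level() { # $1 = file; prints gpg's TRUST_* status line for the signing key
  g verifier --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null |
    awk '$1 == "[GNUPG:]" && $2 ~ /^TRUST_/ { print $2; exit }'
}

cleanup() { # stop the per-keyring agents and remove the scratch directory
  for party in otopi hostdeploy verifier; do
    GNUPGHOME="$WORK/$party" gpgconf --kill gpg-agent
  done
  rm -rf "$WORK"
}

# 1. Each release manager generates and holds their own key; nothing is shared.
gen_key otopi      'otopi release manager' 'otopi-rm@example.invalid'
gen_key hostdeploy 'ovirt-host-deploy release manager' 'hd-rm@example.invalid'
OTOPI_FPR="$(fpr otopi otopi-rm@example.invalid)"
HD_FPR="$(fpr hostdeploy hd-rm@example.invalid)"

# 2. The otopi release manager signs the artifact with their own key.
sign_artifact otopi "$OTOPI_FPR" "$ARTIFACT"

# 3. Cross-certification: after checking the fingerprint out of band, the
#    ovirt-host-deploy release manager signs the otopi key and republishes it.
g otopi --armor --export "$OTOPI_FPR" > "$WORK/otopi-pub.asc"
g hostdeploy --import "$WORK/otopi-pub.asc"
g hostdeploy --quick-sign-key "$OTOPI_FPR"
g hostdeploy --armor --export "$OTOPI_FPR" > "$WORK/otopi-pub-certified.asc"
g hostdeploy --armor --export "$HD_FPR"    > "$WORK/hd-pub.asc"

# 4. The verifier ultimately trusts only the ovirt-host-deploy key (ownertrust 6),
#    yet the otopi signature validates through that one certification.
g verifier --import "$WORK/otopi-pub-certified.asc" "$WORK/hd-pub.asc"
printf '%s:6:\n' "$HD_FPR" | g verifier --import-ownertrust
g verifier --check-trustdb

trust_level "$ARTIFACT"            # prints TRUST_FULLY
```

Without step 3 the same verification still reports a good signature, but with TRUST_UNDEFINED: the cross-signature is what turns "one trusted release manager" into trust in every release manager's artifacts, which is the single point of trust the original question asked for, without anyone ever handling another person's private key.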
