----- Original Message -----
> From: "Juan Hernandez" <[email protected]>
> To: "Alon Bar-Lev" <[email protected]>
> Cc: "arch" <[email protected]>
> Sent: Thursday, November 22, 2012 10:48:33 AM
> Subject: Re: oVirt artifacts at maven repository
>
> On 11/22/2012 08:15 AM, Alon Bar-Lev wrote:
> >
> > Hello,
> >
> > The otopi and ovirt-host-deploy projects provide java artifacts so
> > that ovirt-engine can be built using common constants and a trivial
> > parser.
> >
> > I would like to publish these artifacts at maven central to ease the
> > ovirt-engine build, as it will automatically fetch these
> > dependencies just like every other dependency.
> >
> > In order to do so I need to sign the artifacts.
> >
> > Questions:
> >
> > Should we have a unique key for each package?
> > Should we have a single key for all oVirt releases?
> >
> > The advantage of a key for each package is that the maintainer can
> > release artifacts at will.
> > The advantage of a single key is that a single trust can be obtained.
> >
> > What do you think?
>
> When I have verified artifacts from maven (not many times, to be
> honest) I always found that they are signed by different individuals,
> even if they are from related projects.
>
> I would suggest that the release manager for each project signs the
> artifact with her/his key, as sharing private keys between different
> people can be a nightmare, and not very secure.
>
> I would also suggest that release managers sign each other's code
> signing keys.
Thank you,

I don't think sharing a release key is a nightmare, as publishing artifacts or creating a release is usually the role of 1-2 people.

I don't like using personal keys on outputs as people come and go, and it is very hard to match between the personal key and the authorized signer.

I prefer a single release key per release artifact (sub-project).

Regards,
Alon
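The check that the "match between the personal key and authorized signer" concern above implies, written as an added example that is not part of this thread or of the oVirt projects: it reads the issuer out of an ASCII-armored detached OpenPGP signature and compares it against a per-artifact allowlist of release keys. The artifact names come from the thread; the key IDs are constructed placeholders, and the sample signature is constructed and not cryptographically valid, so this is a policy check to run beside gpg --verify, not a replacement for it.

```python
import base64

# Authorised release key per artifact (long key IDs): constructed placeholders, not real oVirt keys.
AUTHORIZED_SIGNERS = {"otopi": {"FEDCBA9876543210"},
                      "ovirt-host-deploy": {"0123456789ABCDEF"}}

def _subpackets(area):
    """Yield (type, body) for each v4 signature subpacket (RFC 4880 5.2.3.1)."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        else:                            # two-octet length; the five-octet form is not handled
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        yield area[i], area[i + 1:i + length]
        i += length

def issuer_key_id(armored):
    """Long key ID (16 hex chars) that a detached v4 signature names as its issuer."""
    body = armored.strip().splitlines()[1:-1]
    body = body[body.index("") + 1:] if "" in body else body   # skip armor headers
    raw = base64.b64decode("".join(l for l in body if not l.startswith("=")))  # "=" line is the CRC
    off = {0: 2, 1: 3, 2: 5}.get(raw[0] & 3)   # old-format header: tag octet + 1/2/4-octet length
    if not off or raw[0] & 0xC0 != 0x80 or (raw[0] >> 2) & 0x0F != 2 or raw[off] != 4:
        raise ValueError("expected an old-format v4 signature packet")
    u = off + 6 + int.from_bytes(raw[off + 4:off + 6], "big")   # end of hashed subpacket area
    unhashed_end = u + 2 + int.from_bytes(raw[u:u + 2], "big")
    subs = list(_subpackets(raw[off + 6:u])) + list(_subpackets(raw[u + 2:unhashed_end]))
    fprs = [d[-8:] for t, d in subs if t == 33 and d[0] == 4]   # Issuer Fingerprint (v4 fpr)
    ids = [d for t, d in subs if t == 16]                        # Issuer key ID
    if not (fprs or ids):
        raise ValueError("signature names no issuer")
    return (fprs or ids)[0].hex().upper()

def is_authorized_signer(artifact, armored):
    """Policy check only: is the issuer an allowed release key for this artifact? Run gpg --verify too."""
    return issuer_key_id(armored) in AUTHORIZED_SIGNERS.get(artifact, set())

def constructed_signature(key_id_hex):
    """Syntactically (not cryptographically) valid armored v4 signature naming key_id_hex as issuer."""
    key_id = bytes.fromhex(key_id_hex)
    hashed = b"\x05\x02\x50\xad\xe1\xe0" + b"\x16\x21\x04" + b"\xaa" * 12 + key_id  # creation time + issuer fpr
    unhashed = b"\x09\x10" + key_id                                                  # issuer key ID
    body = (b"\x04\x00\x01\x08" + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed + b"\xab\xcd\x00\x10\x12\x34")
    packet = b"\x88" + bytes([len(body)]) + body   # tag 2, one-octet length
    return "-----BEGIN PGP SIGNATURE-----\n\n%s\n-----END PGP SIGNATURE-----\n" % base64.b64encode(packet).decode()
```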
