On Tue, Apr 5, 2022 at 2:57 PM Dirk Fauth via cross-project-issues-dev <
cross-project-issues-dev@eclipse.org> wrote:

> @Aleks
> Maybe jetty is already signed correctly? What will the process be for
> unsigned content?
>

This has been an ongoing topic for the last year or so. The core is
https://github.com/eclipse-platform/eclipse.platform.releng.aggregator/blob/master/eclipse.platform.releng.tychoeclipsebuilder/pom.xml#L38
which defines which key to use to sign (every project has a gpg key which
is available via the Jenkins build). There is a param that defines that only
non-jarsigned content is signed with pgp as it's still preferred for our
own artifacts to be jarsigned but changing upstream artifacts should be
avoided when possible.


>
>
> Christoph Läubrich <lae...@laeubi-soft.de> wrote on Tue, Apr 5, 2022,
> 13:54:
>
>>  > When Maven Central is not OSGi artifact, Orbit will be preferred.
>>
>> I can only encourage everyone to open a ticket for such a project and help
>> them to include OSGi meta-data in the first place instead of putting the
>> effort elsewhere, as adding those does not harm the project but helps
>> integrating it with just a few extra lines in the manifest.
>>
>> On 05.04.22 at 13:48, Aleksandar Kurtakov wrote:
>> > Hey everyone,
>> > With PGP signing support, latest Tycho work and M2E extending PDE so
>> > *.target files can refer/use dependencies from Maven Central directly
>> > will prefer to use dependencies from Maven Central when updating to new
>> > versions of libraries.
>> > This would be done only when we update to a new version of libraries or
>> > the dependency we use is no longer available in the latest Orbit build.
>> > When Maven Central is not OSGi artifact, Orbit will be preferred.
>> >  From releng POV it would simply remove the middle man (Orbit/EBR) as
>> > Tycho automates what was achieved via EBR as an intermediate step to be
>> > part of the regular build.
>> > Extra benefits are:
>> > * Eclipse will no longer ship modified version of upstream release (PGP
>> > signature is in p2 metadata and not modifying the jar as jarsigner does)
>> > * Eclipse will no longer ship bundles with symbolic names that do not
>> > match upstream developers decision (as it happens with number of Orbit
>> > artifacts)
>> > * Version updates could be done in chunks rather than all changes at
>> > once to work with latest Orbit
>> >
>> > I strongly encourage other projects to take that path too for third
>> > party dependencies.
>> >
>> >
>> > --
>> > Aleksandar Kurtakov
>> > Red Hat Eclipse Team
>> >
>> > _______________________________________________
>> > cross-project-issues-dev mailing list
>> > cross-project-issues-dev@eclipse.org
>> > To unsubscribe from this list, visit
>> https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev


-- 
Aleksandar Kurtakov
Red Hat Eclipse Team