Quoting Olivier Lamy <[email protected]>:
Hi,
You say ".... staging/releases ...".
Really?
You want to share a GPG key which can sign official Apache releases in
an external system where you don't have any control over who has access
and reads files?
I don't think that was the plan. Signed releases have not been
produced on external systems so far, either.
As Andrew B's question pointed out, we would only need to look at a
solution for this if *snapshots* are also expected to be signed. Is
that the case?
We haven't been signing them so far (see e.g. [1]), hence have not run
into this problem yet...
Thanks!
ap
[1] https://oss.sonatype.org/content/repositories/snapshots/org/jclouds/jclouds-project/1.7.0-SNAPSHOT/