On 17-Jul-08, at 3:35 AM, Brett Porter wrote:
I've checked in my work so far on this. It's a pretty small and
straightforward set of changes and it works for a project using
signed artifacts and plugins. Of course, it gets very unhappy about
the distinct lack of signatures in central on most projects.

I am going to look at creating a second repository on central that
contains only signatures. I'll copy across the ones that already
exist, and generate them using the shared "I trust the old
repository" key. I'll have it mod_rewrite anything that isn't a
detached signature to the old repo, so you can use the alternate URL
as an "alternate", signed, central repo. It won't take up much space
(which I'll verify) and I'll not be evolving the signatures at this
time as it's just a prototype.
Any comments?

It's just a prototype. I say go for it and then write it up.
At the same time we have work in Mercury that myself, Oleg, Jesse,
Greg, and Jan have worked on in a significant way. Shane is
currently working on the new POM builder but he's got some working PGP
work that will be integrated into Mercury as well. Once this work is
done we will propose using that in 2.1 and I see Mercury becoming the
de facto standard for dealing with Maven repositories.
But prototype away!

Cheers,
Brett

On 12/07/2008, at 2:42 AM, Brett Porter wrote:
Hi,

I've wanted to pick up my work on this for some time and was
prodded by the [EMAIL PROTECTED] threads to take another crack at
this.

http://docs.codehaus.org/display/MAVEN/Repository+Security (the
issue and related branches are linked)

I've created a couple of branches to try integrating the work again
in as simple and non-intrusive a manner (both in code and to the
user) as possible. I already have commons-openpgp in the sandbox
from some time ago to deal with processing the signatures (it
doesn't have any external dependencies other than Bouncy Castle),
so I'll integrate that.

If anyone else wants to offer feedback or dive in, you're more than
welcome!
Cheers,
Brett
--
Brett Porter
[EMAIL PROTECTED]
http://blogs.exist.com/bporter/
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Thanks,
Jason
----------------------------------------------------------
Jason van Zyl
Founder, Apache Maven
jason at sonatype dot com
----------------------------------------------------------