>I really don't care what cuts across the grain of Maven. I do care about
>the established principle that people must make a deliberate decision to use
>Incubator artifacts. If Maven would finally support enforcing signing of
>artifacts, as they have been asked to do for years, we could use an
>Incubator-specific signing key, forcing people to approve the use of
>Incubator artifacts, regardless of download location.

Can you elaborate more on what you mean here? I've been on the Maven PMC for over a year now and this is the first I've heard of it. We do support signing of artifacts and all the maven releases are signed. We obviously don't control all the other Apache projects in a way to enforce that they sign their artifacts.