Moved to the thread it belongs in ... Jason van Zyl wrote: > Noel J. Bergman wrote: > > Emmanuel Lecharny wrote: >>> Better a bad decision than no decision, otherwise, soon, nobody will >>> vote anymore... >> Not really. Consider that there appears to be a clear consensus >> that if Maven were to fix the download situation, requiring that users >> approve the user of Incubator artifacts, rather than transparently use >> them, many of the -1 would be +1.
> That's unlikely to happen. We're not going to be implementing policy > enforcement for you. We don't need for you to implement any "policy" other than the requirement for users to approve authorized signing keys. You simply need to implement artifact signing and mandatory authorization, which is why I've moved this to the thread Brett started for purposes of discussing signing. Did you not see what just happened to Redhat with respect to Fedora? They take artifact security seriously. For a long time, it has appeared that Maven does not, but I am hopeful now that mandatory authorization will appear, so that I and others will not have to increase lobbying efforts to have the Maven repository closed, at least with respect to ASF projects. --- Noel --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]