Henning Schmiedehausen wrote:

> There is a pretty nice proposal on http://people.apache.org/~henkp/trust/,
> however this will again take a piece of "freedom of doing software at
> Apache" away and introduce some administrative overhead that all projects
> must implement and manage.

But, as you say, it is worth doing something, whether exactly that or not, because

> Formalizing the signing of our releases would be a huge step towards a
> reliable validation for the Apache software releases.

> It still does not help you with third-party releases, though.

Is it our problem if you mean a third party, e.g., IBM, releasing our code as part of their own commercial product?

> IMHO: Anyone who is using maven for commercial software development and
> does not run a controlled, in-house repository that is actively managed
> and maintained is IMHO in for big, ugly surprises in the long run.

+1

Unfortunately, I believe that you'd be talking about a "high 9s" percentage of the population of Maven users who do NOT follow that rule.

--- Noel
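The "reliable validation" the thread is after is, on the consumer's side, a checksum plus a detached PGP signature checked against the project's own KEYS file. The script below is an added example for this thread, not code from Noel, Henning or Apache; it assumes the usual layout where `foo.tar.gz` sits next to `foo.tar.gz.sha512`, `foo.tar.gz.asc` and a `KEYS` file, and those names and paths are illustrative.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread or from Apache: check a downloaded
# release artifact against its published .sha512 checksum and its detached
# .asc signature, trusting only the keys in the project's KEYS file.
# File names and the KEYS path are assumptions for illustration.
set -eu

# SHA-512 of a file as lowercase hex; works with GNU coreutils and BSD/macOS.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# Compare $1 with the digest in checksum file $2. Published .sha512 files come
# in two layouts: "<hex>  <filename>" (sha512sum output) and
# "<filename>: <HEX broken into groups across lines>" (gpg --print-md output).
# Both are normalised to one bare lowercase hex string before comparing.
verify_checksum() {
    local artifact=$1 sumfile=$2 expected actual
    expected=$(tr -d ' \t\r\n' < "$sumfile" | sed 's/^[^:]*://' \
               | tr 'A-F' 'a-f' | grep -oE '[0-9a-f]{128}' | head -n1)
    if [ "${#expected}" -ne 128 ]; then
        echo "no SHA-512 digest found in $sumfile" >&2
        return 1
    fi
    actual=$(sha512_of "$artifact")
    [ "$expected" = "$actual" ]
}

# Verify detached signature $2 over $1 using the keys in $3 only. Importing
# KEYS into a throw-away GNUPGHOME means a stray key in the user's own keyring
# can never satisfy the check. Returns 2 when gpg is not installed so the
# caller can tell "bad or missing signature" from "could not check".
verify_signature() {
    local artifact=$1 sigfile=$2 keysfile=$3 home status=1
    command -v gpg >/dev/null 2>&1 || return 2
    home=$(mktemp -d)
    if gpg --batch --quiet --homedir "$home" --import "$keysfile" >/dev/null 2>&1 \
       && gpg --batch --quiet --homedir "$home" --verify "$sigfile" "$artifact" >/dev/null 2>&1; then
        status=0
    fi
    rm -rf "$home"
    return $status
}

# Both checks together, as a downloader would run them. The checksum alone
# only proves the bytes match what the same mirror published; the signature
# is what ties them to a release manager's key listed in KEYS.
verify_release() {
    local artifact=$1 keysfile=$2 rc=0
    verify_checksum "$artifact" "$artifact.sha512" \
        || { echo "FAIL: checksum mismatch for $artifact" >&2; return 1; }
    verify_signature "$artifact" "$artifact.asc" "$keysfile" || rc=$?
    case $rc in
        0) echo "OK: $artifact checksum and signature verified" ;;
        2) echo "WARN: checksum OK but gpg not installed, signature unchecked" >&2 ;;
        *) echo "FAIL: bad or missing signature for $artifact" >&2 ;;
    esac
    return $rc
}

# Usage: ./verify-release.sh apache-foo-1.2.3-bin.tar.gz KEYS
# (expects apache-foo-1.2.3-bin.tar.gz.sha512 and .asc alongside it)
if [ $# -ge 2 ]; then
    verify_release "$1" "$2"
fi
```

The point of the throw-away `--homedir` is that a signature is only as good as the set of keys you are willing to accept; fetching KEYS from the project's own site (not the mirror that served the artifact) and checking against nothing else is what turns a signature into evidence. Note that the checksum file alone adds nothing if it is fetched from the same mirror as the artifact.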