Re: status of PGP support in Maven

Fri, 03 Oct 2008 13:54:22 -0700 

On Fri, Oct 3, 2008 at 8:50 AM, Noel J. Bergman <[EMAIL PROTECTED]> wrote:
> Moved to the thread it belongs in ...
>
> Jason van Zyl wrote:
>> Noel J. Bergman wrote:
>> > Emmanuel Lecharny wrote:
>>>> Better a bad decision than no decision, otherwise, soon, nobody will
>>>> vote anymore...
>>> Not really.  Consider that there appears to be a clear consensus
>>> that if Maven were to fix the download situation, requiring that users
>>> approve the user of Incubator artifacts, rather than transparently use
>>> them,  many of the -1 would be +1.
>
>> That's unlikely to happen. We're not going to be implementing policy
>> enforcement for you.
>
> We don't need for you to implement any "policy" other than the requirement
> for users to approve authorized signing keys.  You simply need to implement
> artifact signing and mandatory authorization, which is why I've moved this
> to the thread Brett started for purposes of discussing signing.

I'm trying to understand why authorization should be mandatory? To my
knowledge, only some of the Linux package management tools (apt, port,
rpm, yum) verify signatures by default and in the event of failure,
they allow you to continue without the key verification.

Also, I've actually spoken to a number of folks about GPG verification
of artifacts over the last year and very few folks actually use this
today.

> Did you not see what just happened to Redhat with respect to Fedora?  They
> take artifact security seriously.  For a long time, it has appeared that
> Maven does not, but I am hopeful now that mandatory authorization will
> appear, so that I and others will not have to increase lobbying efforts to
> have the Maven repository closed, at least with respect to ASF projects.

Please explain what happened to RedHat with respect to Fedora. I'm not
familiar with the situation.

Bruce
-- 
perl -e 'print unpack("u30","D0G)[EMAIL 
PROTECTED]&5R\"F)R=6-E+G-N>61E<D\!G;6%I;\"YC;VT*"
);'

Apache ActiveMQ - http://activemq.org/
Apache Camel - http://activemq.org/camel/
Apache ServiceMix - http://servicemix.org/

Blog: http://bruceblog.org/

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to