On Nov 3, 2009, at 5:17 AM, Sean Owen wrote:
The core artifacts aren't signed, or are you referring to the ancillary artifacts like Hadoop stuff?
Any and all artifacts that we put up under our stuff are our artifacts and people need to be able to verify that what we put up is what we intended to put up.
In theory all the signs should have been signed, so if that didn't work, darn. It sure seems like it should, given that we added the GPG plugin. I am out of ideas.
The GPG plugin is not working on the artifacts produced by the deploy target for the dependencies.
If it's just that these ancillary artifacts aren't being signed, that's not great, but they have never been signed, and they are going away. I'm weighing that against increasing urgency to not be stuck in no-man's-land for release -- especially since, if I understand correctly, we have a release ready to go. As Ted says, the bar for 0.2 is low,
Unfortunately, when it comes to the legal bits, the bar is not low. It needs to be done right. I will likely hand-sign them today or tomorrow and then reopen the JIRA issue.
-Grant