On Wed, Apr 23, 2008 at 12:29 PM, Chad La Joie <[EMAIL PROTECTED]> wrote:
> I know about, and use, the plugin for creating PGP signatures of artifacts.
> Is there a mechanism to validate the signatures of incoming dependencies?

Not at present.  The first thing I'd like to see is a goal added to
the plugin that can check the signature for a single artifact.

Checking signatures as artifacts are proxied is also a good feature
for a repository manager.  I know we've talked about it for Archiva.

Do you have an opinion on where the signature file ought to come from?
I've collected two opinions, one that the signature should only be
downloaded from a trusted source (even if the artifact comes from a
mirror), and the other that it doesn't matter because you'd use the
web of trust built up by cross-signed keys to determine whether or not
to accept the artifact.

-- 
Wendy
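The single-artifact check and the "signature from a trusted source, artifact from any mirror" policy discussed above, as an added example that is not part of the original thread or of the Maven GPG plugin or Archiva. It assumes a vetted keyring file, a space-separated allowlist of signing-key fingerprints, and placeholder repository hostnames; the Maven coordinates and fingerprints used are constructed values.

```shell
#!/bin/sh
# Added example (not from the original thread): verify the detached PGP
# signature of one Maven artifact. The artifact may be fetched from a mirror,
# but the .asc is always fetched from the trusted repository, and only keys
# whose fingerprints are explicitly allowlisted are accepted. Hostnames,
# keyring path and fingerprints below are assumptions/placeholders.
set -eu

TRUSTED_REPO="https://repo.example.org/maven2"    # assumed: source of .asc files
MIRROR_REPO="https://mirror.example.net/maven2"   # assumed: source of the artifact
KEYRING="${KEYRING:-./trusted-keys.gpg}"          # assumed: keyring of vetted public keys
ALLOWED_FPRS="${ALLOWED_FPRS:-}"                  # space-separated 40-hex fingerprints (placeholder)

# Map groupId:artifactId:version[:packaging] to the repository-layout path,
# e.g. org.example:lib:1.2 -> org/example/lib/1.2/lib-1.2.jar
artifact_path() {
    coords=$1
    group=$(printf '%s' "$coords" | cut -d: -f1 | tr . /)
    artifact=$(printf '%s' "$coords" | cut -d: -f2)
    version=$(printf '%s' "$coords" | cut -d: -f3)
    packaging=$(printf '%s' "$coords" | cut -d: -f4)
    [ -n "$packaging" ] || packaging=jar
    printf '%s/%s/%s/%s-%s.%s\n' "$group" "$artifact" "$version" "$artifact" "$version" "$packaging"
}

# The artifact itself may come from the mirror ...
artifact_url() { printf '%s/%s\n' "$MIRROR_REPO" "$(artifact_path "$1")"; }
# ... but the detached signature is only ever taken from the trusted repository.
signature_url() { printf '%s/%s.asc\n' "$TRUSTED_REPO" "$(artifact_path "$1")"; }

# Succeed only if the fingerprint is on the allowlist (case-insensitive compare).
fingerprint_allowed() {
    fpr=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    for allowed in $ALLOWED_FPRS; do
        [ "$(printf '%s' "$allowed" | tr 'a-f' 'A-F')" = "$fpr" ] && return 0
    done
    return 1
}

# Read gpg --status-fd output on stdin and print the fingerprint from the
# VALIDSIG line; prints nothing if no valid signature was reported.
validsig_fingerprint() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# End-to-end check for one artifact. Needs curl and gpg; non-zero on any failure.
verify_artifact() {
    coords=$1
    workdir=$(mktemp -d)
    file="$workdir/$(basename "$(artifact_path "$coords")")"
    curl -fsSL -o "$file" "$(artifact_url "$coords")"
    curl -fsSL -o "$file.asc" "$(signature_url "$coords")"
    # Only keys already present in the vetted keyring can yield a VALIDSIG line;
    # --status-fd gives a machine-readable result that does not depend on locale.
    status=$(gpg --batch --no-default-keyring --keyring "$KEYRING" \
                 --status-fd 1 --verify "$file.asc" "$file" 2>/dev/null) || {
        echo "BAD SIGNATURE for $coords" >&2; rm -rf "$workdir"; return 1; }
    fpr=$(printf '%s\n' "$status" | validsig_fingerprint)
    rm -rf "$workdir"
    if [ -n "$fpr" ] && fingerprint_allowed "$fpr"; then
        echo "OK $coords signed by $fpr"
    else
        echo "REJECTED $coords: signing key ${fpr:-unknown} not on allowlist" >&2
        return 1
    fi
}
# Usage (requires network, curl and gpg):
#   ALLOWED_FPRS="<fingerprint>" KEYRING=./trusted-keys.gpg sh verify.sh && verify_artifact org.example:lib:1.2
```

Pinning the fingerprint allowlist, rather than trusting whatever key gpg can find, is what makes the "signature from a trusted source" policy meaningful: a mirror that serves both a tampered jar and a matching .asc made with an attacker-controlled key still fails, because the .asc is not fetched from the mirror and the key is not on the list.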
