Thanks Brett, this was the info I was looking for.
The repo security work looks like it's a ways out. Would you be
amenable to a patch to the DefaultWagonManager that did PGP signature
validation? My current thinking would be to base the code on the
bouncycastle PGP support (so that PGP isn't required to be installed on
the system) and offer a set of maven config properties for locating the
keyring, whether the signature is required, etc. Famous last words, but
it doesn't seem like it should be too difficult, looking at the existing
code.
Brett Porter wrote:
You might be interested in the work linked from this page:
http://docs.codehaus.org/display/MAVEN/Repository+Security
It would certainly be a useful addition to add a preliminary check
mojo to the existing gpg plugin as well.
The code you are referring to is the DefaultWagonManager in
maven-artifact (maven-artifact-manager in 2.0.x).
--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
[EMAIL PROTECTED], http://www.switch.ch