On 29 Jul 2014, at 12:14 pm, Mark Derricutt <[email protected]> wrote:
> Hey all,
>
> Just been reading [1] after it was mentioned in both #scala and #clojure on
> irc.freenode.org now, is there anything that can be done to alleviate some of
> these issues?
>
> oss.sonatype.org now requires everything to be GPG signed before being
> uploaded to central, but I'm not sure about any of the other means of getting
> artifacts uploaded.
>
> Are there any plugins out there to verify GPG signings of dependencies?

If anyone is interested in picking up work on this, I pulled some things together some years ago:

http://docs.codehaus.org/display/MAVEN/Repository+Security

There was a working prototype against Maven 2, but for various reasons didn't get further than that.

- Brett
