On 9/14/06, Hiram Chirino <[EMAIL PROTECTED]> wrote:
On 9/14/06, robert burrell donkin <[EMAIL PROTECTED]> wrote: > On 9/14/06, Hiram Chirino <[EMAIL PROTECTED]> wrote:
<snip>
> a few notes: > > the MANIFEST files are probably not compliant with the Sun standards. > would be better with Extension-Name, Specification-Title, > Specification-Vendor, Specification-Version, Implementation-Vendor-Id, > Implementation-Title, Implementation-Vendor and > Implementation-Version. choice of artifactId name is a little > unintuitive (but i suspect that there may be reasons for this). > Maven is generating our MANIFEST for us.. I'll have to do a little digging into this.
MANIFESTs are a thorny subject: lots of specs which taken interpretation. sadly compliance in this area by maven is weak. http://jakarta.apache.org/commons/releases/prepare.html#checkjarmanifest may be of use.
> remember that you'll need to create signatures before uploading. > AFAIK, projects only sign distributions.
true but jars are distributions too. policy applies equally to all distributions
If this was not the case then every artifact in the maven repo would need to be signed and that seems like a bit of overkill.
the policy is clear - they must be signed. this might seem like overkill until you consider the cost to your personal reputation if an unsigned jar is substituted by malware. signing by release managers is an easy and effective protection which is why infrastructure insists upon it. in the (hopefully unlikely) event of a compromise, it is much easier and quicker for a release manager to verify that the signature is still valid than to recut the release.
This is not a distribution but just a set of jars that our main distribution will depend on.
-1 every distributed artifact must be signed. jars are distributions. they must be signed. - robert --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
