On Sat, May 31, 2008 at 3:42 AM, Brett Porter <[EMAIL PROTECTED]> wrote:
> 2008/5/31 Brian E. Fox <[EMAIL PROTECTED]>:
>> Can you elaborate more on what you mean here? I've been on the Maven PMC
>> for over a year now and this is the first I've heard of it.
>>
>> We do support signing of artifacts and all the Maven releases are
>> signed. We obviously don't control all the other Apache projects in a
>> way to enforce that they sign their artifacts.
>
> Noel is referring to enforcing checking signatures, not signing them.
> I've had a proposal out there for some time which anyone is free to
> comment on: http://docs.codehaus.org/display/MAVEN/Repository+Security
>
> There hasn't been a lot of traction behind it so far. Ease of use,
> especially OOTB, is probably one of the main concerns.
IMO this isn't really a Maven issue: basic checks should be performed on all releases. I favour a private Subversion repository with custom hooks for release publishing.

- robert
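To make concrete the distinction Brett draws above (enforcing that signatures are checked, not merely that releases are signed), here is a small verifier added to this page; it is not code from the thread, from Maven or from the proposal linked above. It checks a downloaded artifact against its `.sha1` sidecar and against its detached `.asc` signature, and accepts the signature only if it was made by one of a set of key fingerprints the caller pins in advance. The sample artifact bytes and sidecar text are constructed for the example; the signature check shells out to `gpg --batch --status-fd 1 --verify` and parses the `VALIDSIG` status line.

```python
import hashlib
import hmac
import subprocess
from pathlib import Path
from typing import Iterable

# Constructed sample data (made up for this example): artifact bytes and the
# kind of ".sha1" sidecar a Maven repository publishes beside the artifact.
SAMPLE_ARTIFACT = b"PK\x03\x04 constructed jar bytes for the example\n"
SAMPLE_SHA1_SIDECAR = hashlib.sha1(SAMPLE_ARTIFACT).hexdigest() + "  example-1.0.jar\n"


def parse_checksum_sidecar(text: str, algorithm: str) -> str:
    """Extract the hex digest from a checksum sidecar file.

    Repositories have published several layouts: the bare digest,
    'digest  filename' and 'digest *filename'. The digest is always the
    first token, so take that, normalise case and reject anything that is
    not hex of the length the algorithm produces.
    """
    tokens = text.split()
    if not tokens:
        raise ValueError("empty checksum file")
    digest = tokens[0].lower()
    expected_len = hashlib.new(algorithm).digest_size * 2
    if len(digest) != expected_len or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"malformed {algorithm} digest: {tokens[0]!r}")
    return digest


def verify_checksum(artifact: bytes, sidecar_text: str, algorithm: str = "sha1") -> bool:
    """True if the artifact matches its checksum sidecar.

    This only detects corruption or a mismatched download: the sidecar is
    served from the same place as the artifact, so whoever can replace one
    can replace the other. Authenticity needs the PGP signature check below.
    """
    expected = parse_checksum_sidecar(sidecar_text, algorithm)
    actual = hashlib.new(algorithm, artifact).hexdigest()
    return hmac.compare_digest(expected, actual)


def verify_pgp_signature(artifact_path: Path, signature_path: Path,
                         trusted_fingerprints: Iterable[str]) -> bool:
    """True if the detached .asc signature is valid and made by a pinned key.

    Runs gpg with --status-fd so the result is read from machine-readable
    status lines rather than from the human-oriented stderr text. A good
    signature from an unknown key is rejected: fingerprints must come from
    an out-of-band source (e.g. the project's KEYS file fetched over a
    trusted channel), not from the repository being verified.
    """
    trusted = {fp.replace(" ", "").upper() for fp in trusted_fingerprints}
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify",
         str(signature_path), str(artifact_path)],
        capture_output=True, text=True, check=False,
    )
    for line in proc.stdout.splitlines():
        fields = line.split()
        # "[GNUPG:] VALIDSIG <fingerprint> ..." is emitted only for a
        # cryptographically valid signature; field 2 is the signing key.
        if len(fields) >= 3 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            return fields[2].upper() in trusted
    return False


if __name__ == "__main__":
    print("checksum ok:", verify_checksum(SAMPLE_ARTIFACT, SAMPLE_SHA1_SIDECAR))
    print("tampered ok:", verify_checksum(SAMPLE_ARTIFACT + b"\x00", SAMPLE_SHA1_SIDECAR))
```

A release-publishing hook of the kind robert suggests would run both checks and refuse to publish when either fails; on the consumer side, the same two functions are what an "enforce verification" switch in a build tool would call before an artifact is admitted to the local repository.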
