I thought this thread started with the idea: if maven would be able to validate signatures, we could use this feature to inform someone that he is using incubator artefacts. I thought the idea that launched this thread was to have a unique key for the incubator that the user has to trust if he wants to use incubator artefacts.
My question was in that context.

2008/6/2 Noel J. Bergman <[EMAIL PROTECTED]>:
> Gilles Scokart wrote:
>
>> Noel J. Bergman:
>> > Implement that, and we're fine. We will
>> > require Incubator artifacts to be signed by a designated key available to
>> > the PMC, and once a user has acknowledged that they accept such Incubator
>> > signed artifacts, maven can do what it wants with them.
>>
>> --- Noel
>
>> Is that really possible?
>
> Very.
>
>> I remember some discussion on the infra list about an ASF wide signature.
>> And the conclusion was always the same: how to secure a key that can be
>> used by so many people. If I remember well, some solutions were proposed,
>> but they were quite heavy. Do we have a solution for that?
>
> There are various things that can be done with respect to key management.
> Personally, I would not go with a single key. But maven ought to maintain a
> trust file, with options to accept files that are signed with a trusted key,
> or signed by a key that is signed by a trusted key, etc. The first thing
> that has to happen is for the Maven PMC to make security a priority.
>
> --- Noel

--
Gilles Scokart
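The trust-file model Noel describes above (accept an artifact signed by an acknowledged key, or by a key that an acknowledged key has certified, with a bound on chain length), as an added example that is not part of this thread or of Maven's code. It assumes Ed25519 keys in place of the PGP keys Maven artifacts actually use, and the TrustStore and Certification layouts are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Certification: Signer vouched for Subject's key (the thread's
// "signed by a key that is signed by a trusted key" case).
type Certification struct {
	Subject ed25519.PublicKey
	Signer  ed25519.PublicKey
	Sig     []byte // Signer's signature over Subject's raw key bytes
}
// TrustStore models the trust file the thread proposes (hypothetical layout).
type TrustStore struct {
	Trusted  []ed25519.PublicKey // keys the user explicitly acknowledged
	Certs    []Certification
	MaxDepth int // certification hops allowed; 0 = direct trust only
}
// IsTrusted reports whether key is acknowledged directly, or reachable from
// an acknowledged key through at most MaxDepth valid certifications.
func (ts *TrustStore) IsTrusted(key ed25519.PublicKey, depth int) bool {
	for _, t := range ts.Trusted {
		if t.Equal(key) {
			return true
		}
	}
	if depth >= ts.MaxDepth {
		return false // chain too long; this also stops cycles among Certs
	}
	for _, c := range ts.Certs {
		if c.Subject.Equal(key) && ed25519.Verify(c.Signer, c.Subject, c.Sig) &&
			ts.IsTrusted(c.Signer, depth+1) {
			return true
		}
	}
	return false
}

// VerifyArtifact accepts the artifact only if sig is valid under key AND key is trusted.
func (ts *TrustStore) VerifyArtifact(artifact, sig []byte, key ed25519.PublicKey) bool {
	return ed25519.Verify(key, artifact, sig) && ts.IsTrusted(key, 0)
}
// GenerateKeyPair makes a fresh Ed25519 key pair (stands in for a real PGP key).
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}
```

A valid signature from a key outside the trust file, a tampered artifact, or a chain longer than MaxDepth are all rejected; only the acknowledged key and keys it certified are accepted.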
