[
http://jira.codehaus.org/browse/MEV-653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=214259#action_214259
]
Wendy Smoak commented on MEV-653:
---------------------------------
Thanks for volunteering to do this, Dennis. My thoughts:
3. I don't think a vote is necessary, we already voted on the artifacts and
you are not changing them
5. The .asc.md5 and .asc.sha1 files can be removed, they are not necessary.
If they can't easily be removed, then they'll need to be replaced so they match
the new .asc file
> Invalid signatures at central
> -----------------------------
>
> Key: MEV-653
> URL: http://jira.codehaus.org/browse/MEV-653
> Project: Maven Evangelism
> Issue Type: Bug
> Reporter: Anders Hammar
> Assignee: Dennis Lundberg
>
> The signatures for these poms are invalid. This causes issues when setting up
> environments that verify the signatures and is not good as all Apache
> artifacts is supposed to be signed as I understand it. This pom is used as a
> parent by some artifacts which many Maven plugins use. Here's an example:
> maven-compiler-plugin:2.1 depends on maven-toolchain:1.0 which has
> maven:2.0.6 as parent.
> I asked Jason van Zyl about this as it is (supposedly) he who signed and he
> says he lost that key and revoked it. Hence the signature should fail.
> However, the weird thing is that org.apache.maven:maven-script:2.0.6 was
> signed with the same key about the same time (part of the same release?) and
> that signature is reported ok.
> I'd happily work with you to solve this. There are possibly more artifacts
> with invalid signatures. However, I have to admit that I am no pgp expert.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
