[http://jira.codehaus.org/browse/MEV-653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=218512#action_218512]
Dennis Lundberg commented on MEV-653:
-------------------------------------
Before I proceed to upload new signatures I'd like some feedback on what you
think is OK to do.
Here are my findings for the artifacts mentioned in this issue.
*checksums*
All checksums are correct. The checksums for maven-2.0.6 root POM are in a
different format than all the others.
*maven 2.0.7*
Root POM has bad signature
POM in SVN identical to POM in Central
*maven 2.0.6*
Root POM has bad signature
POM in SVN identical to POM in Central
*maven 2.0.5*
All POMs have bad signatures
POMs in SVN differ from POMs in Central:
* license removed
* XML namespace removed
* elements are reordered
* <distributionManagement>/<status>deployed added
* ${project.*} properties in <distributionManagement>/<site>/<url> were expanded
* <version> added
*maven-archiver 2.2*
POM has bad signature
POM in SVN differs from POM in Central:
* XML namespace removed
* elements are reordered
* <distributionManagement>/<status>deployed added
*Suggested Actions*
* maven-2.0.6 and maven-2.0.7 - create new sigs and upload them
* maven-archiver-2.2 - the changes are small and harmless, create new sigs and
upload them
* maven-2.0.5 - tricky because there are quite a lot of changes made
> Invalid signatures at central
> -----------------------------
>
> Key: MEV-653
> URL: http://jira.codehaus.org/browse/MEV-653
> Project: Maven Evangelism
> Issue Type: Bug
> Reporter: Anders Hammar
> Assignee: Dennis Lundberg
>
> The signatures for these poms are invalid. This causes issues when setting up
> environments that verify the signatures and is not good as all Apache
> artifacts are supposed to be signed as I understand it. This pom is used as a
> parent by some artifacts which many Maven plugins use. Here's an example:
> maven-compiler-plugin:2.1 depends on maven-toolchain:1.0 which has
> maven:2.0.6 as parent.
> I asked Jason van Zyl about this as it is (supposedly) he who signed and he
> says he lost that key and revoked it. Hence the signature should fail.
> However, the weird thing is that org.apache.maven:maven-script:2.0.6 was
> signed with the same key about the same time (part of the same release?) and
> that signature is reported ok.
> I'd happily work with you to solve this. There are possibly more artifacts
> with invalid signatures. However, I have to admit that I am no pgp expert.
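The comment above reports that every checksum verified but that the checksum for the maven-2.0.6 root POM was written in a different layout from the rest, and that the bad signatures for 2.0.5 and maven-archiver 2.2 line up with POMs whose bytes in Central differ from SVN (namespace removed, elements reordered). The following is an added example, not code from this thread or from the Maven project: a small Python checksum verifier that accepts the sidecar layouts found on Central (a bare hex digest, or the sha1sum/md5sum style `<hex>  <file>` / `<hex> *<file>`), and a constructed pair of POMs that shows how stripping only the XML namespace is enough to break a digest computed over the original bytes. The POM contents, file names and the `make_checksum_file` helper are constructed for illustration.

```python
"""Checksum verification for Maven Central sidecar files (.sha1 / .md5).

Added example, not code from the MEV-653 thread or the Maven project.
Central checksum files come in more than one layout, so the parser accepts
a bare hex digest (any case, any line ending) as well as the coreutils
style "<hex>  <filename>" and "<hex> *<filename>". Sample inputs below are
constructed inline so the module runs offline.
"""
import hashlib
import re

# Constructed sample POM bytes standing in for maven-2.0.6.pom as served by Central.
POM_CENTRAL = (
    b'<project xmlns="http://maven.apache.org/POM/4.0.0">\n'
    b"  <groupId>org.apache.maven</groupId>\n"
    b"  <artifactId>maven</artifactId>\n"
    b"  <version>2.0.6</version>\n"
    b"</project>\n"
)

# The same POM with only the XML namespace removed, mirroring one of the
# SVN-vs-Central differences listed in the comment. A checksum (or a detached
# PGP signature) is computed over exact bytes, so this copy must fail to match.
POM_SVN = POM_CENTRAL.replace(b' xmlns="http://maven.apache.org/POM/4.0.0"', b"")


def parse_checksum_file(text, algo="sha1"):
    """Return the lowercase hex digest stored in a Maven checksum file.

    The digest length is derived from the algorithm so that, for example, an
    MD5 digest placed in a .sha1 file is rejected instead of silently accepted.
    """
    want = hashlib.new(algo).digest_size * 2
    match = re.search(r"\b[0-9a-fA-F]{%d}\b" % want, text)
    if match is None:
        raise ValueError("no %d-char hex digest found for %s in %r" % (want, algo, text))
    return match.group(0).lower()


def verify_checksum(data, checksum_text, algo="sha1"):
    """True if `data` hashes to the digest recorded in `checksum_text`."""
    expected = parse_checksum_file(checksum_text, algo)
    actual = hashlib.new(algo, data).hexdigest()
    return actual == expected


def make_checksum_file(data, algo="sha1", style="bare", filename="artifact.pom"):
    """Produce a sidecar file in one of the layouts seen on Central (constructed helper)."""
    digest = hashlib.new(algo, data).hexdigest()
    if style == "bare":
        return digest + "\n"
    if style == "coreutils":
        return "%s  %s\n" % (digest, filename)
    if style == "binary":
        return "%s *%s\n" % (digest, filename)
    raise ValueError("unknown checksum layout: %r" % style)


if __name__ == "__main__":
    for style in ("bare", "coreutils", "binary"):
        sidecar = make_checksum_file(POM_CENTRAL, "sha1", style, "maven-2.0.6.pom")
        print("%-9s central=%s svn=%s" % (
            style,
            verify_checksum(POM_CENTRAL, sidecar),
            verify_checksum(POM_SVN, sidecar),
        ))
```

A matching checksum only proves the download is the file Central holds; it says nothing about who published it. The signature question in this issue still needs `gpg --verify` of the `.asc` against the artifact bytes, and the same byte-exactness applies there: a POM re-serialized with a namespace dropped or elements reordered will fail verification even when the signing key is valid, which is why the comment separates "bad signature, POM identical to SVN" from "bad signature, POM differs from SVN".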