On Thu, May 19, 2016 at 2:43 AM Stian Soiland-Reyes
wrote:
> In principle +1, a PGP signature based on sha1 is not cryptographically
> strong.
>
> Obviously blindly checking a PGP signature, even after importing the KEYS
> from https://www.apache.org/dist, that is also not any proof you got the
>
+0 on my side. Seems a good thing, but I may not master all the aspects.
Martin
On 18/05/16 at 13:45, Christopher wrote:
> Hi all,
>
> I'm not sure a better list to get feedback on, but I wanted to bring
> attention to the proposal here:
> https://issues.apache.org/jira/browse/MPOM-118
>
>
+1
On Wed, May 18, 2016 at 7:45 PM, Christopher wrote:
> Hi all,
>
> I'm not sure a better list to get feedback on, but I wanted to bring
> attention to the proposal here:
> https://issues.apache.org/jira/browse/MPOM-118
>
> Essentially this is a suggestion to configure the maven-gpg-plugin to s
In principle +1, a PGP signature based on sha1 is not cryptographically
strong.
Obviously blindly checking a PGP signature, even after importing the KEYS
from https://www.apache.org/dist, that is also not any proof you got the
intended release, just an artifact by someone who previously signed som
Yes, that is correct. I'm referring to the ASF-wide parent pom.
If I understand the situation correctly, releases of that POM are managed
by the Maven PMC, but because of its utility throughout the ASF, Hervé
Boutemy had commented on MPOM-118 that it should be brought to the
attention of a larger
Whoops. Sorry about that.
Greg
> On May 18, 2016, at 2:50 PM, Benson Margulies wrote:
>
> Greg, the proposal is for the _Default ASF POM_ to be set up so that
> _all_ projects would use SHA-512. This is not a question for the Maven
> PMC.
>
> On Wed, May 18, 2016 at 1:58 PM, Greg Trasuk wrot
On 18/05/16 18:58, Greg Trasuk wrote:
Hi Christopher:
Thanks for your involvement. Apache Maven is one of many projects at the
Apache Software Foundation. Each project has its own mailing lists. So your
discussion should probably go to d...@maven.apache.org, which I’ve cc’d on this
respon
Greg, the proposal is for the _Default ASF POM_ to be set up so that
_all_ projects would use SHA-512. This is not a question for the Maven
PMC.
On Wed, May 18, 2016 at 1:58 PM, Greg Trasuk wrote:
>
> Hi Christopher:
>
> Thanks for your involvement. Apache Maven is one of many projects at the
>
Hi Christopher:
Thanks for your involvement. Apache Maven is one of many projects at the
Apache Software Foundation. Each project has its own mailing lists. So your
discussion should probably go to d...@maven.apache.org, which I’ve cc’d on this
response. If you’re not subscribed to that li
Hi all,
I'm not sure a better list to get feedback on, but I wanted to bring
attention to the proposal here:
https://issues.apache.org/jira/browse/MPOM-118
Essentially this is a suggestion to configure the maven-gpg-plugin to sign
using SHA512 as its digest algorithm in the ASF Parent POM, used b