On 7/23/08, Jason van Zyl <[EMAIL PROTECTED]> wrote:
>
> On 22-Jul-08, at 8:55 PM, Brett Porter wrote:
>
>>
>> On 23/07/2008, at 4:23 AM, Robert Burrell Donkin wrote:
>>
>>> On Fri, Jul 11, 2008 at 5:42 PM, Brett Porter <[EMAIL PROTECTED]>
>>> wrote:
Hi,
I've wanted to pick up my wor
I personally wouldn't feel comfortable with Maven auto-fetching keys,
unless it's working in a web-of-trust mode. How would I verify that the
keys were any good otherwise? It's pretty likely that any compromise
that allowed someone to place a rogue artifact could also add their key
in to the
On 7/23/08, Brett Porter <[EMAIL PROTECTED]> wrote:
>
> On 23/07/2008, at 4:23 AM, Robert Burrell Donkin wrote:
>
>> On Fri, Jul 11, 2008 at 5:42 PM, Brett Porter <[EMAIL PROTECTED]>
>> wrote:
>>> Hi,
>>>
>>> I've wanted to pick up my work on this for some time and was
>>> prodded by the
>>> [EMAIL
On 22-Jul-08, at 8:55 PM, Brett Porter wrote:
On 23/07/2008, at 4:23 AM, Robert Burrell Donkin wrote:
On Fri, Jul 11, 2008 at 5:42 PM, Brett Porter <[EMAIL PROTECTED]>
wrote:
Hi,
I've wanted to pick up my work on this for some time and was
prodded by the
[EMAIL PROTECTED] threads to ta
On 23/07/2008, at 4:23 AM, Robert Burrell Donkin wrote:
On Fri, Jul 11, 2008 at 5:42 PM, Brett Porter <[EMAIL PROTECTED]>
wrote:
Hi,
I've wanted to pick up my work on this for some time and was
prodded by the
[EMAIL PROTECTED] threads to take another crack at this.
http://docs.codehaus.o
On Fri, Jul 11, 2008 at 5:42 PM, Brett Porter <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I've wanted to pick up my work on this for some time and was prodded by the
> [EMAIL PROTECTED] threads to take another crack at this.
>
> http://docs.codehaus.org/display/MAVEN/Repository+Security (the issue and
> r
On 17-Jul-08, at 3:35 AM, Brett Porter wrote:
I've checked in my work so far on this. It's a pretty small and
straightforward set of changes and it works for a project using
signed artifacts and plugins. Of course, it gets very unhappy about
the distinct lack of signatures in central on mo
I've checked in my work so far on this. It's a pretty small and
straightforward set of changes and it works for a project using signed
artifacts and plugins. Of course, it gets very unhappy about the
distinct lack of signatures in central on most projects.
I am going to look at creating a s
I see where you were coming from with the lifecycle now.
Do you also need to verify them as part of the build process, or only
out of the repository itself?
Cheers,
Brett
On 12/07/2008, at 8:28 AM, Christian Edward Gruber wrote:
Nope. I'd have to check, but they're signatures which are th
On 12/07/2008, at 3:11 AM, David Jencks wrote:
On Jul 11, 2008, at 9:42 AM, Brett Porter wrote:
Hi,
I've wanted to pick up my work on this for some time and was
prodded by the [EMAIL PROTECTED] threads to take another crack at
this.
http://docs.codehaus.org/display/MAVEN/Repository+Se
ruber [mailto:[EMAIL PROTECTED]
Sent: Friday, July 11, 2008 1:24 PM
To: Maven Developers List
Subject: Re: artifact signing feature branches
Incidentally, I presume that there is a provider for PGP that could be
replaced by an alternate signing system if a provider were written for
it? I didn
Christian, what kind of files are produced with the sig? Are they still
.asc?
-Original Message-
From: Christian Edward Gruber [mailto:[EMAIL PROTECTED]
Sent: Friday, July 11, 2008 1:24 PM
To: Maven Developers List
Subject: Re: artifact signing feature branches
Incidentally, I presume
Incidentally, I presume that there is a provider for PGP that could be
replaced by an alternate signing system if a provider were written for
it? I didn't see it in the wiki, but I have a client with an industry-
imposed signing regime that I don't think is based in PGP or md5/shaXXX.
Chris
On Jul 11, 2008, at 9:42 AM, Brett Porter wrote:
Hi,
I've wanted to pick up my work on this for some time and was prodded
by the [EMAIL PROTECTED] threads to take another crack at this.
http://docs.codehaus.org/display/MAVEN/Repository+Security (the
issue and related branches are linked)
Fair enough, though I think pre and post implicit phases for many of
the "normal" phases isn't bloat, since it's a regular pattern.
Having said that, one is free to design a custom lifecycle for a
custom type, so I guess it's not that big a deal, and there's
deterministic order of execution
The current signing mechanism actually works quite well and I had no
intention of changing that at this stage. I haven't seen any issues
with this, and adding such fine grained lifecycle stages would soon
get out of control (and frequent arguments as to the correct order).
If it were to be
Can I suggest that a phase in the default lifecycle be added after
packaging for signing (somewhere). It can have no default binding
plugin (such as integration-test) but if it's there, it's easier to
hook in things at the correct time.
Or a pre-package and post-package phase which would a
Hi,
I've wanted to pick up my work on this for some time and was prodded
by the [EMAIL PROTECTED] threads to take another crack at this.
http://docs.codehaus.org/display/MAVEN/Repository+Security (the issue
and related branches are linked)
I've created a couple of branches to try integrat