15 Aug
2011
15 Aug
'11
5:19 p.m.
Hi,
I think we should start signing our artifacts using PGP as explained here:
https://docs.sonatype.org/display/Repository/How+To+Generate+PGP+Signatures…
Here's my +1
Thanks
-Vincent
PS: I we agree I can commit the changes required to our top level POM to implement this (I
have them locally already)
15 Aug
15 Aug
5:42 p.m.
On 08/15/2011 11:19 AM, Vincent Massol wrote:
Hi,
I think we should start signing our artifacts using PGP as explained here:
https://docs.sonatype.org/display/Repository/How+To+Generate+PGP+Signatures…
Here's my +1
+1.
Do we use only one key, installed on the release machine? It should be
protected by a strong passphrase.
Thanks
-Vincent
PS: I we agree I can commit the changes required to our top level POM to implement this
(I have them locally already)
PS2: When's the release user ready on one of the new agents?
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
5:50 p.m.
On Aug 15, 2011, at 5:42 PM, Sergiu Dumitriu wrote:
When someone creates it I guess. You could request that on the infra@ list.
Thanks
-Vincent
On 08/15/2011 11:19 AM, Vincent Massol wrote:
IMO every release manager should use his own key for better tracability.
Hi,
I think we should start signing our artifacts using PGP as explained here:
https://docs.sonatype.org/display/Repository/How+To+Generate+PGP+Signatures…
Here's my +1
+1.
Do we use only one key, installed on the release machine? It should be
protected by a strong passphrase.
Thanks
-Vincent
PS: I we agree I can commit the changes required to our top level POM to implement this
(I have them locally already)
PS2: When's the release user ready on one of the new agents? 
6:14 p.m.
On 15.08.2011 17:50, Vincent Massol wrote:
When someone creates it I guess. You could request that on the infra@ list.
Thanks
-Vincent
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
On Aug 15, 2011, at 5:42 PM, Sergiu Dumitriu wrote:
+1
Alex
On 08/15/2011 11:19 AM, Vincent Massol wrote:
IMO every release manager should use his own key for better tracability.
Hi,
I think we should start signing our artifacts using PGP as explained here:
https://docs.sonatype.org/display/Repository/How+To+Generate+PGP+Signatures…
Here's my +1
+1.
Do we use only one key, installed on the release machine? It should be
protected by a strong passphrase.
Thanks
-Vincent
PS: I we agree I can commit the changes required to our top level POM to implement this
(I have them locally already)
PS2: When's the release user ready on one of the new agents? 
6:49 p.m.
+1
On Mon, Aug 15, 2011 at 5:50 PM, Vincent Massol <vincent(a)massol.net> wrote:
On Aug 15, 2011, at 5:42 PM, Sergiu Dumitriu wrote:
When someone creates it I guess. You could request that on the infra@ list.
Thanks
-Vincent
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
--
Thomas Mortagne
On 08/15/2011 11:19 AM, Vincent Massol wrote:
IMO every release manager should use his own key for better tracability.
Hi,
I think we should start signing our artifacts using PGP as explained here:
https://docs.sonatype.org/display/Repository/How+To+Generate+PGP+Signatures…
Here's my +1
+1.
Do we use only one key, installed on the release machine? It should be
protected by a strong passphrase.
Thanks
-Vincent
PS: I we agree I can commit the changes required to our top level POM to implement this
(I have them locally already)
PS2: When's the release user ready on one of the new agents? 
6:04 p.m.
On 08/15/2011 11:42 AM, Sergiu Dumitriu wrote:
On 08/15/2011 11:19 AM, Vincent Massol wrote:
+1
I really don't like the "one key on the release box" idea.
IMO each release manager should sign with their key which ofc never leaves their own
computer.
Caleb
Hi,
I think we should start signing our artifacts using PGP as explained here:
https://docs.sonatype.org/display/Repository/How+To+Generate+PGP+Signatures…
Here's my +1
+1.
Do we use only one key, installed on the release machine? It should be
protected by a strong passphrase.
Thanks
-Vincent
PS: I we agree I can commit the changes required to our top level POM to implement this
(I have them locally already)
PS2: When's the release user ready on one of the new agents?
16 Aug
16 Aug
4:21 p.m.
Hi,
+1 for every release manager to have his own key.
Though I think that there should be an "XWiki.org" key that is kept
only by one person and that is used to sign the release managers keys.
In this way artifacts will be marked as released by somebody that is
also trusted by XWiki.org.
-Fabio
On Mon, Aug 15, 2011 at 6:04 PM, Caleb James DeLisle
<calebdelisle(a)lavabit.com> wrote:
On 08/15/2011 11:42 AM, Sergiu Dumitriu wrote:
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
On 08/15/2011 11:19 AM, Vincent Massol wrote:
+1
I really don't like the "one key on the release box" idea.
IMO each release manager should sign with their key which ofc never leaves their own
computer.
Caleb
Hi,
I think we should start signing our artifacts using PGP as explained here:
https://docs.sonatype.org/display/Repository/How+To+Generate+PGP+Signatures…
Here's my +1
+1.
Do we use only one key, installed on the release machine? It should be
protected by a strong passphrase.
Thanks
-Vincent
PS: I we agree I can commit the changes required to our top level POM to implement this
(I have them locally already)
PS2: When's the release user ready on one of the new agents?
4:31 p.m.
On 08/16/2011 10:21 AM, Fabio Mancinelli wrote:
Hi,
+1 for every release manager to have his own key.
Though I think that there should be an "XWiki.org" key that is kept
only by one person and that is used to sign the release managers keys.
In this way artifacts will be marked as released by somebody that is
also trusted by XWiki.org.
Yes, that's what I was thinking as well last night. And the XWiki.org
master key should be signed by a trusted authority.
-Fabio
On Mon, Aug 15, 2011 at 6:04 PM, Caleb James DeLisle
<calebdelisle(a)lavabit.com> wrote:
>
>
> On 08/15/2011 11:42 AM, Sergiu Dumitriu wrote:
>> On 08/15/2011 11:19 AM, Vincent Massol wrote:
>>> Hi,
>>>
>>> I think we should start signing our artifacts using PGP as explained here:
>>>
https://docs.sonatype.org/display/Repository/How+To+Generate+PGP+Signatures…
>>>
>>> Here's my +1
>>
>> +1.
>>
>> Do we use only one key, installed on the release machine? It should be
>> protected by a strong passphrase.
>
> +1
> I really don't like the "one key on the release box" idea.
> IMO each release manager should sign with their key which ofc never leaves their own
computer.
>
> Caleb
>
>>
>>>
>>> Thanks
>>> -Vincent
>>>
>>> PS: I we agree I can commit the changes required to our top level POM to
implement this (I have them locally already)
>>
>> PS2: When's the release user ready on one of the new agents?
>>
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
6:25 p.m.
On Tue, Aug 16, 2011 at 5:31 PM, Sergiu Dumitriu <sergiu(a)xwiki.com> wrote:
On 08/16/2011 10:21 AM, Fabio Mancinelli wrote:
+1
Thanks,
Marius
Hi,
+1 for every release manager to have his own key.
Though I think that there should be an "XWiki.org" key that is kept
only by one person and that is used to sign the release managers keys.
In this way artifacts will be marked as released by somebody that is
also trusted by XWiki.org.
Yes, that's what I was thinking as well last night. And the XWiki.org
master key should be signed by a trusted authority. -Fabio
On Mon, Aug 15, 2011 at 6:04 PM, Caleb James DeLisle
<calebdelisle(a)lavabit.com> wrote:
>
>
> On 08/15/2011 11:42 AM, Sergiu Dumitriu wrote:
>> On 08/15/2011 11:19 AM, Vincent Massol wrote:
>>> Hi,
>>>
>>> I think we should start signing our artifacts using PGP as explained here:
>>>
https://docs.sonatype.org/display/Repository/How+To+Generate+PGP+Signatures…
>>>
>>> Here's my +1
>>
>> +1.
>>
>> Do we use only one key, installed on the release machine? It should be
>> protected by a strong passphrase.
>
> +1
> I really don't like the "one key on the release box" idea.
> IMO each release manager should sign with their key which ofc never leaves their own
computer.
>
> Caleb
>
>>
>>>
>>> Thanks
>>> -Vincent
>>>
>>> PS: I we agree I can commit the changes required to our top level POM to
implement this (I have them locally already)
>>
>> PS2: When's the release user ready on one of the new agents?
>>
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
18 Aug
18 Aug
11:20 a.m.
On Tue, Aug 16, 2011 at 16:31, Sergiu Dumitriu <sergiu(a)xwiki.com> wrote:
--
Denis Gervalle
SOFTEC sa - CEO
eGuilde sarl - CTO
On 08/16/2011 10:21 AM, Fabio Mancinelli wrote:
+1
Denis
Hi,
+1 for every release manager to have his own key.
Though I think that there should be an "XWiki.org" key that is kept
only by one person and that is used to sign the release managers keys.
In this way artifacts will be marked as released by somebody that is
also trusted by XWiki.org.
Yes, that's what I was thinking as well last night. And the XWiki.org
master key should be signed by a trusted authority.
-Fabio
On Mon, Aug 15, 2011 at 6:04 PM, Caleb James DeLisle
<calebdelisle(a)lavabit.com> wrote:
>
>
> On 08/15/2011 11:42 AM, Sergiu Dumitriu wrote:
>> On 08/15/2011 11:19 AM, Vincent Massol wrote:
>>> Hi,
>>>
>>> I think we should start signing our artifacts using PGP as explained
here:
>>>
https://docs.sonatype.org/display/Repository/How+To+Generate+PGP+Signatures…
>>>
>>>> Here's my
+1
>>>
>>> +1.
>>>
>>> Do we use only one key, installed on the release machine? It should be
>>> protected by a strong passphrase.
>>
>> +1
>> I really don't like the "one key on the release box" idea.
>> IMO each release manager should sign with their key which ofc never
leaves their own computer.
>>
>> Caleb
>>
>>>
>>>
>>>> Thanks
>>>> -Vincent
>>>
>>>> PS: I we
agree I can commit the changes required to our top level POM
to implement this (I have them locally already)
>>
>> PS2: When's the release user ready on one of the new agents?
>>
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
22 Aug
22 Aug
6:30 p.m.
On 08/15/2011 12:04 PM, Caleb James DeLisle wrote:
On 08/15/2011 11:42 AM, Sergiu Dumitriu wrote:
The problem with this is that the GPG signing is supposed to happen
during mvn release:perform, which happens on the agent machine.
There are two options:
- temporarily install the personal private key on the server
- release from the local computer
Is there a way to tunnel the GPG signing to the local computer?
On 08/15/2011 11:19 AM, Vincent Massol wrote:
+1
I really don't like the "one key on the release box" idea.
IMO each release manager should sign with their key which ofc never leaves their own
computer.
Hi,
I think we should start signing our artifacts using PGP as explained here:
https://docs.sonatype.org/display/Repository/How+To+Generate+PGP+Signatures…
Here's my +1
+1.
Do we use only one key, installed on the release machine? It should be
protected by a strong passphrase.
>
>>
>> Thanks
>> -Vincent
>>
>> PS: I we agree I can commit the changes required to our top level POM to
implement this (I have them locally already)
>
> PS2: When's the release user ready on one of the new agents?
>
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
23 Aug
23 Aug
2:18 a.m.
On Mon, Aug 22, 2011 at 12:30 PM, Sergiu Dumitriu <sergiu(a)xwiki.com> wrote:
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
On 08/15/2011 12:04 PM, Caleb James DeLisle wrote:
Found this:
http://lists.gnupg.org/pipermail/gnupg-users/2010-July/039112.html
On 08/15/2011 11:42 AM, Sergiu Dumitriu wrote:
The problem with this is that the GPG signing is supposed to happen during
mvn release:perform, which happens on the agent machine.
There are two options:
- temporarily install the personal private key on the server
- release from the local computer
Is there a way to tunnel the GPG signing to the local computer?
On 08/15/2011 11:19 AM, Vincent Massol wrote:
+1
I really don't like the "one key on the release box" idea.
IMO each release manager should sign with their key which ofc never leaves
their own computer.
Hi,
I think we should start signing our artifacts using PGP as explained
here:
https://docs.sonatype.org/**display/Repository/How+To+**
Generate+PGP+Signatures+With+**Maven<https://docs.sonatype.org/display/R…
Here's my +1
+1.
Do we use only one key, installed on the release machine? It should be
protected by a strong passphrase.
>
>> Thanks
>> -Vincent
>>
>> PS: I we agree I can commit the changes required to our top level POM to
>> implement this (I have them locally already)
>>
>
> PS2: When's the release user ready on one of the new agents?
>
>
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
15 Aug
15 Aug
6:53 p.m.
Note that I forgot to mention it but signing artifacts is a preprequisites for being able
to push xwiki artifacts to Maven Central too.
Thanks
-Vincent
On Aug 15, 2011, at 5:19 PM, Vincent Massol wrote:
Hi,
I think we should start signing our artifacts using PGP as explained here:
https://docs.sonatype.org/display/Repository/How+To+Generate+PGP+Signatures…
Here's my +1
Thanks
-Vincent
PS: I we agree I can commit the changes required to our top level POM to implement this
(I have them locally already)
9:32 p.m.
On Mon, Aug 15, 2011 at 5:19 PM, Vincent Massol <vincent(a)massol.net> wrote:
Hi,
I think we should start signing our artifacts using PGP as explained here:
https://docs.sonatype.org/display/Repository/How+To+Generate+PGP+Signatures…
Here's my +1
+1
Jerome
Thanks
-Vincent
PS: I we agree I can commit the changes required to our top level POM to implement this
(I have them locally already)
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
4773
days inactive
4781
days old
13 comments
9 participants
participants (9)
-
Alex Busenius -
Caleb James DeLisle -
Denis Gervalle -
Fabio Mancinelli -
Jerome Velociter -
Marius Dumitru Florea -
Sergiu Dumitriu -
Thomas Mortagne -
Vincent Massol