[xwiki-devs] [VOTE] Sign our Maven artifacts using GPG
Fabio Mancinelli
fabio.mancinelli at xwiki.com
Tue Aug 16 14:21:47 UTC 2011
Hi,
+1 for every release manager to have his own key.
Though I think that there should be an "XWiki.org" key that is kept
only by one person and that is used to sign the release managers' keys.
In this way artifacts will be marked as released by somebody that is
also trusted by XWiki.org.
-Fabio
On Mon, Aug 15, 2011 at 6:04 PM, Caleb James DeLisle
<calebdelisle at lavabit.com> wrote:
>
>
> On 08/15/2011 11:42 AM, Sergiu Dumitriu wrote:
>> On 08/15/2011 11:19 AM, Vincent Massol wrote:
>>> Hi,
>>>
>>> I think we should start signing our artifacts using PGP as explained here:
>>> https://docs.sonatype.org/display/Repository/How+To+Generate+PGP+Signatures+With+Maven
>>>
>>> Here's my +1
>>
>> +1.
>>
>> Do we use only one key, installed on the release machine? It should be
>> protected by a strong passphrase.
>
> +1
> I really don't like the "one key on the release box" idea.
> IMO each release manager should sign with their key which ofc never leaves their own computer.
>
> Caleb
>
>>
>>>
>>> Thanks
>>> -Vincent
>>>
>>> PS: If we agree I can commit the changes required to our top level POM to implement this (I have them locally already)
>>
>> PS2: When's the release user ready on one of the new agents?
>>
>