[xwiki-devs] [VOTE] Sign our Maven artifacts using GPG

Sergiu Dumitriu sergiu at xwiki.com
Tue Aug 16 14:31:25 UTC 2011


On 08/16/2011 10:21 AM, Fabio Mancinelli wrote:
> Hi,
>
> +1 for every release manager to have his own key.
> Though I think that there should be an "XWiki.org" key that is kept
> only by one person and that is used to sign the release managers keys.
>
> In this way artifacts will be marked as released by somebody that is
> also trusted by XWiki.org.

Yes, that's what I was thinking as well last night. And the XWiki.org 
master key should be signed by a trusted authority.

> -Fabio
>
> On Mon, Aug 15, 2011 at 6:04 PM, Caleb James DeLisle
> <calebdelisle at lavabit.com>  wrote:
>>
>>
>> On 08/15/2011 11:42 AM, Sergiu Dumitriu wrote:
>>> On 08/15/2011 11:19 AM, Vincent Massol wrote:
>>>> Hi,
>>>>
>>>> I think we should start signing our artifacts using PGP as explained here:
>>>> https://docs.sonatype.org/display/Repository/How+To+Generate+PGP+Signatures+With+Maven
>>>>
>>>> Here's my +1
>>>
>>> +1.
>>>
>>> Do we use only one key, installed on the release machine? It should be
>>> protected by a strong passphrase.
>>
>> +1
>> I really don't like the "one key on the release box" idea.
>> IMO each release manager should sign with their key which ofc never leaves their own computer.
>>
>> Caleb
>>
>>>
>>>>
>>>> Thanks
>>>> -Vincent
>>>>
>>>> PS: If we agree I can commit the changes required to our top level POM to implement this (I have them locally already)
>>>
>>> PS2: When's the release user ready on one of the new agents?
>>>


-- 
Sergiu Dumitriu
http://purl.org/net/sergiu/
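The key layout this thread converges on (one XWiki.org master key that certifies each release manager's personal key, with artifacts signed by the release manager's own key and a detached `.asc` beside them, as the Maven GPG plugin produces) can be exercised end to end with plain gpg. The script below is an added example; it is not code from this thread or from the XWiki project. It assumes gpg 2.1 or newer on PATH; every key name, e-mail address and the "artifact" are constructed placeholders, and all keys live in throw-away GNUPGHOME directories so nothing touches a real keyring. The consumer-side check is the part worth copying: a good signature alone is not enough, the signing key must also carry a certification from the master key, otherwise an artifact signed by an uncertified key is rejected.

```shell
#!/bin/sh
# Added example (not from the xwiki-devs thread or the XWiki project):
# master key certifies release manager keys; release manager signs artifacts;
# consumer verifies the artifact AND the trust path back to the master key.
# Assumes gpg 2.1+ on PATH. All identities and the artifact are constructed.
set -eu

HOMES=""

# Start an isolated keyring so the caller's real keys are never touched.
setup_home() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    HOMES="$HOMES $GNUPGHOME"
    # Loopback pinentry lets the demo run unattended with empty passphrases.
    # Real release keys need a strong passphrase, as the thread says.
    printf 'allow-loopback-pinentry\n' > "$GNUPGHOME/gpg-agent.conf"
}

# Stop the agents that were started for the throw-away homes.
cleanup() {
    for h in $HOMES; do GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true; done
}

# Non-interactive gpg for operations that need the (empty) demo passphrase.
gpgb() { gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Generate a key for the given user id and print its fingerprint.
gen_key() {
    gpgb --quick-generate-key "$1" default default never 2>/dev/null
    gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'
}

# Verify a detached signature and require that the signing key is certified
# by the master key.  $1=artifact  $2=.asc signature  $3=master fingerprint
verify_release() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    signer=$(printf '%s\n' "$status" | awk '$2=="VALIDSIG"{print $3; exit}')
    [ -n "$signer" ] || return 1
    master_id=$(printf '%s' "$3" | tail -c 16)   # long key id = last 16 hex digits of the fingerprint
    # --check-sigs prints one "sig" record per certification on the key:
    # field 2 "!" means the certification verified, field 5 is the certifier's key id.
    gpg --batch --with-colons --check-sigs "$signer" 2>/dev/null \
        | awk -F: -v id="$master_id" '$1=="sig" && $2=="!" && $5==id {ok=1} END{exit !ok}'
}

# Walk through both sides. Returns 0 only if the properly released artifact
# verifies while a tampered artifact and an uncertified signer are rejected.
run_demo() {
    work=$(mktemp -d)
    trap cleanup EXIT

    # --- XWiki.org / release manager side ---
    setup_home
    master=$(gen_key 'XWiki.org Master Key (example) <master@example.invalid>')
    rm_key=$(gen_key 'Release Manager (example) <rm@example.invalid>')
    rogue=$(gen_key 'Uncertified Key (example) <rogue@example.invalid>')
    # The master key certifies the release manager's key; the rogue key stays uncertified.
    gpgb --local-user "$master" --quick-sign-key "$rm_key" 2>/dev/null
    gpg --batch --armor --export "$master" "$rm_key" "$rogue" > "$work/keys.asc"
    # Constructed stand-in for a built jar, plus a second copy signed by the rogue key.
    printf 'constructed artifact bytes\n' > "$work/xwiki-example-1.0.jar"
    cp "$work/xwiki-example-1.0.jar" "$work/other-1.0.jar"
    gpgb --local-user "$rm_key" --armor --detach-sign "$work/xwiki-example-1.0.jar"   # -> .jar.asc
    gpgb --local-user "$rogue"  --armor --detach-sign "$work/other-1.0.jar"

    # --- consumer side: fresh keyring holding only the exported public keys ---
    setup_home
    gpg --batch --quiet --import "$work/keys.asc" 2>/dev/null
    verify_release "$work/xwiki-example-1.0.jar" "$work/xwiki-example-1.0.jar.asc" "$master" || return 1
    ! verify_release "$work/other-1.0.jar" "$work/other-1.0.jar.asc" "$master" || return 1
    printf 'tampered\n' >> "$work/xwiki-example-1.0.jar"
    ! verify_release "$work/xwiki-example-1.0.jar" "$work/xwiki-example-1.0.jar.asc" "$master" || return 1
    rm -rf "$work"
    return 0
}
```

Run `run_demo && echo "release verified, bad cases rejected"` from the same shell file. The master key's private half would, in practice, stay offline with the one person the thread mentions and only ever be used to certify release manager keys; release managers' private keys never leave their own machines, which is exactly why the consumer check looks for the master's certification on the signer rather than for the master key's own signature on the artifact.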
