
Re: Frustration with trying to build Debian packages from Maven-based sources



On 22/03/2013 08:53, Thomas Koch wrote:

> thank you for offering your help. As I wrote, it would be very helpful, if 
> somebody (you) could start to lobby for sane artifact signing on Apache 
> Conferences and on mailing lists.
> 
> It doesn't make sense to sign release artifacts with GPG keys as long as those 
> keys don't have any signature that would link them to the web-of-trust.
> 
> So you could start to run key signing parties on Apache events or with your 
> team mates.

Good point. At least for the Apache Commons project there aren't many
keys signed (and mine isn't signed either):

http://www.apache.org/dist/commons/KEYS

Signing parties already take place at Apache conferences, but not every
committer has the opportunity to attend these events.

http://wiki.apache.org/apachecon/PgpKeySigning


> Second thing is with source tarballs or Git repos. For building a Debian 
> package we need a source tarball that does not contain any non-free or binary 
> artifacts. The typical ant project has a lib/ folder containing jars. We need 
> to repackage and get rid of the lib/ folder. So it's generally a good thing if 
> projects move to maven or use at least ivy.

Almost all Apache Commons components are based on Maven now and the
source archives don't ship with the libs. I'll keep that in mind when I
work with other Apache projects.

Emmanuel Bourg


Attachment: smime.p7s
Description: S/MIME cryptographic signature
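The check Thomas is asking for can be run against a KEYS file directly. The script below is an added example, not code from this thread, from Apache Commons or from Debian: it imports a KEYS file into a throwaway keyring, then counts, for every primary key, the certifications made by some key other than itself. A key with a count of zero has no link into the web of trust at all, so a release signature made with it says nothing about who the signer is. It assumes gpg 2.x is on PATH for the import step; the filter itself only needs awk, so it also works on a saved `--with-colons` listing. The sample listing and its key IDs are constructed for the example and belong to no real key.

```shell
#!/bin/sh
# Added example (not from this thread, Apache, or Debian): audit a KEYS file
# for signing keys that have no link into the web of trust, i.e. keys that
# carry no certification from any key other than themselves.
# Assumes gpg 2.x on PATH for the import/listing step; the awk filter can be
# run on its own over a saved `gpg --with-colons --list-sigs` listing.

# Read `gpg --with-colons --list-sigs` output on stdin and print
# "<keyid> <count>" for each primary key, where <count> is the number of
# certifications (signature classes 0x10-0x13) issued by a different key.
# Self-signatures and subkey binding signatures (0x18) are not counted.
count_third_party_certs() {
    awk -F: '
        $1 == "pub" {
            key = $5
            if (!(key in certs)) { order[++n] = key; certs[key] = 0 }
        }
        # sig records following a sub line are subkey bindings, not certifications
        $1 == "sub" { key = "" }
        $1 == "sig" && key != "" && $11 ~ /^1[0-3]/ && $5 != key { certs[key]++ }
        END { for (i = 1; i <= n; i++) print order[i], certs[order[i]] }
    '
}

# Keys with zero third-party certifications: a release signature made with
# one of these only proves that whoever controls the key signed the file.
list_unlinked_keys() {
    count_third_party_certs | awk '$2 == 0 { print $1 }'
}

# Import a KEYS file into a scratch keyring (mktemp -d creates it mode 0700)
# and run the audit over every key it contains.
audit_keys_file() {
    keys_file=$1
    home=$(mktemp -d)
    gpg --homedir "$home" --batch --quiet --import "$keys_file" 2>/dev/null
    gpg --homedir "$home" --batch --with-colons --list-sigs 2>/dev/null \
        | count_third_party_certs
    rm -rf "$home"
}

# Constructed sample listing (fake key IDs, no real keys): 1111... carries
# only its own self-signature, 3333... is additionally certified by 1111....
SAMPLE_LISTING='pub:-:4096:1:1111111111111111:1363000000:::-:::scESC::::::23::0:
uid:-::::1363000000::0123456789ABCDEF0123456789ABCDEF01234567::Alice Example <alice@example.org>::::::::::0:
sig:::1:1111111111111111:1363000000::::Alice Example <alice@example.org>:13x::::::2:
sub:-:4096:1:2222222222222222:1363000000::::::e::::::23:
sig:::1:1111111111111111:1363000000::::Alice Example <alice@example.org>:18x::::::2:
pub:-:4096:1:3333333333333333:1363000000:::-:::scESC::::::23::0:
uid:-::::1363000000::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Bob Example <bob@example.org>::::::::::0:
sig:::1:3333333333333333:1363000000::::Bob Example <bob@example.org>:13x::::::2:
sig:::1:1111111111111111:1363100000::::Alice Example <alice@example.org>:10x::::::2:
sub:-:4096:1:4444444444444444:1363000000::::::e::::::23:
sig:::1:3333333333333333:1363000000::::Bob Example <bob@example.org>:18x::::::2:'

if [ $# -ge 1 ]; then
    audit_keys_file "$1"          # e.g. ./audit-keys.sh KEYS
else
    printf '%s\n' "$SAMPLE_LISTING" | count_third_party_certs
fi
```

Two caveats. A nonzero count only says that some other key vouched for this one; whether that certifier lies on a trust path from your own key is a separate question, and gpg shows "[User ID not found]" in the issuer field when the certifying key is not in the KEYS file. And `--list-sigs` does not verify the certifications, it just lists them; once the certifying keys are in the keyring, `--check-sigs` marks each one good or bad in the second field of the sig record.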


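For the second point in the thread, stripping the lib/ folder of a typical ant project before the tarball can become a Debian orig tarball, here is an added example of the repackaging step; it is not from this thread and not a Debian tool. It lists the entries a source package must not carry (anything under lib/, compiled .jar/.class/.so/.dll files), and rebuilds the archive without them while keeping the top-level directory name. Only tar, find and grep are assumed; the +dfsg naming of the output is the caller's choice, and the test data is constructed.

```shell
#!/bin/sh
# Added example (not from this thread or any Debian packaging tool): find and
# strip the bundled binaries that make an upstream tarball unsuitable as a
# Debian orig tarball. Only tar, find and grep are assumed.

# List entries of a .tar.gz that a Debian source package must not carry:
# anything under a lib/ directory and any compiled artifact. Exit status is
# grep's: 0 if something was found, 1 if the archive is clean.
list_binary_artifacts() {
    tar -tzf "$1" | grep -E '(^|/)lib/|\.(jar|class|so|dll)$'
}

# repack_without_libs SRC.tar.gz DEST.tar.gz
# Unpacks SRC into a scratch directory, removes every lib/ directory and
# every *.jar/*.class file anywhere in the tree, and re-creates the archive
# as DEST with the same top-level directory name.
repack_without_libs() {
    src=$1
    dest=$2
    work=$(mktemp -d)
    tar -xzf "$src" -C "$work"
    find "$work" -type d -name lib -prune -exec rm -rf {} +
    find "$work" -type f \( -name '*.jar' -o -name '*.class' \) -exec rm -f {} +
    ( cd "$work" && tar -czf - * ) > "$dest"
    rm -rf "$work"
}

# Stand-alone usage: ./repack.sh foo_1.0.orig.tar.gz foo_1.0+dfsg.orig.tar.gz
if [ $# -eq 2 ]; then
    repack_without_libs "$1" "$2"
    if list_binary_artifacts "$2"; then
        echo "WARNING: binaries remain in $2 (listed above)" >&2
    fi
fi
```

Run list_binary_artifacts over the result before uploading: a jar that lives outside lib/ (say under src/test/resources/) survives the lib/ removal but is still caught by the extension match, and the repack then needs a wider find pattern. Later versions of uscan can do this removal for you from a Files-Excluded field in debian/copyright, which keeps the exclusion list in the package instead of in a script.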