oVirt artifacts at maven repository

Alon Bar-Lev alonbl at redhat.com
Thu Nov 22 09:26:24 UTC 2012



----- Original Message -----
> From: "Juan Hernandez" <jhernand at redhat.com>
> To: "Alon Bar-Lev" <alonbl at redhat.com>
> Cc: "arch" <arch at ovirt.org>
> Sent: Thursday, November 22, 2012 10:48:33 AM
> Subject: Re: oVirt artifacts at maven repository
> 
> On 11/22/2012 08:15 AM, Alon Bar-Lev wrote:
> > 
> > Hello,
> > 
> > The otopi and ovirt-host-deploy projects provide java artifacts so
> > that ovirt-engine can be built using common constants and a trivial
> > parser.
> > 
> > I would like to publish these artifacts at maven central to ease
> > ovirt-engine build, as it will automatically fetch these
> > dependencies just like every other dependency.
> > 
> > In order to do so I need to sign the artifacts.
> > 
> > Questions:
> > 
> > Should we have unique key for each package?
> > Should we have single key for all oVirt releases?
> > 
> > The advantages of a key for each package is that the maintainer can
> > release artifacts at will.
> > The advantage of single key is that a single trust can be obtained.
> > 
> > What do you think?
> 
> When I have verified artifacts from maven (not many times, to be honest)
> I always found that they are signed by different individuals, even if
> they are from related projects.
> 
> I would suggest that the release manager for each project signs the
> artifact with her/his key, as sharing private keys between different
> people can be a nightmare, and not very secure.
> 
> I would also suggest that release managers sign each other's code
> signing keys.

Thank you,

I don't think sharing a release key is a nightmare, as publishing artifacts or creating a release is usually the role of 1-2 people.

I don't like using personal keys on outputs as people come and go, and it is very hard to match a personal key to an authorized signer.

I prefer single release key per release artifact (sub-project).

Regards,
Alon
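The concern above is matching a signature to an authorized signer. An added example (not from this thread or the oVirt project): a POSIX shell check that verifies a Maven artifact's detached `.asc` signature and accepts it only if the signing key's full fingerprint appears in a hypothetical project-published allowlist file, so the authorized-signer question is answered by a pinned list rather than by whichever key happens to verify.

```shell
#!/bin/sh
# Added example, not code from the oVirt thread. Assumes gpg 2.1+ is installed
# and that the project's release keys have already been imported into the
# keyring. The allowlist file (hypothetical) holds one full fingerprint per line.

# verify_artifact <artifact> <artifact.asc> <allowlist-file>
# Returns 0 only when the detached signature is valid AND the signing key's
# fingerprint is allowlisted; any other outcome (bad signature, unknown key,
# key not on the list) returns non-zero.
verify_artifact() {
    artifact=$1; sig=$2; allowlist=$3

    # --status-fd 1 gives machine-readable "[GNUPG:] ..." lines on stdout;
    # a failed verification makes gpg exit non-zero, which we propagate.
    status=$(gpg --batch --no-tty --status-fd 1 --verify "$sig" "$artifact" 2>/dev/null) \
        || return 1

    # The VALIDSIG line carries the full fingerprint of the key that signed.
    fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3; exit }')
    [ -n "$fpr" ] || return 1

    # Whole-line, case-insensitive match against the pinned release fingerprints.
    grep -qixF -- "$fpr" "$allowlist"
}
```

Pinning fingerprints rather than relying on keyring contents means a key that merely verifies (for example a former maintainer's personal key still lying around) is rejected until the project explicitly lists it.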


