oVirt artifacts at maven repository
Juan Hernandez
jhernand at redhat.com
Thu Nov 22 08:48:33 UTC 2012
On 11/22/2012 08:15 AM, Alon Bar-Lev wrote:
>
> Hello,
>
> The otopi and ovirt-host-deploy projects provide Java artifacts so that ovirt-engine can be built using common constants and a trivial parser.
>
> I would like to publish these artifacts at maven central to ease ovirt-engine build, as it will automatically fetch these dependencies just like every other dependency.
>
> In order to do so I need to sign the artifacts.
>
> Questions:
>
> Should we have a unique key for each package?
> Should we have a single key for all oVirt releases?
>
> The advantage of a key for each package is that the maintainer can release artifacts at will.
> The advantage of a single key is that a single trust can be obtained.
>
> What do you think?

When I have verified artifacts from maven (not many times, to be honest)
I always found that they are signed by different individuals, even if
they are from related projects.

I would suggest that the release manager for each project signs the
artifact with her/his key, as sharing private keys between different
people can be a nightmare, and not very secure.

I would also suggest that release managers sign each other's code signing
keys.

--
Commercial address: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta
3ºD, 28016 Madrid, Spain
Registered in the Mercantile Registry of Madrid – C.I.F. B82657941 - Red Hat S.L.