Posted to dev@maven.apache.org by Anders Hammar <an...@hammar.net> on 2010/03/12 13:31:16 UTC

Missing signatures for the wagon 1.0-beta-2 artifacts

While implementing a Maven environment for a customer where the signatures
for used Apache artifacts are verified, I've stumbled upon the fact that the
artifacts of wagon 1.0-beta-2 aren't signed. As all other versions (1.0
alphas and betas) have signatures, I'm confused. Does anyone know why 1.0-beta-2
wasn't signed?

Unfortunately, very many plugins (most?) have a dependency to Maven 2.0.x
which depends on this specific version of wagon. This causes an issue as it
can't be verified. Could this be solved somehow so that we can have
dependencies to signed artifacts?

/Anders

Re: Missing signatures for the wagon 1.0-beta-2 artifacts

Posted by Brett Porter <br...@apache.org>.
On 17/03/2010, at 1:45 AM, Anders Hammar wrote:

> To carry on my own thread, would it be possible to bump the dependency to
> the maven artifact to version 2.1 or later (for all apache plugins)?
> Another solution could be to add dependency management to change the
> transitive dependency to wagon to a version with a signature (1.0-beta-3 or
> whatever). This could be added to the maven-plugins parent pom.

This might not necessarily play well with Maven 2.0.x users.

> 
> Anyone else who thinks that this dependency in the plugins on Apache
> artifacts that aren't signed is an issue?

It's disappointing that they weren't signed and that we still depend on them, but if this concerns you I think your best course of action is to rebuild them from source so that you know exactly what you are getting and use them internally.

- Brett

--
Brett Porter
brett@apache.org
http://brettporter.wordpress.com/


Re: Missing signatures for the wagon 1.0-beta-2 artifacts

Posted by Anders Hammar <an...@hammar.net>.
To carry on my own thread, would it be possible to bump the dependency to
the maven artifact to version 2.1 or later (for all apache plugins)?
Another solution could be to add dependency management to change the
transitive dependency to wagon to a version with a signature (1.0-beta-3 or
whatever). This could be added to the maven-plugins parent pom.

Anyone else who thinks that this dependency in the plugins on Apache
artifacts that aren't signed is an issue?

/Anders

On Fri, Mar 12, 2010 at 13:31, Anders Hammar <an...@hammar.net> wrote:

> While implementing a Maven environment for a customer where the signatures
> for used Apache artifacts are verified, I've stumbled upon the fact that the
> artifacts of wagon 1.0-beta-2 aren't signed. As all other versions (1.0
> alphas and betas) have signatures, I'm confused. Does anyone know why 1.0-beta-2
> wasn't signed?
>
> Unfortunately, very many plugins (most?) have a dependency to Maven 2.0.x
> which depends on this specific version of wagon. This causes an issue as it
> can't be verified. Could this be solved somehow so that we can have
> dependencies to signed artifacts?
>
> /Anders
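The situation Anders describes (a signature-verifying build tripping over an Apache artifact that ships without a detached .asc file) is easy to audit for in a local repository. The script below is an added example, not code from the thread or from the Maven project; it assumes a POSIX sh with find(1), an optional gpg(1) for the verify step, and a repository laid out like ~/.m2/repository (the sample paths and artifact names are constructed for illustration).

```shell
#!/bin/sh
# Audit a local Maven repository for artifacts without a detached signature.
# Added example (not from the mailing-list thread). Assumes POSIX sh and find(1);
# verify_signed_artifacts additionally assumes gpg(1) with the publisher's keys
# (e.g. an imported Apache KEYS file) already in the keyring.

# Print every .jar/.pom under the repository $1 that has no sibling .asc file,
# as paths relative to the repository root, one per line, sorted.
find_unsigned_artifacts() {
    repo="$1"
    find "$repo" -type f \( -name '*.jar' -o -name '*.pom' \) | sort |
    while read -r f; do
        # A detached OpenPGP signature for foo.jar is published as foo.jar.asc
        [ -f "$f.asc" ] || printf '%s\n' "${f#$repo/}"
    done
}

# Exit 0 when every artifact under $1 has a signature file, 1 otherwise.
all_artifacts_signed() {
    [ -z "$(find_unsigned_artifacts "$1")" ]
}

# Check the signatures that do exist. Exits non-zero on the first artifact
# whose .asc does not verify against the keyring (or gpg is missing).
verify_signed_artifacts() {
    find "$1" -type f -name '*.asc' -exec sh -c '
        for sig; do
            gpg --batch --verify "$sig" "${sig%.asc}" >/dev/null 2>&1 ||
                { printf "BAD  %s\n" "${sig%.asc}" >&2; exit 1; }
            printf "OK   %s\n" "${sig%.asc}"
        done' sh {} +
}

# Usage (constructed paths): report unsigned artifacts, then verify the rest.
# find_unsigned_artifacts "$HOME/.m2/repository"
# verify_signed_artifacts "$HOME/.m2/repository"
```

In a build that requires signatures, the unsigned list is the set of artifacts to either replace with a signed version via dependencyManagement or, as Brett suggests, rebuild from source and host internally.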