The EDP purposely avoids discussing any particular technology. You'll also notice no references to services that we consider to be "core" (Git repositories, issue trackers, dev lists, ...).
The notion of "core" services is supported by the principles (and the open source rules of engagement) that are described in the EDP. The handbook contains a list of those services that the EMO has determined to be core.
The handbook also says this about signing:
Where technically sensible, all downloadable artifacts should be
signed by an Eclipse Foundation certificate.
It's not presented as a rule per se, so there's some wiggle room. We should probably harden this.
I don't think that there can be any controversy that a signed artifact must be signed by an EF certificate.
Less clear is how we interpret "technically sensible". My interpretation is that all release artifacts that can be signed, must be signed.
I believe that we can reasonably assert that it's okay for a project's incubation releases to be unsigned. I tend to consider signing to be a requirement for graduation (at the PMC's discretion, of course).
Wayne