Re: [jetty-dev] Announcements of releases / signatures / location

Scott,

Thanks for the feedback!

First off, I'll double-check the announcements; I could have sworn those had gone out, so my apologies.

As for the download.eclipse.org site, Maven Central has always been the canonical durable repository for Jetty.  Our usage of the eclipse download page was a manual post release process and was ultimately nothing more than a waste of space so I did away with it for the distribution downloads when I converted the jetty website to asciidoc.  We keep some javadoc and xref files on there for releases but that is about it.  We try and keep our p2 repositories up to date but personally I am loath to keep doing that since there isn't a centralized durable p2 repository to contribute to.

Now a KEYS file in our GitHub repository is not a bad idea at all; I recently updated my keys and validated that we hadn't been dinged by that short ID collision attack from a while back.  I'll create that KEYS file now on the 9.3.x branch and merge it forward.

cheers,
Jesse



--
jesse mcconnell
jesse.mcconnell@xxxxxxxxx

On Mon, Nov 7, 2016 at 9:26 AM, Cantor, Scott <cantor.2@xxxxxxx> wrote:
I have a downstream project that packages Jetty and had some questions related to the fact that it appears the last two 9.3.x releases (13 and 14) have not been announced anywhere officially, the download site has apparently been supplanted by Maven Central, and the absence of any explicit list of PGP signing keys known to be authoritative for the artifacts.

Could somebody from the project speak to this? At minimum, a published KEYS file would really go a long way to providing some confidence. If one exists, my apologies for being unaware of it.

The lack of announcements of the latest patches is particularly strange, certainly.

Consider this just a constructive request to formalize things a bit, as it's a big deal for downstream projects that have security requirements because of their nature.

-- Scott
