Re: [jetty-dev] Announcements of releases / signatures / location

> First off, I'll double check the announcements, I could have sworn those had
> gone out so my apologies.

If they did, they didn't make the announce archive, so that's probably just an oversight and understandable; I know release work involves a lot of details.

> As for the download.eclipse.org site, Maven
> Central has always been the canonical durable repository for Jetty.

Ok, good to know.

> Now a KEYS file in our github repository is not a bad idea at all, I recently
> updated my keys and validated that we hadn't been dinged by that short id
> collision attack from a while back.  I'll create that KEYS file now on the 9.3.x
> branch and merge it forward.

Thanks, that's really appreciated. One of our developers noted the latest Maven Central artifacts had a signature from an apache.org email and that raised some questions; ultimately it's just getting the list of keys to trust posted so we can verify the artifacts.

Again, thanks for the attention and a great product.

-- Scott

