Re: [orbit-dev] pack200:normalize cannot be called for signed jar

> I would be extremely careful in that case. Usually my advice is *not* to
> enable signing on any Gerrit verification job, and I explicitly disable
> this in all my own job definitions.
> 
> Those builds are triggered by Gerrit, and everyone with push permissions to
> Gerrit (easy to achieve) can push and trigger new builds with unchecked
> content from the Gerrit change. Those builds are creating build artifacts
> that are signed with an Eclipse Foundation certificate then, and in my
> opinion it is not advisable to open that to nearly everyone. Just my
> thoughts.


You're right, we should definitely keep it disabled. Is there any reason not
to do -Peclipse-sign -Dcbi.jarsigner.skip so that at least the pack200 plugins
run? That should catch the additional issues without too large a processing
time.

Cheers,
-- 
Roland Grunberg

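The thread turns on two checks a build engineer would want to automate: a pack200 normalization step must refuse a jar that already carries a signature (normalizing rewrites the archive bytes, so any existing signature would no longer verify), and a Gerrit verification job, where signing is meant to stay disabled, should fail if any of its output jars turns out to be signed. The following is an added example, not Orbit, Tycho or CBI plugin code; it detects signing the way jarsigner records it, by the presence of META-INF/*.SF and signature block files (*.RSA, *.DSA, *.EC) at the top level of META-INF. The jars it inspects are constructed in memory with placeholder signature entries, and the names `normalize_guard`, `can_normalize` and `signed_artifacts` are this example's own.

```python
"""Signed-jar guards for a pack200/signing pipeline (added example, not
project code). Jars are built in memory; the .SF/.RSA contents are
placeholders and are never cryptographically verified here."""
import io
import zipfile

# Signature block file suffixes jarsigner writes next to its .SF file.
SIG_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")


def signature_entries(jar_bytes):
    """Return META-INF signature entries (*.SF and block files), sorted.

    Only the top level of META-INF counts: jarsigner writes its files
    there, and nested META-INF/ paths are ordinary resources."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
    found = []
    for name in names:
        upper = name.upper()
        if not upper.startswith("META-INF/"):
            continue
        rest = name[len("META-INF/"):]
        if "/" in rest:
            continue
        if upper.endswith(".SF") or upper.endswith(SIG_BLOCK_SUFFIXES):
            found.append(name)
    return sorted(found)


def is_signed(jar_bytes):
    return bool(signature_entries(jar_bytes))


class SignedJarError(RuntimeError):
    """Raised when normalization is attempted on an already-signed jar."""


def normalize_guard(jar_bytes):
    """Pre-check for a pack200 normalize step.

    Normalizing rewrites class data, so a signature made earlier would
    fail to verify afterwards; refuse rather than silently break it."""
    sigs = signature_entries(jar_bytes)
    if sigs:
        raise SignedJarError(
            "pack200 normalize cannot be called for signed jar; found "
            + ", ".join(sigs))
    return True  # safe to run normalization, then sign afterwards


def can_normalize(jar_bytes):
    """Boolean form of normalize_guard for callers that prefer not to catch."""
    try:
        return normalize_guard(jar_bytes)
    except SignedJarError:
        return False


def signed_artifacts(artifacts):
    """For a verification job that must not sign: names of signed outputs.

    `artifacts` maps artifact name -> jar bytes; a non-empty result means
    signing was enabled where it should have been skipped."""
    return sorted(name for name, data in artifacts.items() if is_signed(data))


def make_jar(signed, signer="ECLIPSE"):
    """Construct a minimal jar in memory (constructed sample input).

    With signed=True, placeholder META-INF/<signer>.SF and .RSA entries
    are added in the layout jarsigner would produce."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n\n")
        # A class-file magic number followed by padding stands in for code.
        zf.writestr("org/example/Foo.class", b"\xca\xfe\xba\xbe" + b"\x00" * 4)
        # A nested META-INF path must NOT be mistaken for a signature.
        zf.writestr("lib/META-INF/OTHER.SF", "not a jar signature\n")
        if signed:
            zf.writestr(f"META-INF/{signer}.SF", "Signature-Version: 1.0\n\n")
            zf.writestr(f"META-INF/{signer}.RSA", b"\x30\x82placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    unsigned, signed = make_jar(False), make_jar(True)
    print("unsigned can normalize:", can_normalize(unsigned))
    print("signed can normalize:  ", can_normalize(signed))
    print("signed outputs in verification build:",
          signed_artifacts({"a.jar": unsigned, "b.jar": signed}))
```

In a real pipeline `signed_artifacts` would be fed the jars a job actually produced, and a Gerrit-triggered job would fail on a non-empty result, which is the property the thread wants to hold when signing is skipped.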
