Re: [orbit-dev] pack200:normalize cannot be called for signed jar

[Evgeny Mandrikov <mandrikov@xxxxxxxxx>]

On Thu, Nov 10, 2016 at 3:33 PM Roland Grunberg <rgrunber@xxxxxxxxxx> wrote:

You're right, we should definitely keep it disabled. Is there any reason not
to do -Peclipse-sign -Dcbi.jarsigner.skip so at least the pack200 plugins
run, which should catch the additional issues without too large a processing
time.

Thinking about this more:

Signing indeed should be disabled and I apologize for opening of this security breach.

Just pack200 will catch more, but not everything as shown in this thread. So anyway better to use signing test server during preparation of repackaging of already signed artifacts. And I tend to think that such situation is rather an exception than rule.

Best regards,

Evgeny