Re: [tycho-user] Signing jars and P2

[Jason van Zyl <jason@xxxxxxxxx>]

On Sep 3, 2011, at 1:01 PM, Benson Margulies wrote:

What are you talking about? Do you even know how it works at Eclipse?

The signing of artifacts that go out as official releases at Eclipse must

pass through a highly secured machine for signing, and it's the only

mechanism by which something can be signed.

Jason,

I knew that, Igor knows that, and it poses a problem for Tycho builds
-- according to Igor, who knows much more about it than I do.

Meanwhile, over at ASF infrastructure, there is a discussion going on
about how to sign official *Apache* releases. The goal is to have just
as much control as Eclipse.org has, but still allow a maven plugin to
do the signing via a web service in the midst of a build, which is
what is required to work with Tycho.

I perceived a tiny bit of humor in the possibility that we might end
up in a situation in which it is less cumbersome to make a
fully-signed release of an Eclipse plugin with Tycho at Apache than at
Eclipse. Emphasis on 'tiny'.

Is that clear?

When you actually explain, yes.

"It is beginning to look as if ASF may end up with a signing discipline

friendly to Tycho while Eclipse has none. Some might find this ironic."

This statement doesn't vaguely resemble your explanation above, or convey any understanding of how the process works at Eclipse.

--benson
_______________________________________________
tycho-user mailing list
tycho-user@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/tycho-user

Thanks,

Jason

----------------------------------------------------------
Jason van Zyl
Founder,  Apache Maven
http://twitter.com/jvanzyl
---------------------------------------------------------

believe nothing, no matter where you read it,
or who has said it,
not even if i have said it,
unless it agrees with your own reason
and your own common sense.

 -- Buddha