
Re: [tycho-user] Signing jars and P2

To make sure I understand, what is going to talk to a remote webservice
for signing artifacts: the currently released version of
maven-jarsigner-plugin [1], a future version of the maven-jarsigner
plugin, or some other (yet to be written?) maven plugin?

And, to be clear, problems signing releases with Tycho are not specific
to Eclipse infra. These problems are caused by bad interaction of the
way maven lifecycle inheritance works and how we decided to manage p2
metadata during the build. You'll have exactly the same problem signing
releases at Apache or, in fact, anywhere else until we implement one of
the two solutions I mentioned earlier.

[1] http://maven.apache.org/plugins/maven-jarsigner-plugin/

--
Regards,
Igor

On 11-09-03 1:01 PM, Benson Margulies wrote:
What are you talking about? Do you even know how it works at Eclipse?
The signing of artifacts that go out as official releases at Eclipse must
pass through a highly secured machine for signing, and it's the only
mechanism by which something can be signed.

Jason,

I knew that, Igor knows that, and it poses a problem for Tycho builds
-- according to Igor, who knows much more about it than I do.

Meanwhile, over at ASF infrastructure, there is a discussion going on
about how to sign official *Apache* releases. The goal is to have just
as much control as Eclipse.org has, but still allow a maven plugin to
do the signing via a web service in the midst of a build, which is
what is required to work with Tycho.

I perceived a tiny bit of humor in the possibility that we might end
up in a situation in which it is less cumbersome to make a
fully-signed release of an Eclipse plugin with Tycho at Apache than at
Eclipse. Emphasis on 'tiny'.

Is that clear?

--benson
_______________________________________________
tycho-user mailing list
tycho-user@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/tycho-user

