[Hawkular-dev] Proposal: Add PGP artifact signing

Stefan Negrea snegrea at redhat.com
Mon Mar 30 10:40:22 EDT 2015


Hello Peter,

Hawkular Metrics is the only project that has official pre-1.0 releases. For Hawkular Metrics, automated deployments of SNAPSHOTS and simple releases (by any Hawkular Metrics member) are essential.

At this point, Hawkular Metrics will not consider adding PGP. The only way this would be viable for Hawkular Metrics is with a release engineer permanently on staff who will automate and maintain every single aspect of the PGP signing via CI tooling.


Thank you,
Stefan

----- Original Message -----
> From: "Peter Palaga" <ppalaga at redhat.com>
> To: hawkular-dev at lists.jboss.org
> Sent: Monday, March 30, 2015 8:58:58 AM
> Subject: [Hawkular-dev] Proposal: Add PGP artifact signing
> 
> Hi *,
> 
> I propose to add maven-gpg-plugin to the release profile, similarly to what I
> did for javadoc and sources in
> https://github.com/hawkular/hawkular-parent-pom/commit/d54a8d03b4ef251d594f1cc4ff3fadfa4a1d4dd3#diff-600376dffeb79835ede4a0b285078036R630
> 
> A pom.xml snippet is in https://issues.jboss.org/browse/HAWKULAR-108
> 
> 
> == Why?
> 
> Because Maven Central requires it [1]. Although apparently, they have
> already accepted our unsigned artifacts.
> 
> I would not let our CI sign the SNAPSHOT releases.
> 
> 
> == So what is the problem?
> 
> The team members doing releases would have to
> * install native OS-level gpg software
> * generate a key pair
> * publish their public key
> See [2]
> 
> Is the above acceptable?
> 
> Thanks,
> 
> Peter
> 
> [1]
> http://maven.apache.org/guides/mini/guide-central-repository-upload.html#PGP_Signature
> [2]
> http://blog.sonatype.com/2010/01/how-to-generate-pgp-signatures-with-maven
> _______________________________________________
> hawkular-dev mailing list
> hawkular-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/hawkular-dev
> 
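The three steps the proposal asks of a release engineer (install gpg, generate a key pair, publish the public key), followed by what maven-gpg-plugin's "sign" goal does per artifact and the check a consumer of Maven Central can then run, as an added shell example. This is not Hawkular project code and not the snippet attached to HAWKULAR-108; it assumes GnuPG 2.x on PATH, and the key identity, the artifact name and its contents are made up for the demo.

```shell
#!/bin/sh
# Added example (not Hawkular code): reproduce by hand what maven-gpg-plugin's
# "sign" goal does (a detached, ASCII-armored .asc next to the artifact), then
# run the consumer-side check: import the published public key into a fresh
# keyring and verify the artifact, including a tampered copy being rejected.
# Assumes GnuPG 2.x on PATH. Key identity and artifact are constructed.
set -eu

have_gpg() { command -v gpg >/dev/null 2>&1; }

# Step 2 of the proposal: generate a signing key non-interactively into the
# throwaway keyring $1 and print its fingerprint. %no-protection (no
# passphrase) is acceptable only for this demo key, never for a release key.
make_signing_key() {
  keyring=$1
  gpg --homedir "$keyring" --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Hawkular Release (example)
Name-Email: release@example.invalid
Expire-Date: 1y
%commit
EOF
  gpg --homedir "$keyring" --list-secret-keys --with-colons |
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Step 3: export the public key $2 from keyring $1 to file $3. A real release
# would also push it to a keyserver, e.g.
#   gpg --keyserver keyserver.ubuntu.com --send-keys <fingerprint>
export_public_key() {
  gpg --homedir "$1" --armor --export "$2" > "$3"
}

# What the plugin does per artifact: --armor --detach-sign, output <file>.asc.
sign_artifact() {
  keyring=$1; fpr=$2; artifact=$3
  gpg --homedir "$keyring" --batch --yes --armor --detach-sign \
      --local-user "$fpr" --output "$artifact.asc" "$artifact"
}

# Consumer-side check in a fresh keyring that knows only the published public
# key $1. Returns 0 for a good signature on $2, 1 otherwise.
verify_artifact() {
  pubkey=$1; artifact=$2
  consumer=$(mktemp -d)
  gpg --homedir "$consumer" --batch --quiet --import "$pubkey" >/dev/null 2>&1
  if gpg --homedir "$consumer" --batch --verify "$artifact.asc" "$artifact" \
       >/dev/null 2>&1; then
    status=0
  else
    status=1
  fi
  gpgconf --homedir "$consumer" --kill gpg-agent >/dev/null 2>&1 || true
  rm -rf "$consumer"
  return $status
}

# End-to-end run on a constructed artifact. Prints "<intact> <tampered>",
# where intact is good/bad and tampered is rejected/accepted.
demo() {
  work=$(mktemp -d)
  signer="$work/signer"; mkdir -m 700 "$signer"
  fpr=$(make_signing_key "$signer")
  export_public_key "$signer" "$fpr" "$work/release-key.asc"

  artifact="$work/hawkular-metrics-example-0.1.0.jar"
  printf 'constructed stand-in for a release jar\n' > "$artifact"
  sign_artifact "$signer" "$fpr" "$artifact"

  if verify_artifact "$work/release-key.asc" "$artifact"; then
    intact=good; else intact=bad; fi

  # Flip the artifact after signing: the old .asc must no longer verify.
  printf 'x' >> "$artifact"
  if verify_artifact "$work/release-key.asc" "$artifact"; then
    tampered=accepted; else tampered=rejected; fi

  gpgconf --homedir "$signer" --kill gpg-agent >/dev/null 2>&1 || true
  rm -rf "$work"
  echo "$intact $tampered"
}

if have_gpg; then demo; else echo "gpg not found on PATH" >&2; fi
```

With the plugin in a release profile, the same `--armor --detach-sign` call runs once per artifact (jar, sources, javadoc, pom) during the `verify` phase, so what consumers download from Central is the artifact plus an `.asc` of exactly this shape. The unattended CI signing that the reply above says it cannot staff comes down to the part this demo sidesteps with `%no-protection`: keeping a passphrase-protected release key available to the build (via gpg-agent or the plugin's `gpg.passphrase` property) without exposing it, which is the operational burden the two messages disagree about.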

