8:58 a.m.
Hi *,
I propose to add maven-gpg-plugin to the release profile, similarly as I
did for javadoc and sources in
https://github.com/hawkular/hawkular-parent-pom/commit/d54a8d03b4ef251d59...
A pom.xml snippet is in https://issues.jboss.org/browse/HAWKULAR-108
== Why?
Because Maven Central requires it [1]. Although apparently, they already
have accepted our unsigned artifacts already.
I would not let our CI to sign the SNAPSHOT releases.
== So what is the problem?
The team members doing releases would have to
* install native OS-level gpg software
* generate a key pair
* publish their public key
See [2]
Is the above acceptable?
Thanks,
Peter
[1]
http://maven.apache.org/guides/mini/guide-central-repository-upload.html#...
[2]
http://blog.sonatype.com/2010/01/how-to-generate-pgp-signatures-with-maven
9:40 a.m.
Hello Peter,
Hawkular Metrics is the only project that has official pre 1.0 releases. For Hawkular
Metrics automated deployments of SNAPSHOTS and simple releases (by any Hawkular Metrics
member) are essential.
At this point, Hawkular Metrics will not consider adding pgp. The only way this would be
viable for Hawkular Metrics is with a release engineer permanently on staff that will
automate and maintain every single aspect of the pgp signing via CI tooling.
Thank you,
Stefan
----- Original Message -----
From: "Peter Palaga" <ppalaga(a)redhat.com>
To: hawkular-dev(a)lists.jboss.org
Sent: Monday, March 30, 2015 8:58:58 AM
Subject: [Hawkular-dev] Proposal: Add PGP artifact signing
Hi *,
I propose to add maven-gpg-plugin to the release profile, similarly as I
did for javadoc and sources in
https://github.com/hawkular/hawkular-parent-pom/commit/d54a8d03b4ef251d59...
A pom.xml snippet is in https://issues.jboss.org/browse/HAWKULAR-108
== Why?
Because Maven Central requires it [1]. Although apparently, they already
have accepted our unsigned artifacts already.
I would not let our CI to sign the SNAPSHOT releases.
== So what is the problem?
The team members doing releases would have to
* install native OS-level gpg software
* generate a key pair
* publish their public key
See [2]
Is the above acceptable?
Thanks,
Peter
[1]
http://maven.apache.org/guides/mini/guide-central-repository-upload.html#...
[2]
http://blog.sonatype.com/2010/01/how-to-generate-pgp-signatures-with-maven
_______________________________________________
hawkular-dev mailing list
hawkular-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/hawkular-dev
3524
days inactive
3524
days old
1 comments
2 participants
participants (2)
-
Peter Palaga -
Stefan Negrea