Re: [] Is jar signing mandatory?

The EDP purposely avoids discussing any particular technology. You'll also notice no references to services that we consider to be "core" (Git repositories, issue trackers, dev lists, ...).

The notion of "core" services is supported by the principles (and the open source rules of engagement) that are described in the EDP. The handbook contains a list of those services that the EMO has determined to be core.

The handbook also says this about signing:

Where technically sensible, all downloadable artifacts should be signed by an Eclipse Foundation certificate.

It's not presented as a rule per se, so there's some wiggle room. We should probably harden this.

I don't think that there can be any controversy that a signed artifact must be signed by an EF certificate.

Less clear is how we interpret "technically sensible". My interpretation is that all release artifacts that can be signed, must be signed.

I believe that we can reasonably assert that it's okay for a project's incubation releases to be unsigned. I tend to consider signing to be a requirement for graduation (at the PMC's discretion, of course).


On Mon, Mar 16, 2020 at 1:45 PM Mickael Istria <mistria@xxxxxxxxxx> wrote:
Hi all,

I looked at EDP and couldn't find a reference to Jar signing.
So do I get it right that there is no requirement for artifacts to be signed for a release? More particularly, for a 1st release of an incubating project that just joined, is signing a real requirement or can it be added into a further release?

Thanks in advance.

Mickael Istria
Eclipse IDE developer, for Red Hat Developers


Wayne Beaton

Director of Open Source Projects | Eclipse Foundation, Inc.
