Re: [eclipse.org-architecture-council] Is jar signing mandatory?
2. this is not mandatory for projects, i.e., as long as no contributor in a project cares about such certificates of origin enough to contribute the build routine to produce them in the project, I see no point in making this mandatory to other project contributors.
I disagree, because the output from Eclipse projects is a
reflection on all of us. If a major and public security kerfuffle
occurred because of a project that decided that they did not want
to sign a release artifact that could be signed, it would reflect
badly on our entire community.
Executive Director | Eclipse Foundation, Inc.