Re: [eclipse.org-architecture-council] Is jar signing mandatory?

On 2020-03-17 5:54 p.m., Mickael Istria wrote:
> 2. this is not mandatory for projects, i.e. as long as no contributor in a project cares about such certificate of origin enough to contribute the build routine to produce them in the project, I see no point in making this mandatory to other project contributors.

I disagree, because the output from Eclipse projects is a reflection on all of us. If a major and public security kerfuffle occurred because of a project that decided that they did not want to sign a release artifact that could be signed, it would reflect badly on our entire community.

--

Mike Milinkovich

Executive Director | Eclipse Foundation, Inc.

mike.milinkovich@xxxxxxxxxxxxxxxxxxxxxx

@mmilinkov

+1.613.220.3223 (m)

