Re: [] Is jar signing mandatory?

I disagree as well.  I don't even feel all that comfortable that it's okay for an incubating project to release unsigned p2 artifacts.

I see the overall issue being a balance between the burden on the committers, who are required to take responsibility for all contributions, including those from non-committers, versus the high expectations of the consumers, who, granted, may well be a freetarded freeloader beneath our regard, or could well be another Eclipse project working just as hard.  This is clearly a very unbalanced scale with all the burden on one side and all the benefit on the other.  In the end though, as Mike suggests, Eclipse is a brand, and anything distributed under that brand reflects on everything distributed under that brand.  If a project does not care to deal with all the restrictive rules and all the various onerous processes, perhaps that project would better be hosted where those are completely absent.  Of course we can all clearly see the direction that reasoning is headed: It's all a barrier and a cost.  So it's certainly not unreasonable to ask, why should I care?  But perhaps it's better that as a group we focus on making it easier to conform to the restrictions and focus on streamlining the processes to make them less onerous.  It seems to me that the Foundation staff has helped tremendously in this regard, but they too are overburdened...

I certainly ask myself, why did I spend 5 months herding cats just so that the 2020-03 release has only valid licenses and only signed content? Who cares? Why do I care?

While on the topic of onerous processes, I often ask myself, who is the consumer of my release reviews?  Moreover, as a PMC lead, I often think, oh please, mercy, no, not another release review to approve...  Burden, burden, burden...

On 17.03.2020 23:06, Mike Milinkovich wrote:
On 2020-03-17 5:54 p.m., Mickael Istria wrote:
2. this is not mandatory for projects, i.e., as long as no contributor in a project cares about such certificate of origin enough to contribute the build routine to produce them in the project, I see no point in making this mandatory to other project contributors.

I disagree, because the output from Eclipse projects is a reflection on all of us. If a major and public security kerfuffle occurred because of a project who decided that they did not want to sign a release artifact that could be signed, it would reflect badly on our entire community.


Mike Milinkovich

Executive Director | Eclipse Foundation, Inc.



+1.613.220.3223 (m)
