Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [eclipse.org-architecture-council] Is jar signing mandatory?

+1!

Dani



From:        Mike Milinkovich <mike.milinkovich@xxxxxxxxxxxxxxxxxxxxxx>
To:        eclipse.org-architecture-council@xxxxxxxxxxx
Date:        17.03.2020 23:07
Subject:        [EXTERNAL] Re: [eclipse.org-architecture-council] Is jar signing mandatory?
Sent by:        eclipse.org-architecture-council-bounces@xxxxxxxxxxx




On 2020-03-17 5:54 p.m., Mickael Istria wrote:
2. this is not mandatory for projects, ie as long as no contributor in a project cares about such certificate of origin enough to contribute the build routine to produce them in the project, I see no point in making this mandatory to other project contributors.
I disagree, because the output from Eclipse projects is a reflection on all of us. If a major and public security kerfuffle occurred because of a project who decided that they did not want to sign a release artifact that could be signed, it would reflect badly on our entire community.
--

Mike Milinkovich

Executive Director | Eclipse Foundation, Inc.

mike.milinkovich@xxxxxxxxxxxxxxxxxxxxxx

@mmilinkov

+1.613.220.3223 (m)_______________________________________________
eclipse.org-architecture-council mailing list
eclipse.org-architecture-council@xxxxxxxxxxx
To unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/eclipse.org-architecture-council



Back to the top