|Re: [eclipse.org-architecture-council] Is jar signing mandatory?|
And it's good EDP considers it as such and doesn't mandate it.
_______________________________________________Your assumption that Maven Central gives strong guarantee is IMO inaccurate as we don't even have the guarantee with Maven that a jar comes from Maven Central or somewhere else, one can easily use a mirror or an alternative source as well. p2 has fingerprints as well in metadata and eclipse.org uses https by default nowadays AFAIK. The promotion process in Maven Central isn't much more rich, the only additional thing it can keep track of is more "who published this artifact, who did promote it" in its metadata, but an Eclipse.org project that uses Jenkins to handle those can also keep track of who did what.So IMO, there is no real reasons to trust Maven Central more or less than eclipse.org+p2, so there is no real reason to put more constraint on eclipse.org+p2 than on Maven Central artifacts.So JUnit was a bad example, but what about the other ones? I checked Spring, and artifacts are not signed either, and yet this framework powers a huge part of most Java applications. So that's IMO a counter-example that signing is necessary for adoption.I'm not saying that signing is bad, it's IMO the best way to have some certificate of authenticity indeed; my claim here is that the industry doesn't really need signing, it's a nice-to-have for adoption, not a must-have.And it's good EDP considers it as such and doesn't mandate it.
eclipse.org-architecture-council mailing list
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/eclipse.org-architecture-council
Director of Open Source Projects | Eclipse Foundation, Inc.
Back to the top