Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [] Is jar signing mandatory?

And it's good EDP considers it as such and doesn't mandate it.

The EDP doesn't mandate the use of any particular technology or service for anything.

I'll reiterate that my (and the EMO's) interpretation is that all release artifacts that can be signed, must be signed.

While in the incubation phase, a project is learning how to be an Eclipse Project. Many invalid intermediate states are acceptable, including not getting around to signing just yet.


On Wed, Mar 18, 2020 at 5:44 AM Mickael Istria <mistria@xxxxxxxxxx> wrote:
Your assumption that Maven Central gives strong guarantee is IMO inaccurate as we don't even have the guarantee with Maven that a jar comes from Maven Central or somewhere else, one can easily use a mirror or an alternative source as well. p2 has fingerprints as well in metadata and uses https by default nowadays AFAIK. The promotion process in Maven Central isn't much more rich, the only additional thing it can keep track of is more "who published this artifact, who did promote it" in its metadata, but an project that uses Jenkins to handle those can also keep track of who did what.
So IMO, there is no real reasons to trust Maven Central more or less than, so there is no real reason to put more constraint on than on Maven Central artifacts.

So JUnit was a bad example, but what about the other ones? I checked Spring, and artifacts are not signed either, and yet this framework powers a huge part of most Java applications. So that's IMO a counter-example that signing is necessary for adoption.

I'm not saying that signing is bad, it's IMO the best way to have some certificate of authenticity indeed; my claim here is that the industry doesn't really need signing, it's a nice-to-have for adoption, not a must-have.
And it's good EDP considers it as such and doesn't mandate it.
_______________________________________________ mailing list
To unsubscribe from this list, visit


Wayne Beaton

Director of Open Source Projects | Eclipse Foundation, Inc.

Back to the top