Lars,
I think the AC is the better body to discuss this. I've added it to the agenda for our call today.
FWIW, I believe as long as there are projects consuming Orbit it will exists. However, one of the goals for EBR was always to be able to consume Maven artifacts within the same reactor build. Thus, these are great new features in Tycho.
It lacks a few features with regards to generating high quality manifests. Maybe EBR recipes can be fetched dynamically as templates and taken into account when generating the bundles?
From a legal perspective ... the about/ip information needs to be added. But I'm not sure this is still a strong requirements. We don't do this for dependencies in other ecosystems (eg., _javascript_ NPM). Thus, we might be able to lift that.
With regards to signing this is a grey area. My current thinking is that once artifacts are no longer consumed from
Eclipse.org they must not be signed with an
Eclipse.org certificate. But I don't see any issue with distributing unsigned 3rd party content in the same way Maven Central distributes jars (hash validation and TLS transfer).
-Gunnar