|Re: [p2-dev] Making p2 deal with (PGP?) signatures for artifacts in metadata|
The EDP, not just SimRel, mandates this:
Signing is a certification of origin that follows the artifact around no matter where it goes...
I think before we talk about a technical solution we should validate the assumption that consumers don't actually care about signing and that the Foundation is okay with changing the rules about it. I say that because a p2 solution that is just an install-time solution, like a fancy checksum, rather than a run time solution, has implications for consumers.
I think the premise that it will be okay not to ship signed jars should be verified first.