Re: [p2-dev] Making p2 deal with (PGP?) signatures for artifacts in metadata



Here is my proposal for


  1. Do not ship 3rd party artifacts that are available in Maven Central with our p2 repo.
  2. Have a file listing all the 3rd party libraries from Maven Central. And p2 update (process) should pull 3rd party bundles from Maven Central.
  3. For zips (product zips) we should do a PGP sign (we do have infrastructure for this).
    1. Since the product zips do contain 3rd party bundles (these are unsigned), we can either sign them or do a PGP sign on the zip.
  4. We need to do PGP sign where possible.


I hope I am not going too radical a way.







