Re: [p2-dev] Making p2 deal with (PGP?) signatures for artifacts in meta

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [p2-dev] Making p2 deal with (PGP?) signatures for artifacts in metadata

From: "Sravan K Lakkimsetti" <sravankumarl@xxxxxxxxxx>
Date: Mon, 25 Jan 2021 14:59:11 +0000
Delivered-to: p2-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/p2-dev/>
List-help: <mailto:p2-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/p2-dev>, <mailto:p2-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/p2-dev>, <mailto:p2-dev-request@eclipse.org?subject=unsubscribe>

Hi,

Here is my proposal for https://www.eclipse.org/lists/p2-dev/msg05910.html

Do not ship 3^rd party artifacts that are available in maven central with our p2 repo.
Have a file listing all the 3^rd party libraries from Maven central. And p2 update (process) should pull 3^rd party bundles from maven central.
For zips(product zips) we should do a PGP sign(we do have infrastructure for this).

Since the product zips do contain 3^rd party bundles(these are unsigned), we can either sign them or do a pgp sign on the zip

We need to do pgp sign where possible.

I hope I am not going too radical way

Thanks

Sravan

Prev by Date: Re: [p2-dev] Making p2 deal with (PGP?) signatures for artifacts in metadata
Next by Date: Re: [p2-dev] [cbi-dev] Eclipse Foundation public PGP key?
Previous by thread: Re: [p2-dev] Making p2 deal with (PGP?) signatures for artifacts in metadata
Next by thread: Re: [p2-dev] [cbi-dev] Eclipse Foundation public PGP key?
Index(es):
- Date
- Thread

Back to the top