[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
[platform-dev] Unsigned Content?
|
Has the platform decided to bypass Orbit to produce IUs directly from
some other sources? I'm not sure how the multiple versions of such IUs
on the release train will be (or even can be) coordinated across
projects if the general new approach is that each project produces such
things purely for its own purpose from whatever sources it deems fit.
Also, the artifacts are not signed, which is the reason that I noticed:
https://download.eclipse.org/oomph/archive/reports/download.eclipse.org/eclipse/updates/4.23-I-builds/index.html
Note that once an unsigned version of some specific artifact ID is out
there is the wild (in someone's bundle pool), it's extremely hard to
stamp it out unless a new version with a new artifact ID is created to
supersede it.
Perhaps the platform has decided that PGP signatures are now deemed to
be fully secure and fully feature complete such that signatures are
obsolete? This is not the expectation I have based Planning Council
discussions.