Closed phxql closed 8 years ago
+1
It would be nice to have something GPG signed and with sha2sum files alongside it as well...
Unfortunately I don't have the GPG key of the Keyczar team :)
@divegeek Does Google have a GPG key to sign binaries?
Also, how do I know the binaries don't contain a special backdoor? (from a paranoid security standpoint)
Good point. You don't.
I just thought it would be nice to have the newest version in the maven repository.
On Wed, Oct 7, 2015 at 10:22 AM Devin Lundberg notifications@github.com wrote:
> @divegeek Does google have a GPG key to sign binaries?
Not that I know of. We could set something like that up, though of course security-wise it would only be as good as your trust in whoever held the key (probably me).
Is version 0.66 really the latest one currently available for maven?
I'd like to see Keyczar synced to Maven Central rather than having to pull from a repository in Google code.
cosmin, what would be involved in syncing with Maven? I'm not familiar with how it works.
Sonatype has a guide for how to sync with central. Basically there are a few requirements. The POM file needs to contain repository URL and the license info. Sources and Javadoc need to be added too if they are not, so it can all be published together. Lastly, releases need to be GPG signed (and there is a maven plugin for that too).
http://central.sonatype.org/pages/ossrh-guide.html
Here is a pull request I created for docopt for maven central sync that illustrates all of these points (although it was never merged and the only version in central is mine).
https://github.com/docopt/docopt.java/pull/6/files
I would be happy to contribute a pull request if there is interest.
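A pre-flight check for the requirements listed in the comment above (repository URL and license in the POM, sources and Javadoc jars, a GPG signature per file), as an added example that is not part of the thread or of Keyczar. The function name, the sample POM, and the mapping of "repository URL" to the POM's `scm/url` element are assumptions made here.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POM for illustration; not Keyczar's real POM.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <licenses><license><name>Apache-2.0</name></license></licenses>
</project>"""


def preflight(pom_xml, files):
    """Return the unmet items from the thread's checklist as a list of strings.

    pom_xml: POM contents; files: names present in the release directory.
    Assumes artifactId and version are set in this POM, not inherited.
    """
    root = ET.fromstring(pom_xml)

    def text(path):
        return (root.findtext(path, default="", namespaces=NS) or "").strip()

    problems = []
    if not text("m:scm/m:url"):
        problems.append("pom: missing repository URL (scm/url)")
    if not text("m:licenses/m:license/m:name"):
        problems.append("pom: missing license info")

    base = f"{text('m:artifactId')}-{text('m:version')}"
    required = [f"{base}.pom", f"{base}.jar",
                f"{base}-sources.jar", f"{base}-javadoc.jar"]
    present = set(files)
    for name in required:
        if name not in present:
            problems.append(f"missing artifact: {name}")
        elif name + ".asc" not in present:
            # Presence only; validity still needs `gpg --verify name.asc name`
            # against a key the consumer already trusts.
            problems.append(f"unsigned: {name} has no {name}.asc")
    return problems
```

A detached `.asc` file only helps a consumer who has obtained the signer's public key through a channel they trust, which is the limitation raised earlier in this thread.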
Yes, a pull request would be very welcome.
On Sat, Apr 30, 2016 at 8:02 PM Cosmin Stejerean notifications@github.com wrote:
> Sonatype has a guide for how to sync with central. Basically there are a few requirements. The Pom file needs to contain repository URL and the license info. Sources and java doc needs to be added too if they are not so it can all be published together. Lastly, releases need to be GPG signed (and there is a maven plugin for that too).
> http://central.sonatype.org/pages/ossrh-guide.html
> Here is a pull request I created for docopt for maven central sync that illustrates all of these points (although it was never merged and the only version in central is mine).
> https://github.com/docopt/docopt.java/pull/6/files
> I would be happy to contribute a pull request if there is interest.
Shawn Willden | Software Engineer | swillden@google.com | 303-709-2258
Hi,
this commit adds a compiled Keyczar 0.71f to the maven repository found in java/maven.