My project has an indirect build dependency on something that uses JDOM, and we do signature trust verification of all the artifacts used in our builds. We were hoping the committer(s) on this project might be willing to commit a KEYS file containing the PGP keys used to sign artifacts that end up in Maven Central as a means of verifying the keys are the right ones, as Central doesn't do any such checking.
It's a simple step, but has a lot of security benefit.
Thanks for your consideration.
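What checking an artifact against a committed KEYS file looks like on the consumer side, as an added example that is not part of the original issue and not JDOM project code. It assumes GnuPG 2.x is on the PATH; the function name `verify_artifact` and the file names passed to it are hypothetical.

```shell
#!/bin/sh
# Added example: accept a detached signature only if it was made by a key
# listed in the project's KEYS file. Nothing here is JDOM's own tooling.

# verify_artifact KEYS_FILE ARTIFACT SIGNATURE
# Prints the signer's primary-key fingerprint and returns 0 only when the
# signature is good and the signing key is present in KEYS_FILE.
verify_artifact() {
    keys=$1 artifact=$2 sig=$3

    # Throwaway keyring: keys already in ~/.gnupg, or fetched from a key
    # server by key ID, play no part in the decision.
    home=$(mktemp -d) || return 2
    chmod 700 "$home"

    if ! gpg --homedir "$home" --batch --quiet --import "$keys" 2>/dev/null; then
        rm -rf "$home"
        return 2
    fi

    # Machine-readable status lines go to stdout; a signature from a key that
    # is not in KEYS_FILE makes gpg exit non-zero (no public key).
    status=$(gpg --homedir "$home" --batch --status-fd 1 \
                 --verify "$sig" "$artifact" 2>/dev/null) || {
        rm -rf "$home"
        return 1
    }
    rm -rf "$home"

    # GOODSIG is not emitted for expired or revoked keys; VALIDSIG carries
    # the fingerprint, with the primary key's fingerprint as its last field.
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    printf '%s\n' "$status" |
        awk '$2 == "VALIDSIG" { print $NF; found = 1 } END { exit !found }'
}
```

The printed fingerprint can additionally be compared with a value pinned in the build configuration, so that a later change to the KEYS file itself is noticed.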