jsr375-experts@javaee-security-spec.java.net

[jsr375-experts] Re: Do milestone 1 release?

From: Werner Keil <werner.keil_at_gmail.com>
Date: Thu, 19 May 2016 16:32:04 +0200

I don't believe so. Anatole self-signed the javax.money artifacts and so
did I (with a dedicated "uom" account but by myself) for javax.measure, so
nothing has to be signed by Oracle even if it may be the Spec Lead.
What Sonatype mandates is that every artifact (JAR, POM) has a .asc file;
the other files Maven generates automatically, if enabled, can't hurt either.
And with the account you intend to use, you need to ask for approval in its
JIRA system to deploy into a particular groupID, but if you are an EG member
that should work. I never heard of Sonatype asking, e.g., to enter the signing
key into a "chain of trust" like you see at Apache.

Kind Regards,
Werner


On Thu, May 19, 2016 at 4:27 PM, arjan tijms <arjan.tijms_at_gmail.com> wrote:

> If we can just add the javax.security and org.glassfish.soteria group ID
> to bintray/jfrog, then sure.
>
> Signing itself is not such an issue, but will just any signature be
> accepted for the sync to Maven central, or does it really check it's a
> registered signature from Oracle?
>
> I think MVC/Ozark just started using TravisCI, so for consistency we might
> want to stick with that then.
>
> Kind regards,
> Arjan Tijms
>
> On Thu, May 19, 2016 at 4:22 PM, Werner Keil <werner.keil_at_gmail.com>
> wrote:
>
>> Having these kinds of repos we could also automatically push the
>> snapshots to JFrog from a CI server.
>> Either TravisCI or CircleCI (which just got ~18 million $ in VC funding, so they
>> hopefully won't go away that soon ;-) look good for that.
>>
>> Werner
>>
>>
>> On Thu, May 19, 2016 at 4:20 PM, Werner Keil <werner.keil_at_gmail.com>
>> wrote:
>>
>>> Anybody is welcome in the Bintray community. Being there allows you to
>>> publish to bintray.com and JCenter. Maybe fewer (because you need to
>>> sign the artifacts etc.) could then also sync important builds to
>>> MavenCentral, but it may even be a first important step to have SNAPSHOTs
>>> on https://oss.jfrog.org/artifactory/oss-snapshot-local/javax/
>>> ("security" not there yet)
>>>
>>> Werner
>>>
>>>
>>> On Thu, May 19, 2016 at 4:16 PM, arjan tijms <arjan.tijms_at_gmail.com>
>>> wrote:
>>>
>>>> On Thu, May 19, 2016 at 4:14 PM, Werner Keil <werner.keil_at_gmail.com>
>>>> wrote:
>>>>
>>>>> Btw, I noticed when referring to the JSR 375 Twitter account, it's not
>>>>> overly busy nor does it have many followers. Who maintains it or created it?
>>>>>
>>>>
>>>> It's not me, wasn't it Rudy?
>>>>
>>>>> On Thu, May 19, 2016 at 4:11 PM, Werner Keil <werner.keil_at_gmail.com>
>>>>> wrote:
>>>>>
>>>>>> You may need to prove and point to being an EG member, either via
>>>>>> jcp.org (the "source of truth" on that) or, if they want, via the GitHub
>>>>>> organization. That should be enough. Even in JSRs with a "less busy" Spec
>>>>>> Lead than most of the EE ones right now, it is perfectly fine to have other
>>>>>> committers and EG members help with that.
>>>>>>
>>>>>> Regards,
>>>>>> Werner
>>>>>>
>>>>>>
>>>>>> On Thu, May 19, 2016 at 4:08 PM, arjan tijms <arjan.tijms_at_gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> On Thu, May 19, 2016 at 3:53 PM, Werner Keil <werner.keil_at_gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Bintray not only hosts a large Maven repo (JCenter), it can also sync
>>>>>>>> with MavenCentral (there you need another account, but it should not be
>>>>>>>> limited to the Spec Lead; members of the EG usually qualify).
>>>>>>>>
>>>>>>>
>>>>>>> I wonder, does it accept artifacts for the javax.* group IDs? Would
>>>>>>> you not somehow need to prove you are indeed associated with javax.* and
>>>>>>> have the authorization to publish?
>>>>>>>
>>>>>>> Without that I guess everyone would be able to claim say javax.foo,
>>>>>>> and sync that to Maven central, blocking or severely confusing the
>>>>>>> integrity of that (parent) group ID?
>>>>>>>
>>>>>>> Kind regards,
>>>>>>> Arjan Tijms
>>>>>>>
>>>>>>>> Doing that with JSR 363 on a regular basis, and with other JSRs like 354,
>>>>>>>> though there it's mostly done by Anatole (because he set up automatic
>>>>>>>> signing for MavenCentral).
>>>>>>>>
>>>>>>>> BinTray/JCenter require all projects to have source JARs; if
>>>>>>>> synchronized with MavenCentral, one should also sign the JARs and everything
>>>>>>>> else with .asc files.
>>>>>>>>
>>>>>>>> Besides that, Bintray also hosts all sorts of other artifacts,
>>>>>>>> Vagrant or Docker containers just to name a few, which might come in handy
>>>>>>>> to some JSRs, e.g. for ready-to-use demos or distributions of Soteria on
>>>>>>>> preferred app servers ;-D
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>>
>>>>>>>> Werner
>>>>>>>>
>>>>>>>>
>>>>>>>> On Thu, May 19, 2016 at 2:45 PM, arjan tijms <arjan.tijms_at_gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> Soteria and JSR 375 have been in development for quite some time at
>>>>>>>>> 1.0-m01-SNAPSHOT.
>>>>>>>>>
>>>>>>>>> Although we didn't set specific goals for each milestone, it may
>>>>>>>>> be a good idea to release what we have now as 1.0-m01 and set the next
>>>>>>>>> version to 1.0-m02-SNAPSHOT.
>>>>>>>>>
>>>>>>>>> While updating the pom files is mostly trivial, it would make
>>>>>>>>> sense to actually have version 1.0-m01 available in Maven central. This
>>>>>>>>> will make it much easier for people to experiment with this milestone and
>>>>>>>>> provide us with feedback.
>>>>>>>>>
>>>>>>>>> For this deployment we need someone from Oracle, as they own the
>>>>>>>>> group IDs that we use.
>>>>>>>>>
>>>>>>>>> So:
>>>>>>>>>
>>>>>>>>> 1. What does everyone think about releasing a 1.0-m01?
>>>>>>>>> 2. Alex, or Will, can either of you do the deployment to Maven
>>>>>>>>> central?
>>>>>>>>>
>>>>>>>>> Kind regards,
>>>>>>>>> Arjan Tijms
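Two practical points from the thread are worth turning into checks: Sonatype requires a detached .asc next to every JAR and POM, and (as Werner notes) nobody ties the signing key into a chain of trust, so a valid signature on Central proves only that some key signed the file. The following is an added example written for this page, not code from the JSR 375, Soteria or Sonatype projects. It does two things: a pre-deploy lint of a local Maven staging directory (every .jar/.pom has a non-empty .asc, and any .sha1/.md5 sidecar actually matches its file), and a consumer-side check that parses `gpg --status-fd 1 --verify` status output and accepts a signature only if it was made by a pinned fingerprint. The group/artifact coordinates, the jar bytes, the sidecar contents and the gpg status lines are all constructed placeholders; the only real conventions relied on are Maven's `<file>.asc` / `.sha1` / `.md5` sidecar naming and gpg's `[GNUPG:] VALIDSIG` status line.

```python
"""Pre-deploy lint for a Maven staging dir, plus key pinning on gpg status output.

Added example for this thread, not project code. Assumes the standard Maven
repository layout (artifact + .asc/.sha1/.md5 sidecars in the same directory)
and gpg's machine-readable status lines; everything below is constructed.
"""
import hashlib
import os
import tempfile

SIGNED_EXTENSIONS = (".jar", ".pom")           # must carry a detached .asc
CHECKSUM_ALGOS = {".sha1": "sha1", ".md5": "md5"}  # optional, but must match


def _digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_staging_dir(root):
    """Return a sorted list of (problem, relative-path); empty means deployable.

    missing-signature: .jar/.pom without a sibling .asc
    empty-signature:   .asc present but zero bytes (a common maven-gpg misconfig)
    checksum-mismatch: .sha1/.md5 sidecar content does not match the file
    """
    problems = []
    for dirpath, _dirs, files in os.walk(root):
        present = set(files)
        for name in files:
            if not name.endswith(SIGNED_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name + ".asc" not in present:
                problems.append(("missing-signature", rel))
            elif os.path.getsize(path + ".asc") == 0:
                problems.append(("empty-signature", rel))
            for ext, algo in CHECKSUM_ALGOS.items():
                if name + ext in present:
                    with open(path + ext) as f:
                        expected = f.read().split()[0].lower()  # "<hex> [filename]"
                    if expected != _digest(path, algo):
                        problems.append(("checksum-mismatch", rel + ext))
    return sorted(problems)


def signing_fingerprints(status_lines):
    """Fingerprints from gpg --status-fd VALIDSIG lines.

    Field 1 after VALIDSIG is the signing (sub)key fingerprint, the last field
    the primary key fingerprint. No VALIDSIG line (BADSIG, NO_PUBKEY, ...) -> empty.
    """
    fprs = set()
    for line in status_lines:
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            fprs.add(parts[2].upper())
            fprs.add(parts[-1].upper())
    return fprs


def signature_trusted(status_lines, pinned_fingerprints):
    """True only if gpg reported VALIDSIG and the key is one we pinned.

    Central requires the .asc to exist but does not vouch for who owns the key,
    so the consumer has to pin the expected fingerprint (spaces tolerated).
    """
    pinned = {p.replace(" ", "").upper() for p in pinned_fingerprints}
    return bool(signing_fingerprints(status_lines) & pinned)


# Constructed gpg status output for a successful verification (not real keys).
SAMPLE_GPG_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 99990000AAAABBBB Example Signer <signer@example.org>",
    "[GNUPG:] VALIDSIG 1111222233334444555566667777888899990000 2016-05-19 "
    "1463668324 0 4 0 1 8 00 AAAABBBBCCCCDDDDEEEEFFFF0000111122223333",
]
PINNED_RELEASE_KEY = "AAAA BBBB CCCC DDDD EEEE FFFF 0000 1111 2222 3333"  # placeholder


def demo():
    """Build a constructed staging layout (placeholder coordinates) and lint it."""
    root = tempfile.mkdtemp(prefix="staging-")
    base = os.path.join(root, "javax", "security", "example-api", "1.0-m01")
    os.makedirs(base)
    jar = os.path.join(base, "example-api-1.0-m01.jar")      # signed, good sha1
    with open(jar, "wb") as f:
        f.write(b"PK\x03\x04constructed-jar-bytes")
    with open(jar + ".asc", "w") as f:
        f.write("-----BEGIN PGP SIGNATURE-----\n(constructed)\n-----END PGP SIGNATURE-----\n")
    with open(jar + ".sha1", "w") as f:
        f.write(_digest(jar, "sha1") + "  example-api-1.0-m01.jar\n")
    pom = os.path.join(base, "example-api-1.0-m01.pom")      # unsigned, stale md5
    with open(pom, "w") as f:
        f.write("<project/>\n")
    with open(pom + ".md5", "w") as f:
        f.write("d41d8cd98f00b204e9800998ecf8427e\n")  # md5 of "", not of the pom
    return check_staging_dir(root)


if __name__ == "__main__":
    for problem, path in demo():
        print(problem, path)
    print("pinned key ok:", signature_trusted(SAMPLE_GPG_STATUS, [PINNED_RELEASE_KEY]))
```

Point `check_staging_dir` at the local repository path you are about to deploy from and refuse to deploy on a non-empty result; on the consuming side, feed `signature_trusted` the lines from `gpg --status-fd 1 --verify artifact.jar.asc artifact.jar` with the fingerprint you obtained out of band from the project, since neither the .asc itself nor Central tells you whose key it is.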