jsr375-experts@javaee-security-spec.java.net

[jsr375-experts] Re: Do milestone 1 release?

From: Werner Keil <werner.keil_at_gmail.com>
Date: Thu, 19 May 2016 19:15:48 +0200

Ok sent you an invite.

Werner Keil | JCP Executive Committee Member, JSR 363 Co Spec Lead |
Eclipse UOMo Lead, Babel Language Champion | Apache Committer

Twitter @wernerkeil | @UnitAPI | @JSR354 | @AgoravaProj | @DeviceMap
| #DevOps | #EclipseUOMo
Skype werner.keil | Google+ gplus.to/wernerkeil



On Thu, May 19, 2016 at 7:08 PM, Ivar Grimstad <ivar.grimstad_at_gmail.com>
wrote:

> Hi Werner,
>
> My bintray account is ivargrimstad or ivar.grimstad_at_gmail.com
>
> Ivar
>
> On Thu, May 19, 2016 at 4:32 PM Werner Keil <werner.keil_at_gmail.com> wrote:
>
>> I don't believe so. Anatole self-signed the javax.money artifacts and so
>> did I (with a dedicated "uom" account but by myself) for javax.measure, so
>> nothing has to be signed by Oracle even if it may be the Spec Lead.
>> What Sonatype mandates is that every artifact (JAR, POM) has a .asc file,
>> the others automatically generated by Maven if enabled also can't hurt.
>> And with the account you intend to use, you need to ask for approval in
>> its JIRA system to deploy into a particular groupID, but if you are EG
>> member that should work. I never heard Sonatype ask e.g. to enter the
>> signing key into a "chain of trust" like you see at Apache.
>>
>> Kind Regards,
>> Werner
>>
>>
>> On Thu, May 19, 2016 at 4:27 PM, arjan tijms <arjan.tijms_at_gmail.com>
>> wrote:
>>
>>> If we can just add the javax.security and org.glassfish.soteria group ID
>>> to bintray/jfrog, then sure.
>>>
>>> Signing itself is not such an issue, but will just any signature be
>>> accepted for the sync to Maven central, or does it really check it's a
>>> registered signature from Oracle?
>>>
>>> I think MVC/Ozark just started using TravisCI, so for consistency we
>>> might want to stick with that then.
>>>
>>> Kind regards,
>>> Arjan Tijms
>>>
>>>
>>>
>>>
>>>
>>> On Thu, May 19, 2016 at 4:22 PM, Werner Keil <werner.keil_at_gmail.com>
>>> wrote:
>>>
>>>> Having these kinds of repos we could also automatically push the
>>>> snapshots to JFrog from a CI server.
>>>> Either TravisCI or CircleCI (just got ~18 Mio. $ VC funding, so they
>>>> hopefully won't go away that soon;-) look good for that.
>>>>
>>>> Werner
>>>>
>>>>
>>>> On Thu, May 19, 2016 at 4:20 PM, Werner Keil <werner.keil_at_gmail.com>
>>>> wrote:
>>>>
>>>>> Anybody is welcome in the Bintray community. Being there allows you to
>>>>> publish to bintray.com and JCenter. Maybe fewer (because you need to
>>>>> sign the artifacts etc.) could then also sync important builds to
>>>>> MavenCentral, but it may even be a first important step to have SNAPSHOTs
>>>>> on https://oss.jfrog.org/artifactory/oss-snapshot-local/javax/
>>>>> ("security" not there yet)
>>>>>
>>>>> Werner
>>>>>
>>>>>
>>>>> On Thu, May 19, 2016 at 4:16 PM, arjan tijms <arjan.tijms_at_gmail.com>
>>>>> wrote:
>>>>>
>>>>>> On Thu, May 19, 2016 at 4:14 PM, Werner Keil <werner.keil_at_gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Btw, I noticed when referring to the JSR 375 Twitter account, it's
>>>>>>> not overly busy nor does it have many followers. Who maintains it or
>>>>>>> created it?
>>>>>>>
>>>>>>
>>>>>> It's not me, wasn't it Rudy?
>>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Thu, May 19, 2016 at 4:11 PM, Werner Keil <werner.keil_at_gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> You may need to prove and point to being an EG member, either to
>>>>>>>> jcp.org (the "source of truth" on that) or if they want the GitHub
>>>>>>>> organization. That should be enough. Even in JSRs with a "less busy" Spec
>>>>>>>> Lead than most of the EE ones right now, it is perfectly fine to have other
>>>>>>>> committers and EG members help with that.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Werner
>>>>>>>>
>>>>>>>>
>>>>>>>> On Thu, May 19, 2016 at 4:08 PM, arjan tijms <arjan.tijms_at_gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> On Thu, May 19, 2016 at 3:53 PM, Werner Keil <
>>>>>>>>> werner.keil_at_gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Bintray not only hosts a large Maven repo (JCenter) it can (there
>>>>>>>>>> you need another account, but should not need to be Spec Lead only, members
>>>>>>>>>> of the EG usually qualify) sync with MavenCentral.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I wonder, does it accept artifacts for the javax.* group IDs?
>>>>>>>>> Would you not somehow need to prove you are indeed associated with javax.*
>>>>>>>>> and have the authorization to publish?
>>>>>>>>>
>>>>>>>>> Without that I guess everyone would be able to claim say
>>>>>>>>> javax.foo, and sync that to Maven central, blocking or severely confusing
>>>>>>>>> the integrity of that (parent) group ID?
>>>>>>>>>
>>>>>>>>> Kind regards,
>>>>>>>>> Arjan Tijms
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Doing that with JSR 363 on a regular basis and other JSRs like
>>>>>>>>>> 354 though it's mostly done by Anatole (because he set up automatic signing
>>>>>>>>>> for MavenCentral)
>>>>>>>>>>
>>>>>>>>>> BinTray/JCenter require all projects to have source-jars, if
>>>>>>>>>> synchronized with MavenCentral one should also sign the JARs and everything
>>>>>>>>>> else as .asc.
>>>>>>>>>>
>>>>>>>>>> Besides that Bintray also hosts all sorts of other artifacts,
>>>>>>>>>> Vagrant or Docker containers just to name a few, might come in handy to some
>>>>>>>>>> JSRs e.g. for ready to use demos or distributions of Soteria on preferred
>>>>>>>>>> app servers;-D
>>>>>>>>>>
>>>>>>>>>> Cheers,
>>>>>>>>>>
>>>>>>>>>> Werner
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Thu, May 19, 2016 at 2:45 PM, arjan tijms <
>>>>>>>>>> arjan.tijms_at_gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> Soteria and JSR 375 have been in development for quite some time
>>>>>>>>>>> at 1.0-m01-SNAPSHOT.
>>>>>>>>>>>
>>>>>>>>>>> Although we didn't set specific goals for each milestone, it may
>>>>>>>>>>> be a good idea to release what we have now as 1.0-m01 and set the next
>>>>>>>>>>> version to 1.0-m02-SNAPSHOT.
>>>>>>>>>>>
>>>>>>>>>>> While updating the pom files is mostly trivial, it would make
>>>>>>>>>>> sense to actually have version 1.0-m01 available in Maven central. This
>>>>>>>>>>> will make it much easier for people to experiment with this milestone and
>>>>>>>>>>> provide us with feedback.
>>>>>>>>>>>
>>>>>>>>>>> For this deployment we need someone from Oracle, as they own the
>>>>>>>>>>> group IDs that we use.
>>>>>>>>>>>
>>>>>>>>>>> So:
>>>>>>>>>>>
>>>>>>>>>>> 1. What does everyone think about releasing a 1.0-m01?
>>>>>>>>>>> 2. Alex, or Will, can either of you do the deployment to Maven
>>>>>>>>>>> central?
>>>>>>>>>>>
>>>>>>>>>>> Kind regards,
>>>>>>>>>>> Arjan Tijms