<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<base href="x-msg://3/">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple style='word-wrap: break-word;
-webkit-nbsp-mode: space;-webkit-line-break: after-white-space'>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Great! Glad the reply helped you and it works for you (hopefully
Ceki will do same :-). (note it is a Sonatype article, not mine!)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Regarding the plugin property names, yes it is a little
misleading with the short name given in the table (it’s actually the
property name in the Java file). The “Parameter Details”
section lists the full property name expression to use; hopefully you
discovered that quickly!<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Thanks for the gpg2 info. I added a little doc note from
your statements:<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><a
href="http://svn.apache.org/viewvc/maven/plugins/trunk/maven-gpg-plugin/src/main/java/org/apache/maven/plugin/gpg/AbstractGpgMojo.java?view=diff&r1=942420&r2=908968&diff_format=u">http://svn.apache.org/viewvc/maven/plugins/trunk/maven-gpg-plugin/src/main/java/org/apache/maven/plugin/gpg/AbstractGpgMojo.java?view=diff&r1=942420&r2=908968&diff_format=u</a><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Also, you shouldn’t need the gpg plugin defined in <dependencyManagement>
as child modules can call profiles of parent. I have only defined the gpg
plugin in the profile section.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Side note - I hadn’t looked at Lilith for awhile as it
didn’t support direct log file use. Very happy to see “…to
support writing of Lilith logfiles using Logback FileAppender”
added! I will change the appender, try it, and hopefully roll out Lilith
for the team. (hmm, sidetracked looking for docs…)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Joern Huxhorn
[mailto:jhuxhorn@googlemail.com] <br>
<b>Sent:</b> Saturday, May 08, 2010 10:15 AM<br>
<b>To:</b> User list for the slf4j project<br>
<b>Cc:</b> Jeff Jensen<br>
<b>Subject:</b> Re: [slf4j-user] Signatures for verifying Slf4j<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<p class=MsoNormal>Hi Jeff,<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>thank you very much for this information and your article! I
wasn't aware of this plugin.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>I just changed my build process for Lilith accordingly.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>See <a
href="http://github.com/huxi/lilith/commit/c2689ee57b263c6a2cb6241547a991703354bc6f">http://github.com/huxi/lilith/commit/c2689ee57b263c6a2cb6241547a991703354bc6f</a><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>I had to jump through some loops, though, since I have gpg2
instead of gpg:<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>The following two properties had to be added to my pom:<o:p></o:p></p>
</div>
<div>
<div>
<p class=MsoNormal><gpg.useagent>true</gpg.useagent><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><gpg.keyname>740A1840</gpg.keyname><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>The first one makes sure that gpg isn't complaining about an
invalid option (--no-use-agent was removed in gpg2) and doesn't ask for a
passphrase anymore.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>This was quite tricky since the documentation of
maven-gpg-plugin says that it's called useAgent, which it isn't!<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>The second one selects the correct key used for the
signature - which is a good idea if you have more than one.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>I wanted to comment on your article but, unfortunately,
comments are disabled.<o:p></o:p></p>
</div>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Cheers,<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>Joern.<o:p></o:p></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<div>
<p class=MsoNormal>On 08.05.2010, at 03:23, Jeff Jensen wrote:<o:p></o:p></p>
</div>
<p class=MsoNormal><br>
<br>
<o:p></o:p></p>
<div>
<div>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>It is best if the artifacts are signed. Sometime in the
near future, Central/Nexus will not accept artifacts without being signed.</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>This would prove the source for you more than the hashes.</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Ceki: you should start signing the release artifacts. It
is very easy - I’ve done it already on a few products and Sonatype has a
very good page describing how. Maven will do it automatically for you:</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><a
href="http://www.sonatype.com/people/2010/01/how-to-generate-pgp-signatures-with-maven">http://www.sonatype.com/people/2010/01/how-to-generate-pgp-signatures-with-maven</a></span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </span><o:p></o:p></p>
</div>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in;
border-width:initial;border-color:initial;z-index:auto'>
<div>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
class=apple-converted-space><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> </span></span><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><a
href="mailto:slf4j-user-bounces@qos.ch">slf4j-user-bounces@qos.ch</a><span
class=apple-converted-space> </span>[mailto:slf4j-user-bounces@qos.ch]<span
class=apple-converted-space> </span><b>On Behalf Of<span
class=apple-converted-space> </span></b>Joern Huxhorn<br>
<b>Sent:</b><span class=apple-converted-space> </span>Friday, May 07, 2010
3:50 AM<br>
<b>To:</b><span class=apple-converted-space> </span>User list for the
slf4j project<br>
<b>Subject:</b><span class=apple-converted-space> </span>Re: [slf4j-user]
Signatures for verifying Slf4j</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>One solution could be the use of signed tags for SLF4J and
Logback.<o:p></o:p></p>
</div>
<div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<div>
<div>
<p class=MsoNormal>That way it would be possible to pull the git repository,
check the signature of the tag and build SLF4J and Logback yourself afterwards.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=MsoNormal>I think the MD5 and SHA1 of Maven repository are merely a
way to prevent corrupted files, not an actual security feature.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=MsoNormal>Cheers,<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=MsoNormal>Joern.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class=MsoNormal>On 07.05.2010, at 09:26, Elisha Ebenezer wrote:<o:p></o:p></p>
</div>
</div>
<div>
<p class=MsoNormal><br>
<br>
<br>
<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>Hi Ceki,<br>
I'm trying to push to use Slf4j and logback in our project and my company
wants me to get the MD5 or SHA1 hashes or the code-signing certs to verify the
integrity of downloaded files.<br>
<br>
Though<span class=apple-converted-space> </span><a
href="http://repo1.maven.org/">repo1.maven.org</a><span
class=apple-converted-space> </span>site provides the hashes, we are not
sure whether the war and the hash are uploaded by genuine party or not.<br>
<br>
As you are the owner of the project, I request you to kindly publish the hashes
or certs on website's download page.. which can be cross-checked with the
downloaded war and/or also with the maven repository.<br>
<br>
Kindly do the needful and oblige.<br>
<br>
Thanks,<br>
Elisha Ebenezer. _______________________________________________<br>
slf4j-user mailing list<br>
<a href="mailto:slf4j-user@qos.ch">slf4j-user@qos.ch</a><br>
<a href="http://qos.ch/mailman/listinfo/slf4j-user">http://qos.ch/mailman/listinfo/slf4j-user</a><o:p></o:p></p>
</div>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
</div>
</div>
</div>
<p class=MsoNormal>_______________________________________________<br>
slf4j-user mailing list<br>
<a href="mailto:slf4j-user@qos.ch">slf4j-user@qos.ch</a><br>
<a href="http://qos.ch/mailman/listinfo/slf4j-user">http://qos.ch/mailman/listinfo/slf4j-user</a><o:p></o:p></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</body>
</html>