From: Jody G. <jod...@gm...> - 2010-07-30 05:35:34
|
> Jody, what I mean was not how to create and use GPG keys, but how we manage > keys. For example, do we rely on a web of trust with each developer having > their own signing key or do we have an official GeoTools key, such as that > used by Linux distributions (Fedora ...)? I guess the individual > web-of-trust is the only practical solution for a decentralised community. I think individual developers can sign up for their own key; we have something similar when announcing on freshmeat for example; or uploading to the osgeo server. > Also, should the scm entries point to the GeoTools poms used to build the > packages, or should they in the case of packaging third-party schemas point > to the originating third-party scm? I think the geotools location. For third party schemas (ie ogc) we are still publishing up our take on it (since we often make changes so that it validates). > Thirdly, if I am packaging third-party schemas, do you think it is > appropriate that I use the third-party groupId or org.geotools? If we are > going to maven central I want to very careful to get it just right. I am going to go with org.geotools (since we are the party publishing in this form, and sometimes we hack it up right?). What does it have now? > Kind regards, Thanks for the discussion, Jody |