Moral: this is not terribly complicated, and it would make ABCL available through another distribution channel. OTOH, I can't hide the fact that - besides my own personal convenience for my shared project - probably no-one is using ABCL in Maven projects right now, and having ABCL released through Maven would complicate its release process, not much for technical reasons but for organizational ones (e.g. who keeps ABCL's GPG key? How is it managed?).
Erik currently maintains the GPG key we use for signing. Does anyone have a model by which we could somehow share it? It might be nice to start "rotating" the responsibility for the releases among the four core committers to help take some work off of Erik's plate.
Yes. The key I use for signing is really my own though: I use it to sign all packages I put up for distribution: usocket (when I last did), cl-irc, ABCL, Subversion, py-configparser and maybe others.
Within the Subversion project we had a discussion about having a project key or not. We considered that a project key would have to be passed from one to another person, increasing chances of the key getting compromised. Also, the process with a single key means single point of failure.
What we considered back then - and are still doing today - is that as many committers as possible sign the release. Each committer signs the variants of the release he/she verified and tested to work well. (There is a tgz and a zip release, exactly like ours, one meant for *nix, the other for Windows).
Having many committers sign each release reduces the dependency on every single one of them, but also allows others to join in and maybe have some of the older contributors flow out. Due to the fact that the core stays the same from one release to another, the signatures are still very well recognizable as "the official Subversion release with its regular signatures".
I'm interested in your opinions (and how this might work with Maven). Do you think this approach would help to lift work off my shoulders? Do you think it's a good idea to make the signatures "mean" anything? Do you think our group of contributors is large enough to start collecting multiple signatures at all?
By the way, I think it's really great that we're actually having this discussion. To me it says something about the maturity of the ABCL project and the attitude of the committers in its community: we're a group dedicated to setting steps in the direction of delivering mature software with solid processes to ensure that our users are getting the quality they deserve.
Bye,
Erik.
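An added example (not from this thread, and not ABCL's or Subversion's own tooling) of the consumer-side check that the multi-signer process described above makes possible: each detached signature is verified against a keyring holding only the committers' keys, and the release is accepted only when at least a threshold of distinct pinned committer fingerprints signed it. The file names, fingerprints, keyring path and threshold are assumptions.

```shell
#!/bin/sh
# Added example: accept a release artefact only when enough distinct
# pinned committer keys have produced a valid detached signature on it.
# Fingerprints below are constructed placeholders; a project would
# publish the real ones out of band (e.g. a KEYS file on the website).
set -u

COMMITTER_FPRS="AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111 \
BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222 \
CCCC3333CCCC3333CCCC3333CCCC3333CCCC3333"
MIN_SIGS=2   # assumed policy: at least two committers must have signed

# count_trusted_sigs: read `gpg --status-fd` output on stdin and print the
# number of distinct pinned fingerprints that produced a VALIDSIG line.
# Unknown keys, BADSIG and EXPKEYSIG lines are simply not counted, so a
# stray or revoked key can never raise the count.
count_trusted_sigs() {
    awk -v pinned="$COMMITTER_FPRS" '
        BEGIN { n = split(pinned, a); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 in ok) { seen[$3] = 1 }
        END { c = 0; for (f in seen) c++; print c }'
}

# verify_release ARTEFACT SIG...: verify every detached signature against
# a dedicated keyring (assumed path ./committers.gpg) that contains only
# committer keys, then apply the threshold. Exit status 0 means accepted.
verify_release() {
    artefact=$1; shift
    for sig in "$@"; do
        gpg --no-default-keyring --keyring ./committers.gpg \
            --status-fd 1 --verify "$sig" "$artefact" 2>/dev/null
    done | count_trusted_sigs | {
        read -r good
        echo "$good trusted signature(s) on $artefact"
        [ "$good" -ge "$MIN_SIGS" ]
    }
}

# Usage (assumed naming, one .asc per signing committer):
#   verify_release abcl-bin-X.Y.Z.zip abcl-bin-X.Y.Z.zip.*.asc
```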