The previous one was a bit strict on the whitespace
my god what is happening?
Jim
If you don't have a key yet, generate one with `gpg --gen-key`. The
default settings are pretty good, though I'd recommend making it expire
in a year or two. Next find your key ID. It's the 8-character part after
the slash on the line beginning with "pub":
Then you can show it with `gpg --export -a $KEY_ID`.
The Releases repository is the final missing piece of the puzzle for a
final release of Leiningen 2. But the time isn't yet right because
version 2 will only check Central and the Clojars Releases repo by
default. So since the new Releases repo only has a handful of jars, it
would be a jarring transition to switch at this point. That's why we're
hoping library maintainers can do what's necessary to ensure their
libraries make it into the new repository.
Perhaps it would be helpful if you could explain in more detail what it
is about the provided explanation that you found confusing?
If you turn off :sign-releases inside your :repositories entry when
deploying libraries everything will work for you as before. But your
libraries won't qualify for the Releases repo in this case. So once your
users upgrade to Leiningen 2.0.0 they will have to include a separate
:repositories entry for the classic repo to indicate that they are OK
with pulling in dependencies that don't meet the higher standards of the
new repo.
Indeed, the root problem is this notion that you can be a professionalsoftware developer and remain ignorant of how public-key crypto works.
So collecting improved documentation and educational resources is going
to need to be a priority. I'll do what I can to put together good general
resources but will need help covering systems like Windows and OS X that
make things more difficult.
Yeah, we intended to use that originally, but Bouncy Castle's PGPsupport is awful beyond words. It's effectively undocumented, and the
classes it exposes really only make sense if you have the OpenPGP RFC
memorized.
Someone who writes software for a livingwithout understanding how to securely share secrets over email *and is
perfectly happy with that fact* is doing something wrong.
That's actually illegal to do with OS X.
Windows isn't that we don't know what's broken; it's that nobody withthe skills to fix it has volunteered to help.
--
You received this message because you are subscribed to the Google
Groups "Clojure" group.
To post to this group, send email to clo...@googlegroups.com
Note that posts from new members are moderated - please be patient with your first post.
To unsubscribe from this group, send email to
clojure+u...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en
--
If you turn off :sign-releases inside your :repositories entry when
deploying libraries everything will work for you as before. But your
libraries won't qualify for the Releases repo in this case. So once your
users upgrade to Leiningen 2.0.0 they will have to include a separate
:repositories entry for the classic repo to indicate that they are OK
with pulling in dependencies that don't meet the higher standards of the
new repo.
--
Sorry for the inconvenience.
On Sun, Nov 18, 2012 at 5:56 AM, Phil Hagelberg <ph...@hagelb.org> wrote:If you don't have a key yet, generate one with `gpg --gen-key`. The
default settings are pretty good, though I'd recommend making it expire
in a year or two. Next find your key ID. It's the 8-character part after
the slash on the line beginning with "pub":As I said at the conj, I'm looking forward to the documentation explaining how to install and use gpg since it's not provided by default on either Mac OS X or Windows.Then you can show it with `gpg --export -a $KEY_ID`.$KEY_ID? (again, as I noted at the conj, without good documentation on the Leiningen site for this, folks won't necessarily know what this is or why they need to do all of this, especially the web of trust stuff you discussed and key exchanges / publishing etc).