Bug 325039

Summary: Should sign all builds and bundles
Product: [WebTools] WTP Releng Reporter: David Williams <david_williams>
Component: releng Assignee: David Williams <david_williams>
Status: RESOLVED FIXED QA Contact: David Williams <david_williams>
Severity: normal    
Priority: P3    
Version: 3.10   
Target Milestone: 3.10.0   
Hardware: PC   
OS: Windows 7   
Whiteboard:

Description David Williams CLA 2010-09-11 19:35:37 EDT
All builds we "promote" anyway. 

One problem is that once a jar is produced, and put in a p2 repo, if the version (even qualifier) doesn't change, then the new jar won't be "pulled" from the repo if it already exists. So, if someone has been "installing" from weekly I builds, then they would not pick up signed versions once we moved to S builds. 

Another, of course, is that some would say it's better to make each build, at least each build we test and promote, as much like the final build as possible. 

Also, we should sign test bundles too, since we make those available in our repos. Even though not widely downloaded, those that do (e.g. committers) deserve the same security protection that signing affords. 

All this signing will add considerable overhead to each build, so long term, we may want another type of "continuous build" (similar to old-fashioned nightly) that are not signed ... but we need to make sure those are never promoted ... and then switch to I builds only on Thursdays (Wednesday evenings). 

For now, I'm going to simply turn on signing for I-builds and tests.

Comment 1 David Williams CLA 2011-05-25 22:31:33 EDT
Doesn't seem like that much overhead ... we'll just always sign.
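
Added example, not part of the bug report or of WTP's release engineering scripts: a promotion check for the two risks the description raises, unsigned jars in a repo about to be promoted, and jars that were unsigned in an earlier repo and are signed in a later one under the same file name, which an existing install would not re-pull. It assumes the jar file name encodes `id_version.qualifier`; the bundle names and repo layout are constructed, and the check only looks for signature entries under `META-INF/` (use `jarsigner -verify` to validate them).

```python
import re
import tempfile
import zipfile
from pathlib import Path

SIG_FILE = re.compile(r"^META-INF/[^/]+\.SF$", re.I)
SIG_BLOCK = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$", re.I)

def has_signature_files(jar_path):
    """True if a .SF file and a .RSA/.DSA/.EC block sit under META-INF/ (presence only)."""
    with zipfile.ZipFile(jar_path) as jar:
        names = jar.namelist()
    return any(SIG_FILE.match(n) for n in names) and any(SIG_BLOCK.match(n) for n in names)

def signing_report(repo_dir):
    """Map each jar path (relative to repo_dir) to True if it looks signed."""
    root = Path(repo_dir)
    return {p.relative_to(root).as_posix(): has_signature_files(p)
            for p in sorted(root.rglob("*.jar"))}

def unsigned_jars(repo_dir):
    """Jars that should block promotion of this repo."""
    return sorted(n for n, ok in signing_report(repo_dir).items() if not ok)

def stale_unsigned(earlier_repo, later_repo):
    """Same file name (assumed to encode id_version.qualifier): unsigned earlier, signed later."""
    earlier, later = signing_report(earlier_repo), signing_report(later_repo)
    return sorted(n for n, ok in later.items() if ok and earlier.get(n) is False)

def write_jar(path, signed):
    """Build a constructed sample jar; the signature entries are dummy bytes."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if signed:
            jar.writestr("META-INF/SAMPLE.SF", "Signature-Version: 1.0\n")
            jar.writestr("META-INF/SAMPLE.RSA", b"constructed placeholder")

def demo():
    """Constructed I-build and S-build repos with hypothetical bundle names."""
    with tempfile.TemporaryDirectory() as tmp:
        i_repo, s_repo = Path(tmp, "I-build"), Path(tmp, "S-build")
        write_jar(i_repo / "plugins/org.example.core_1.0.0.v20100911.jar", signed=False)
        write_jar(s_repo / "plugins/org.example.core_1.0.0.v20100911.jar", signed=True)
        write_jar(s_repo / "plugins/org.example.tests_1.0.0.v20100915.jar", signed=False)
        return stale_unsigned(i_repo, s_repo), unsigned_jars(s_repo)

if __name__ == "__main__":
    print(demo())
```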