ant-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 43162] - Verification for Microsoft Windows incompletely described
Date Mon, 03 Sep 2007 10:08:14 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=43162>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=43162





------- Additional Comments From stevel@apache.org  2007-09-03 03:08 -------
-as the others said, we have nothing against winxp users, though win9x was such
a source of support calls that it is no longer supported. My laptop runs Windows XP.

1. What you don't get with Windows is the toolchain for md5 and sha1 sum checking
out of the box. On Linux you can do sha1sum and md5sum to check the hash value of
any binary against a version picked up from a trusted location (such as Apache
https server), or get ant from a trusted distribution.

2. Windows is very good at verifying Microsoft code (and updating it on demand),
but mediocre for validating binaries of others, or for keeping them up to date.
Hence every Windows app you install adds a little auto updater applet to slow
down your machine, merely to keep Adobe, Sun, Real, Apple, etc apps up to date.

3. A .cab file would require the tooling to create and sign the cab on all
platforms we build ant on, as we cannot require the release manager to run
Windows. It would also need a key that is trusted by the user, meaning Apache
would need to become its own CA and get Microsoft to (a) trust it and (b) add it
to the list of trusted sources. Or each project pays $500/year to get a VeriSign
code signing license. It would also require us to test a new distribution
format, which can only be done on Windows systems, which complicates the release
process more.

The effect of producing cab files would require the annual outlay of code
signing certificates, and the release manager to have a Windows VMware image to
validate the file, if not generate it. Much easier to improve the documentation
on how to validate the file.

Note that GnuPG, http://www.gnupg.org/download/ can verify signatures; it has a
command line, doesn't need registration, etc. We should cover this in the
documentation.

-Steve



So no, no new cab file. 
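
The hash check from point 1 of the message, as an added example (not part of the original message and not Ant's own tooling): a portable stand-in for md5sum/sha1sum that compares a download against the text of a published checksum file. It goes beyond the message by also accepting SHA-256 and SHA-512 digests; the accepted checksum-file layouts and all function names are assumptions.

```python
import hashlib
import hmac
import re
import sys

# Hex digest length -> hashlib name. md5/sha1 are the ones the message names;
# sha256/sha512 are added here as a generalization.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def parse_checksum_text(text):
    """Extract (algorithm, hex_digest) from the text of a checksum file.

    Accepts a bare digest, the "digest  name" / "digest *name" layout written
    by md5sum and sha1sum, and the "ALGO (name) = digest" layout.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        bsd = re.match(r"^\w[\w-]*\s*\(.*\)\s*=\s*([0-9A-Fa-f]+)$", line)
        token = (bsd.group(1) if bsd else line.split()[0]).lower()
        if re.fullmatch(r"[0-9a-f]+", token) and len(token) in ALGO_BY_HEX_LEN:
            return ALGO_BY_HEX_LEN[len(token)], token
    raise ValueError("no recognisable digest in checksum text")


def file_digest(path, algorithm, chunk_size=1 << 16):
    """Hash a file in chunks so large archives are not read into memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, checksum_text):
    """Return True only if the file's digest equals the published one."""
    algorithm, expected = parse_checksum_text(checksum_text)
    return hmac.compare_digest(file_digest(path, algorithm), expected)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: verify.py <downloaded-file> <checksum-file>")
    with open(sys.argv[2], encoding="ascii", errors="replace") as f:
        ok = verify_download(sys.argv[1], f.read())
    print("OK" if ok else "MISMATCH")
    sys.exit(0 if ok else 1)
```

A match only shows the file equals what the checksum file describes, so the checksum text has to come from the trusted location the message refers to, not from the same mirror as the download.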
