From: Stefan Bodewig
To: dev@ant.apache.org
Subject: Re: Publishing metalinks on the download page
Date: Fri, 04 Sep 2009 06:25:23 +0200
Message-ID: <874orjqqto.fsf@v35516.1blu.de>
In-Reply-To: <1251998369.4936.128.camel@owl> (Bram Neijt's message of "Thu, 03 Sep 2009 19:19:29 +0200")
References: <1251817280.6797.17.camel@owl> <87tyzko1pp.fsf@v35516.1blu.de> <1251983041.4336.22.camel@owl> <87r5uot6xr.fsf@v35516.1blu.de> <1251998369.4936.128.camel@owl>
List: Ant Developers List (dev@ant.apache.org)

On 2009-09-03, Bram Neijt wrote:

> On Thu, 2009-09-03 at 16:54 +0200, Stefan Bodewig wrote:
>> Do I trust the download client? ;-;

> I trust my download client, just as much as I trust my md5sums
> binary ;).

Agreed.

>> If my understanding is correct it would also allow me to create a trojan
>> distribution of some software if I manage to create MD5 checksums that
>> match the original distribution

> You are correct, a well funded bad-guy would be able to do so creating a
> hash collision on MD5 or any other kind of verification method you can
> muster. A really well-funded bad-guy would be better off becoming a
> dictator, and taking control of most of the countries' DNS servers.

Maybe. But the amount of funds required is very different. If MD5 was
the only checksum I'm pretty sure my notebook would be able to create a
zip or tar with matching checksums in a few hours.

> That said, you could host your own metalink with only one or two
> mirrors; anybody using aria2c, for example, would no longer be required
> to hand-check the digest after download.

The way we create the download page could probably be used to create a
metalink XML file as well (i.e. an XML file that contained exactly the
same mirrors that are shown on the download page).

I don't have a strong opinion on whether we want to do that. Others?

Stefan

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ant.apache.org
For additional commands, e-mail: dev-help@ant.apache.org
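The two things discussed in the message above, generating a metalink that lists the same mirrors as the download page and letting the download client check the digest instead of the user, as an added example. This is not Ant project code and not something Stefan or Bram posted; it builds a Metalink 4 document (RFC 5854, namespace urn:ietf:params:xml:ns:metalink) with Python's standard library and then verifies a file against it. The file name, the mirror URLs and the archive bytes are constructed for the example, and the policy of refusing to trust a metalink that lists only MD5 or SHA-1 (the `WEAK` set and the `allow_weak` switch) is a design choice of this example, not part of the Metalink specification or of any client.

```python
"""Added example: build a Metalink 4 file from a mirror list and verify a
download against it, preferring the strongest digest it carries.
Not Ant project code; names, URLs and data below are constructed."""
import hashlib
import xml.etree.ElementTree as ET

METALINK_NS = "urn:ietf:params:xml:ns:metalink"
# Digest types as they appear in <hash type="...">, strongest first.
PREFERRED = ["sha-256", "sha-1", "md5"]
HASHLIB_NAME = {"sha-256": "sha256", "sha-1": "sha1", "md5": "md5"}
# Example policy (assumption): a metalink carrying only these is not enough
# on its own, because collisions for them are cheap compared with sha-256.
WEAK = {"sha-1", "md5"}

# Constructed sample input; a real generator would read the mirror list
# that already drives the download page.
SAMPLE_NAME = "example-dist-1.0-bin.tar.gz"
SAMPLE_DATA = b"constructed archive bytes standing in for a release tarball\n"
SAMPLE_MIRRORS = [
    "https://mirror-a.example.org/dist/" + SAMPLE_NAME,
    "https://mirror-b.example.net/dist/" + SAMPLE_NAME,
]


def digests(data, algos=PREFERRED):
    """Hex digests of data for every listed algorithm."""
    return {a: hashlib.new(HASHLIB_NAME[a], data).hexdigest() for a in algos}


def build_metalink(filename, size, hashes, mirrors):
    """Serialize one <file> entry with its size, hashes and prioritized mirrors."""
    ET.register_namespace("", METALINK_NS)
    root = ET.Element("{%s}metalink" % METALINK_NS)
    f = ET.SubElement(root, "{%s}file" % METALINK_NS, name=filename)
    ET.SubElement(f, "{%s}size" % METALINK_NS).text = str(size)
    for algo, hexdigest in hashes.items():
        ET.SubElement(f, "{%s}hash" % METALINK_NS, type=algo).text = hexdigest
    for prio, url in enumerate(mirrors, start=1):
        ET.SubElement(f, "{%s}url" % METALINK_NS, priority=str(prio)).text = url
    return ET.tostring(root, encoding="unicode")


def verify(metalink_xml, filename, data, allow_weak=False):
    """Check data against the metalink entry for filename.

    Returns (ok, detail): detail is the digest type used on success, or the
    reason for refusal.  Size is checked first, then the strongest listed
    digest; weak-only metalinks are refused unless allow_weak is set.
    """
    root = ET.fromstring(metalink_xml)
    ns = {"m": METALINK_NS}
    for f in root.findall("m:file", ns):
        if f.get("name") != filename:
            continue
        size = f.findtext("m:size", namespaces=ns)
        if size is not None and int(size) != len(data):
            return False, "size mismatch"
        listed = {h.get("type"): (h.text or "").strip().lower()
                  for h in f.findall("m:hash", ns)}
        for algo in PREFERRED:
            if algo not in listed:
                continue
            if algo in WEAK and not allow_weak:
                return False, "only weak digests listed: " + ", ".join(sorted(listed))
            actual = hashlib.new(HASHLIB_NAME[algo], data).hexdigest()
            return actual == listed[algo], algo
        return False, "no usable digest"
    return False, "file not listed"


if __name__ == "__main__":
    xml = build_metalink(SAMPLE_NAME, len(SAMPLE_DATA), digests(SAMPLE_DATA), SAMPLE_MIRRORS)
    print(xml)
    print(verify(xml, SAMPLE_NAME, SAMPLE_DATA))
    print(verify(xml, SAMPLE_NAME, SAMPLE_DATA + b"trojan"))
```

Running the script prints the generated XML, a successful verification using sha-256, and a failed one for tampered bytes; a metalink generated with `{"md5": ...}` alone is refused until `allow_weak=True` is passed, which is the point of keeping a strong digest next to the MD5 the mirrors already publish.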