ant-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Allen, Ethan (MED, Carlson)" <Ethan.Al...@med.ge.com>
Subject RE: WHY ?
Date Mon, 14 Apr 2003 15:40:47 GMT
You are right - that was certainly the thing that confused me !

How about combining various explanations:

Providing mirror site downloads means that <org name here> loses a
significant amount of control over the downloaded files !  We
<b>strongly</b> recommend you use digital signatures to verify the
integrity of what you are downloading, to avoid the risk of downloading
a trojan horse (or simply broken files).  We have provided signatures in
our main distribution directory.  You MUST use the signatures provided
there if you want to verify.

hope this helps -

eja

-----Original Message-----
From: Stefan Bodewig [mailto:bodewig@apache.org]
Sent: Monday, April 14, 2003 1:32 AM
To: user@ant.apache.org
Subject: Re: WHY ?


On Fri, 11 Apr 2003, Ethan Allen <Ethan.Allen@med.ge.com> wrote:

> I'm talking about the statement on the site that "You MUST verify
> the integrity of the downloaded files using signatures downloaded
> from our main distribution directory".

Hmm, maybe you can help us with rephrasing this, then.

The MUST doesn't mean you must verify the integrity - we certainly
encourage you to do so.  The MUST is meant to apply to the second part
"using signatures downloaded from our main distribution directory".

As Ant can be downloaded from a mirror (and in fact, we hope many
people do so), we lose quite a bit of control over it.  The MUST
means, doen't use the signature you'll find on the mirror as well, but
the sugnature from our main site, as this is the site we trust most.

Stefan

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@ant.apache.org
For additional commands, e-mail: user-help@ant.apache.org

Mime
View raw message