commons-user mailing list archives

Subject RE: httpclient md5 and asc files
Date Thu, 17 Jun 2004 15:44:34 GMT

See my comments in-line

>Thanks for sharing your thoughts on the matter, especially on 3.0.  However
>. . .
>Quibble 1:
>It seems odd to make would-be users choose between an "unverifiable"
>production version (2.0) and a "verifiable" alpha version (3.0).

Maybe I am missing something obvious, but I can't see why this kind of "verifiability"
matters. What comfort is it to you that HttpClient has been built, packaged
and signed by some, for instance, Russian fella who's supposedly a Jakarta
Commons committer? If you need a truly verifiable build, you should probably
consider checking the source out of, building and signing
it yourself using a trusted key. I do not know it for sure but I ~ass~ume
that all Commons releases are signed using self-generated keys that have
not been signed by some sort of Root CA (Please someone correct me if I am

>Quibble 2:
>How long would it take to post an md5 hash, a signed 2.0.1--with or without
>minor bug fixes--and accompanying .asc file?

Cutting a proper release can usually take a good day of work.

>Quibble 3:
>No one has to upgrade if he/she doesn't want to.

I am personally a bit hesitant to inflate release numbers for non-bugfix
related issues.

>I'll try to drop the matter for now so as not to clutter mailboxes with
>a seemingly trivial request.  Plus, I'm sure you all have bigger fish to fry
>(e.g., 3.0).

All this stuff said, if this is an important matter for you due to some regulatory
reasons or company guidelines, let us know. All it takes to release 2.0.1
is a good cause, and winning a user is always a good one.

