commons-user mailing list archives

From "Murphy, Thomas H. (Newport News)" <>
Subject RE: httpclient md5 and asc files
Date Thu, 17 Jun 2004 16:34:52 GMT
Thanks again for your responses, Oleg.  They're appreciated.

I suppose "verifiability" is a pipe dream.  Even if 2.0 were signed, I don't
know you or any of the would-be signers of HttpClient or other Apache
products anyway.  Heck, how do I know mighty isn't hosted in

For some products, maybe the code base is small enough to read through to
make sure it's OK.  What about behemoths like Cocoon, with tons of 2nd and
3rd party stuff, much of which comes precompiled?  Having md5 and asc files
can't guarantee anything, but they at least offer some warm fuzzies and a
veneer of (non-binding) accountability by the Apache group.  And maybe save
someone from having to read each line of code before saying it's OK for use.

It's all a tenuous web of trust:
me->Apache->Jakarta->Commons->HttpClient->you (or someone they think is
you), where "->" == "hopefully (foolishly?) trusts".

I'd push for 2.0.1 except A) I'm not sure I'll use it anyway, and B) others
should chime in if they thought it would be valuable to them.

In any case, I appreciate your time and explanations.


-----Original Message-----
From: olegk


See my comments in-line

>Thanks for sharing your thoughts on the matter, especially on 3.0.  However
>. . .
>Quibble 1:
>It seems odd to make would-be users choose between an "unverifiable"
>production version (2.0) and a "verifiable" alpha version (3.0).

Maybe I am missing something obvious, but I can't see why this kind of
matters. What comfort is it to you that HttpClient has been built, packaged
and signed by some, for instance, Russian fella who's supposedly a Jakarta
Commons committer? If you need a truly verifiable build, you should probably
consider checking the source out of, building and signing
it yourself using a trusted key. I do not know it for sure but I ~ass~ume
that all Commons releases are signed using self-generated keys that have
not been signed by some sort of Root CA (Please someone correct me if I am

>Quibble 2:
>How long would it take to post an md5 hash, a signed 2.0.1--with or without
>minor bug fixes--and accompanying .asc file?

Cutting a proper release can usually take a good day of work

>Quibble 3:
>No one has to upgrade if he/she doesn't want to.

I am personally a bit hesitant to inflate release numbers for non-bugfix
related issues.

>I'll try to drop the matter for now so as not to clutter mailboxes with
>seemingly trivial request.  Plus, I'm sure you all have bigger fish to fry
>(e.g., 3.0).

All this stuff said, if this is an important matter for you due to some
reasons or company guidelines, let us know. All it takes to release 2.0.1
is a good cause, and winning a user is always a good one.
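The thread turns on what an .md5 sidecar actually buys you versus an .asc signature. The following is an added example, not code from this thread or from the HttpClient project: it verifies a downloaded artifact against its .md5 file the way a build script would (both sidecar layouts, streaming digest, constant-time comparison, filename cross-check) and deliberately stops there, because a checksum served next to the artifact only proves the bytes were not corrupted in transit; the "who built this" question Murphy and Oleg discuss is answered by the signature and the key's web of trust, not by the hash. All file names and contents below are constructed placeholders, not real release files.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Accepts the two sidecar layouts seen in practice: a bare 32-hex digest, or
# the md5sum(1) layout "digest  filename" with an optional '*' binary marker.
_MD5_LINE = re.compile(r"^\s*([0-9a-fA-F]{32})(?:\s+\*?(\S+))?\s*$")


def parse_md5_sidecar(text):
    """Return (digest_hex, filename_or_None) from the first non-blank line of a .md5 file."""
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _MD5_LINE.match(line)
        if not m:
            raise ValueError("unrecognised .md5 line: %r" % line)
        return m.group(1).lower(), m.group(2)
    raise ValueError("empty .md5 file")


def md5_of_file(path, chunk_size=1 << 16):
    """Stream the file through MD5 so a large distribution is not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_md5(artifact_path, md5_path):
    """True only if the sidecar names this artifact (when it names one) and the digest matches.

    This establishes integrity (the bytes are the ones the publisher hashed), not
    authenticity: a .md5 served beside the artifact can be replaced together with it,
    so a signature check against a trusted key is still required for provenance.
    """
    with open(md5_path, "r", encoding="ascii") as f:
        expected, named = parse_md5_sidecar(f.read())
    if named is not None and os.path.basename(named) != os.path.basename(artifact_path):
        return False
    return hmac.compare_digest(expected, md5_of_file(artifact_path))


def build_fixture(root):
    """Constructed sample inputs (placeholder names, not real release files): a good
    artifact, its sidecar in both layouts, a sidecar naming a different file, and a
    tampered copy with the same basename as the good artifact."""
    name = "commons-httpclient-2.0.zip"  # placeholder artifact name
    payload = b"PK\x03\x04 constructed sample archive bytes\n"
    good = os.path.join(root, name)
    with open(good, "wb") as f:
        f.write(payload)
    digest = md5_of_file(good)

    bare = os.path.join(root, "bare.md5")
    with open(bare, "w") as f:
        f.write(digest + "\n")
    named = os.path.join(root, "named.md5")
    with open(named, "w") as f:
        f.write("%s *%s\n" % (digest, name))
    other = os.path.join(root, "other.md5")
    with open(other, "w") as f:
        f.write("%s  commons-httpclient-2.0.1.zip\n" % digest)

    mirror = os.path.join(root, "mirror")
    os.mkdir(mirror)
    tampered = os.path.join(mirror, name)
    with open(tampered, "wb") as f:
        f.write(payload + b"\x00")  # one extra byte: same name, different content
    return {"good": good, "tampered": tampered, "bare": bare, "named": named, "other": other}


def run_checks():
    """Return the verdict for each artifact/sidecar combination."""
    with tempfile.TemporaryDirectory() as root:
        p = build_fixture(root)
        return {
            "good_bare": verify_md5(p["good"], p["bare"]),
            "good_named": verify_md5(p["good"], p["named"]),
            "tampered_named": verify_md5(p["tampered"], p["named"]),
            "good_wrong_name": verify_md5(p["good"], p["other"]),
        }


if __name__ == "__main__":
    for label, ok in run_checks().items():
        print("%-16s %s" % (label, "OK" if ok else "FAIL"))
```

Treat a `False` here as "do not use", but treat a `True` as nothing more than "the file matches the hash the same server published"; the .asc file and the signer's key are what tie the release to the project.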


To unsubscribe, e-mail:
For additional commands, e-mail:
