db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bernt M. Johnsen" <Bernt.John...@Sun.COM>
Subject Re: upcoming 10.2 snapshot
Date Mon, 29 May 2006 15:12:06 GMT
>>>>>>>>>>>> Andrew McIntyre wrote (2006-05-23 14:19:50):
> On 5/23/06, Bernt M. Johnsen <Bernt.Johnsen@sun.com> wrote:
> >Simple (?) question. Why do we not sign snapshots that are made
> >available on Derby's download page? The need for people to be sure
> >that they download SW that is put there by a trusted person should be
> >the same as for ordinary releases.
> 
> Because the snapshots are not served from the mirror, but from a
> trusted host at Apache, and could only be put there by a committer.

Given that the "trusted host at Apache" is impenetrable for an
unauthorized person .... so I think it would be wise to sign the
snapshots too, otherwise we might have to remove them in case of an
security incident at the server.

> Normally, serving downloads from an Apache host is frowned upon to
> save bandwidth and machine resources, but in this case should not be a
> problem, as we would expect the snapshots to see far, far less traffic
> than an official release.
> 
> And in fact, the snapshots don't register on the top hits for
> *.apache.org, whereas people disregarding the mirrors and downloading
> the official release from http://www.apache.org/dist/ does show up on
> the list:
> 
> http://people.apache.org/~henkp/analog/www/2006/04/
> 
> andrew

-- 
Bernt Marius Johnsen, Database Technology Group, 
Staff Engineer, Technical Lead Derby/Java DB
Sun Microsystems, Trondheim, Norway

Mime
View raw message