Return-Path: Delivered-To: apmail-db-derby-dev-archive@www.apache.org Received: (qmail 66910 invoked from network); 29 May 2006 15:12:50 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 29 May 2006 15:12:50 -0000 Received: (qmail 86063 invoked by uid 500); 29 May 2006 15:12:50 -0000 Delivered-To: apmail-db-derby-dev-archive@db.apache.org Received: (qmail 85838 invoked by uid 500); 29 May 2006 15:12:49 -0000 Mailing-List: contact derby-dev-help@db.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: Delivered-To: mailing list derby-dev@db.apache.org Received: (qmail 85829 invoked by uid 99); 29 May 2006 15:12:49 -0000 Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 29 May 2006 08:12:49 -0700 X-ASF-Spam-Status: No, hits=0.0 required=10.0 tests=UNPARSEABLE_RELAY X-Spam-Check-By: apache.org Received-SPF: pass (asf.osuosl.org: local policy) Received: from [192.18.1.36] (HELO gmpea-pix-1.sun.com) (192.18.1.36) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 29 May 2006 08:12:48 -0700 Received: from d1-emea-04.sun.com (d1-emea-04.sun.com [192.18.2.114] (may be forged)) by gmpea-pix-1.sun.com (8.12.9/8.12.9) with ESMTP id k4TFCQg5018902 for ; Mon, 29 May 2006 16:12:26 +0100 (BST) Received: from conversion-daemon.d1-emea-04.sun.com by d1-emea-04.sun.com (Sun Java System Messaging Server 6.2-4.02 (built Sep 9 2005)) id <0J0100E017KRVI00@d1-emea-04.sun.com> (original mail from Bernt.Johnsen@Sun.COM) for derby-dev@db.apache.org; Mon, 29 May 2006 16:12:26 +0100 (BST) Received: from localhost (180.80-203-115.nextgentel.com [80.203.115.180]) by d1-emea-04.sun.com (Sun Java System Messaging Server 6.2-4.02 (built Sep 9 2005)) with ESMTPSA id <0J0100C318WOKL70@d1-emea-04.sun.com> for derby-dev@db.apache.org; Mon, 29 May 2006 16:12:26 +0100 (BST) Date: Mon, 29 May 2006 17:12:06 +0200 From: "Bernt M. Johnsen" Subject: Re: upcoming 10.2 snapshot In-reply-to: <54ac72d70605231419u34aff85crb253e512d5cc1ee6@mail.gmail.com> Sender: Bernt.Johnsen@Sun.COM To: derby-dev@db.apache.org Message-id: <20060529151206.GD12328@localhost.localdomain> Organization: Sun Microsystems MIME-version: 1.0 Content-type: multipart/signed; boundary=lMM8JwqTlfDpEaS6; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-disposition: inline References: <44733CF7.9050300@sun.com> <4473647B.8010608@apache.org> <20060523210643.GB20154@localhost.localdomain> <54ac72d70605231419u34aff85crb253e512d5cc1ee6@mail.gmail.com> User-Agent: Mutt/1.5.9i X-Virus-Checked: Checked by ClamAV on apache.org X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N --lMM8JwqTlfDpEaS6 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable >>>>>>>>>>>> Andrew McIntyre wrote (2006-05-23 14:19:50): > On 5/23/06, Bernt M. Johnsen wrote: > >Simple (?) question. Why do we not sign snapshots that are made > >available on Derby's download page? The need for people to be sure > >that they download SW that is put there by a trusted person should be > >the same as for ordinary releases. >=20 > Because the snapshots are not served from the mirror, but from a > trusted host at Apache, and could only be put there by a committer. Given that the "trusted host at Apache" is impenetrable for an unauthorized person .... so I think it would be wise to sign the snapshots too, otherwise we might have to remove them in case of an security incident at the server. > Normally, serving downloads from an Apache host is frowned upon to > save bandwidth and machine resources, but in this case should not be a > problem, as we would expect the snapshots to see far, far less traffic > than an official release. >=20 > And in fact, the snapshots don't register on the top hits for > *.apache.org, whereas people disregarding the mirrors and downloading > the official release from http://www.apache.org/dist/ does show up on > the list: >=20 > http://people.apache.org/~henkp/analog/www/2006/04/ >=20 > andrew --=20 Bernt Marius Johnsen, Database Technology Group,=20 Staff Engineer, Technical Lead Derby/Java DB Sun Microsystems, Trondheim, Norway --lMM8JwqTlfDpEaS6 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFEew9GlFBD9TXBAPARAug9AJ92e8TjuQ3fJWHQF3Tb132p1Lxh8ACgmx90 fWVl7QrKPP6KBp9SC/f1nAg= =FBV2 -----END PGP SIGNATURE----- --lMM8JwqTlfDpEaS6--