db-derby-dev mailing list archives

From Rick Hillegas <Richard.Hille...@Sun.COM>
Subject Re: release endgame
Date Fri, 06 Oct 2006 20:48:49 GMT
Andrew McIntyre wrote:

> On 10/4/06, Rick Hillegas <Richard.Hillegas@sun.com> wrote:
>> 2) Step (9) at http://www.apache.org/dev/mirror-step-by-step.html warns
>> against using symbolic links in mirrored directories. But step (17) at
>> http://wiki.apache.org/db-derby/DerbySnapshotOrRelease seems to indicate
>> that we do use symbolic links on our mirrored directory. Furthermore,
>> symbolic links are required by the instructions at
>> http://people.apache.org/~bodewig/mirror.html. I'm confused.
>> 3) More about symbolic links. The instructions make a distinction
>> between the distribution zips and their signatures. I'm told to link the
>> zips but not the signatures (see
>> http://www.apache.org/dev/release-download-pages.html). However, step
>> (17) at http://wiki.apache.org/db-derby/DerbySnapshotOrRelease shows us
>> creating symbolic links for both the zips and the signatures. Again, I'm
>> confused.
> I'm all for keeping things simple. If current wisdom says don't use
> symlinks, I don't think anyone will object to simply removing the
> -current- symlinks in our dist directory.
> As for signatures, all links to signature files (*.asc), e.g. on the
> download page on the website, should point back to
> http://www.apache.org/dist. Signatures should always be picked up from
> an Apache machine so that we have oversight over their authenticity.
> PGP signatures or MD5 checksums from a machine outside of the
> oversight of the Apache community should not be trusted.
> I believe PGP signatures are currently synced to non-Apache machines,
> because PGP sigs have not been proven to have been cracked in any way.
> But, it seems conventional wisdom, along with the very small download
> size of the PGP signatures, suggests that the security benefit of
> serving the PGP signatures from an Apache machine outweighs the
> bandwidth usage to Apache.
> So, remove the -current- symlinks (and the corresponding instructions
> from the release page). When creating the download page, use the
> mirror.cgi form template to allow picking up the release distribution
> archives from the mirrors, but leave the signature links for the PGP
> and MD5 signatures pointing at the real files in
> http://www.apache.org/dist/db/derby/{version}/*.(asc|md5)
> Also, with the release of imminent, it's time we move our
> older releases of 10.1 to the archive. That's not something that you
> need to be concerned about with releasing 10.2, but as a community, we
> need to make sure our older releases are properly archived and that we
> don't unnecessarily consume resources on the Apache mirrors. I'll be
> glad to help out with archiving the older releases.

Thanks, Andrew. Right now, we have 4 active releases under 

I'm guessing you want to archive one or more of the older ones. I will 
need your help here. The archiving instructions at 
http://www.apache.org/dev/mirror-step-by-step.html#archive-old seem to 
be a little out of date. I got wedged on step (2) since I can't find 
/www/derby.apache.org or /www/db.apache.org/derby/builds.


> Let me know if you have any questions. If I missed something,
> hopefully someone more knowledgeable will speak up.
> andrew
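
The link policy described in the quoted reply (archives may come from mirrors, `.asc` and `.md5` links must point at http://www.apache.org/dist) can be checked mechanically against a download page. The following is an added example, not part of the original thread or of the Derby release tooling; the function name, the mirror host and the file names in the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only trusted origin for signatures and checksums is the
# http://www.apache.org/dist tree named in the message above.
TRUSTED_HOST = "www.apache.org"
TRUSTED_PREFIX = "/dist/"
VERIFY_SUFFIXES = (".asc", ".md5")


class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag on the page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def untrusted_signature_links(html):
    """Return .asc/.md5 links that do not point at www.apache.org/dist."""
    collector = LinkCollector()
    collector.feed(html)
    bad = []
    for href in collector.hrefs:
        url = urlparse(href)
        if not url.path.lower().endswith(VERIFY_SUFFIXES):
            continue  # release archives are allowed to come from a mirror
        # Relative links, other hosts and paths outside /dist/ are all flagged.
        if url.hostname != TRUSTED_HOST or not url.path.startswith(TRUSTED_PREFIX):
            bad.append(href)
    return bad


# Constructed sample page: host mirror.example.org and the file names are made up.
SAMPLE_PAGE = """
<a href="http://mirror.example.org/apache/db/derby/VERSION/derby-bin.zip">zip</a>
<a href="http://www.apache.org/dist/db/derby/VERSION/derby-bin.zip.asc">PGP</a>
<a href="http://mirror.example.org/apache/db/derby/VERSION/derby-bin.zip.md5">MD5</a>
<a href="derby-bin.zip.asc">PGP (relative link)</a>
"""
```

A relative signature link is flagged because it resolves against whichever host serves the page, which may be a mirror.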
