db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew McIntyre" <mcintyr...@gmail.com>
Subject Re: release endgame
Date Thu, 05 Oct 2006 06:44:47 GMT
On 10/4/06, Rick Hillegas <Richard.Hillegas@sun.com> wrote:
> 2) Step (9) at http://www.apache.org/dev/mirror-step-by-step.html warns
> against using symbolic links in mirrored directories. But step (17) at
> http://wiki.apache.org/db-derby/DerbySnapshotOrRelease seems to indicate
> that we do use symbolic links on our mirrored directory. Furthermore,
> symbolic links are required by the instructions at
> http://people.apache.org/~bodewig/mirror.html. I'm confused.
> 3) More about symbolic links. The instructions make a distinction
> between the distribution zips and their signatures. I'm told to link the
> zips but not the signatures (see
> http://www.apache.org/dev/release-download-pages.html). However, step
> (17) at http://wiki.apache.org/db-derby/DerbySnapshotOrRelease shows us
> creating symbolic links for both the zips and the signatures. Again, I'm
> confused.

I'm all for keeping things simple. If current wisdom says don't use
symlinks, I don't think anyone will object to simply removing the
-current- symlinks in our dist directory.

As for signatures, all links to signature files (*.asc), e.g. on the
download page on the website, should point back to
http://www.apache.org/dist. Signatures should always be picked up from
an Apache machine so that we have oversight over their authenticity.
PGP signatures or MD5 checksums from a machine outside of the
oversight of the Apache community should not be trusted.

I believe PGP signatures are currently synced to non-Apache machines,
because PGP sigs have not been proven to have been cracked in any way.
But, it seems convential wisdom, along with the very small download
size of the PGP signatures, suggests that the security benefit of
serving the PGP signatures from an Apache machine outweighs the
bandwidth usage to Apache.

So, remove the -current- symlinks (and the corresponding instructions
from the release page). When creating the download page, use the
mirror.cgi form template to allow picking up the release distribution
archives from the mirrors, but leave the signature links for the PGP
and MD5 signatures pointing at the real files in

Also, with the release of imminent, it's time we move our
older releases of 10.1 to the archive. That's not something that you
need to be concerned about with releasing 10.2, but as a community, we
need to make sure our older releases are properly archived and that we
don't unnecessarily consume resources on the Apache mirrors. I'll be
glad to help out with archiving the older releases.

Let me know if you have any questions. If I missed something,
hopefully someone more knowledgeable will speak up.


View raw message