flex-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bertrand Delacretaz <bdelacre...@apache.org>
Subject Re: [MENTOR] and PPMC members: info page about binaries
Date Tue, 11 Sep 2012 08:36:02 GMT
On Mon, Sep 10, 2012 at 11:55 PM, Erik de Bruin <erik@ixsoftware.nl> wrote:
> ...I'm thinking that even though binaries are not official Apache Flex
> releases (http://incubator.apache.org/flex/about-binaries.html, thanks
> Bertrand), people will still 'trust' them more if they are actually
> hosted on an Apache mirror then on a random site....

That would be a big mistake...Apache mirrors are not controlled by the
ASF, they're a loosely-coupled network where in theory (before being
caught) someone could easily mess with whatever files people download.

The only way to validate a downloaded file is to check its signature
and/or digest against data obtained from trusted sources.


View raw message