incubator-depot-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Adam R. B. Jack" <aj...@trysybase.com>
Subject MD5 and Mirrors ( was Re: MD5 Hash )
Date Wed, 11 Feb 2004 16:57:20 GMT
Nick wrote:

> The MD5 should always come from the authoritative source (apache.org)
> using https.

I'm not sure if all environments (JVMs) have HTTPS available. In a somewhat
perfect world we'd try HTTPS and if it failed try HTTP, unless some 'minimum
security' was requested.

I think we'll have to experiment and experince this area over
time/iterations.

> How are we going to know what the "authoritative" source for a resource
> is.
> For java we could enforce a reverse domain name.

Four things:

1) Repository URI/URL is what it is (whatever it is) and the URL for the MD5
ought be the URL for the resources plus ".md5" on the end.

2) As current Ruper thinking (coding) goes ... Mirrors ought mirror the
hierarchy, so wherever a resource is in the repo, the .md5 ought be next to
it, and the original .md5 ought be in exactly the same relative position
(just relative to an apache root).

3) Mirroring is kinda hacked into Ruper right now, it silently moves the
root of a repository (originally set relative to the mirror locator CGI
script) to one such mirror. As such Ruper doesn't really know about mirrors.

4) We probably need to rethink current thinking... ;-)

regards,

Adam


Mime
View raw message