incubator-depot-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Markus M. May" <m...@gmx.net>
Subject Re: MD5 and Mirrors ( was Re: MD5 Hash )
Date Wed, 11 Feb 2004 17:13:40 GMT
Adam is perfectly right about this stuff. There is one more thing we need to
think about. Some repositories treat md5-files different. The structure on
apache.org is [filename - MD5 Hash]. But on ibiblio (maven-repository) it is
just [MD5 Hash]. So this needs to be somehow configurable. 

One more thing to think about :-)

> Nick wrote:
> 
> > The MD5 should always come from the authoritative source (apache.org)
> > using https.
> 
> I'm not sure if all environments (JVMs) have HTTPS available. In a
> somewhat
> perfect world we'd try HTTPS and if it failed try HTTP, unless some
> 'minimum
> security' was requested.
> 
> I think we'll have to experiment and experince this area over
> time/iterations.
> 
> > How are we going to know what the "authoritative" source for a resource
> > is.
> > For java we could enforce a reverse domain name.
> 
> Four things:
> 
> 1) Repository URI/URL is what it is (whatever it is) and the URL for the
> MD5
> ought be the URL for the resources plus ".md5" on the end.
> 
> 2) As current Ruper thinking (coding) goes ... Mirrors ought mirror the
> hierarchy, so wherever a resource is in the repo, the .md5 ought be next
> to
> it, and the original .md5 ought be in exactly the same relative position
> (just relative to an apache root).
> 
> 3) Mirroring is kinda hacked into Ruper right now, it silently moves the
> root of a repository (originally set relative to the mirror locator CGI
> script) to one such mirror. As such Ruper doesn't really know about
> mirrors.
> 
> 4) We probably need to rethink current thinking... ;-)
> 
> regards,
> 
> Adam
> 


Mime
View raw message