From depot-dev-return-75-apmail-incubator-depot-dev-archive=incubator.apache.org@incubator.apache.org Wed Feb 11 17:14:10 2004 Return-Path: Delivered-To: apmail-incubator-depot-dev-archive@www.apache.org Received: (qmail 99476 invoked from network); 11 Feb 2004 17:14:10 -0000 Received: from daedalus.apache.org (HELO mail.apache.org) (208.185.179.12) by minotaur-2.apache.org with SMTP; 11 Feb 2004 17:14:10 -0000 Received: (qmail 6536 invoked by uid 500); 11 Feb 2004 17:13:39 -0000 Delivered-To: apmail-incubator-depot-dev-archive@incubator.apache.org Received: (qmail 6468 invoked by uid 500); 11 Feb 2004 17:13:39 -0000 Mailing-List: contact depot-dev-help@incubator.apache.org; run by ezmlm Precedence: bulk list-help: list-unsubscribe: list-post: Delivered-To: mailing list depot-dev@incubator.apache.org Received: (qmail 6389 invoked from network); 11 Feb 2004 17:13:38 -0000 Received: from unknown (HELO mail.gmx.net) (213.165.64.20) by daedalus.apache.org with SMTP; 11 Feb 2004 17:13:38 -0000 Received: (qmail 29345 invoked by uid 0); 11 Feb 2004 17:13:40 -0000 Received: from 213.68.175.171 by www24.gmx.net with HTTP; Wed, 11 Feb 2004 18:13:40 +0100 (MET) Date: Wed, 11 Feb 2004 18:13:40 +0100 (MET) From: "Markus M. May" To: depot-dev@incubator.apache.org MIME-Version: 1.0 References: <104001c3f0c0$24d45c70$ed71eb43@tsws1> Subject: Re: MD5 and Mirrors ( was Re: MD5 Hash ) X-Priority: 3 (Normal) X-Authenticated: #450643 Message-ID: <9621.1076519620@www24.gmx.net> X-Mailer: WWW-Mail 1.6 (Global Message Exchange) X-Flags: 0001 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N X-Spam-Rating: minotaur-2.apache.org 1.6.2 0/1000/N Adam is perfectly right about this stuff. There is one more thing we need to think about. Some repositories treat md5-files different. The structure on apache.org is [filename - MD5 Hash]. But on ibiblio (maven-repository) it is just [MD5 Hash]. So this needs to be somehow configurable. One more thing to think about :-) > Nick wrote: > > > The MD5 should always come from the authoritative source (apache.org) > > using https. > > I'm not sure if all environments (JVMs) have HTTPS available. In a > somewhat > perfect world we'd try HTTPS and if it failed try HTTP, unless some > 'minimum > security' was requested. > > I think we'll have to experiment and experince this area over > time/iterations. > > > How are we going to know what the "authoritative" source for a resource > > is. > > For java we could enforce a reverse domain name. > > Four things: > > 1) Repository URI/URL is what it is (whatever it is) and the URL for the > MD5 > ought be the URL for the resources plus ".md5" on the end. > > 2) As current Ruper thinking (coding) goes ... Mirrors ought mirror the > hierarchy, so wherever a resource is in the repo, the .md5 ought be next > to > it, and the original .md5 ought be in exactly the same relative position > (just relative to an apache root). > > 3) Mirroring is kinda hacked into Ruper right now, it silently moves the > root of a repository (originally set relative to the mirror locator CGI > script) to one such mirror. As such Ruper doesn't really know about > mirrors. > > 4) We probably need to rethink current thinking... ;-) > > regards, > > Adam >