incubator-flex-dev mailing list archives

From Erik de Bruin <e...@ixsoftware.nl>
Subject Re: [MENTOR] and PPMC members: info page about binaries
Date Tue, 11 Sep 2012 08:48:44 GMT
>> ...I'm thinking that even though binaries are not official Apache Flex
>> releases (http://incubator.apache.org/flex/about-binaries.html, thanks
>> Bertrand), people will still 'trust' them more if they are actually
>> hosted on an Apache mirror than on a random site....
>
> That would be a big mistake...Apache mirrors are not controlled by the
> ASF, they're a loosely-coupled network where in theory (before being
> caught) someone could easily mess with whatever files people download.
>
> The only way to validate a downloaded file is to check its signature
> and/or digest against data obtained from trusted sources.

I understand the principle and agree on the theory behind it. However,
we want as many people using and advocating Apache Flex as possible.
However, in the real world, people will want to stay up to date with
the SDK but they can't/don't want to spend a lot of time and effort
getting the latest version from SVN and building from source. That's
what the convenience binaries are for, IMHO. Having those available
from the Apache 'network' (which for all intents and purposes the
mirrors act like) will make most people trust them implicitly (yes,
not a good idea, agreed, but certainly the way it works for most). I'm
sure this is true for any network that makes the binaries available
(e.g. Spoon), but since the name is APACHE Flex... I feel the best
place for them is with Apache, and have other
people/organisations/sites link to them by using the badge. This will
make sure the mirrors and not the direct apache.org location are used.

EdB



-- 
Ix Multimedia Software

Jan Luykenstraat 27
3521 VB Utrecht

T. 06-51952295
I. www.ixsoftware.nl
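
Added example, not part of the original message or of any Apache tooling: the digest check described in the quoted reply, where a file fetched from a mirror is compared against a digest obtained from a trusted source. It goes slightly beyond the message by accepting bare, GNU-style and BSD-style checksum files; the file name `sdk-bin.zip`, the helper names and the sample bytes are constructed assumptions, and signature verification is not covered.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Hex digest length -> algorithm, so the trusted checksum text selects the hash.
ALGO_BY_HEXLEN = {64: "sha256", 128: "sha512"}

def parse_digest(text, filename):
    """Return (algorithm, hex digest) for filename from trusted checksum text."""
    for line in text.splitlines():
        line = line.strip()
        bsd = re.fullmatch(r"SHA\d+ ?\((.+)\) ?= ?([0-9a-fA-F]+)", line)
        gnu = re.fullmatch(r"([0-9a-fA-F]+)(?:\s+\*?(.+))?", line)
        if bsd:
            name, digest = bsd.group(1), bsd.group(2)
        elif gnu:
            name, digest = gnu.group(2), gnu.group(1)  # name is None for a bare digest
        else:
            continue
        if (name is None or Path(name).name == filename) and len(digest) in ALGO_BY_HEXLEN:
            return ALGO_BY_HEXLEN[len(digest)], digest.lower()
    raise ValueError(f"no usable digest for {filename!r}")

def verify_download(path, trusted_checksum_text):
    """True only if the file at path matches the digest from the trusted source."""
    algo, expected = parse_digest(trusted_checksum_text, Path(path).name)
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # stream large archives
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected)

def demo():
    """Constructed data: one intact copy and one copy altered on a mirror."""
    good = b"constructed SDK archive bytes"
    # Assumption: this text was fetched from the trusted origin, not the mirror.
    trusted = hashlib.sha512(good).hexdigest() + " *sdk-bin.zip\n"
    results = {}
    with tempfile.TemporaryDirectory() as d:
        target = Path(d) / "sdk-bin.zip"
        for label, body in (("intact", good), ("tampered", good + b"\x00")):
            target.write_bytes(body)
            results[label] = verify_download(target, trusted)
    return results

if __name__ == "__main__":
    print(demo())
```

The check is only as strong as the channel the checksum text came over: a digest file downloaded from the same mirror as the archive proves nothing about tampering.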
