Return-Path: 
 <general-return-19692-apmail-incubator-general-archive=incubator.apache.org@incubator.apache.org>
Delivered-To: apmail-incubator-general-archive@www.apache.org
Received: (qmail 64775 invoked from network); 19 Sep 2008 13:13:30 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2)
  by minotaur.apache.org with SMTP; 19 Sep 2008 13:13:30 -0000
Received: (qmail 75250 invoked by uid 500); 19 Sep 2008 13:13:25 -0000
Delivered-To: apmail-incubator-general-archive@incubator.apache.org
Received: (qmail 75109 invoked by uid 500); 19 Sep 2008 13:13:24 -0000
Mailing-List: contact general-help@incubator.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:general-help@incubator.apache.org>
List-Unsubscribe: <mailto:general-unsubscribe@incubator.apache.org>
List-Post: <mailto:general@incubator.apache.org>
List-Id: <general.incubator.apache.org>
Reply-To: general@incubator.apache.org
Delivered-To: mailing list general@incubator.apache.org
Received: (qmail 75095 invoked by uid 99); 19 Sep 2008 13:13:24 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 19 Sep 2008 06:13:24 -0700
X-ASF-Spam-Status: No, hits=-0.0 required=10.0
	tests=SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (athena.apache.org: domain of chirino@gmail.com designates
 72.14.220.154 as permitted sender)
Received: from [72.14.220.154] (HELO fg-out-1718.google.com) (72.14.220.154)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 19 Sep 2008 13:12:16 +0000
Received: by fg-out-1718.google.com with SMTP id l26so579794fgb.26
        for <general@incubator.apache.org>;
 Fri, 19 Sep 2008 06:12:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=domainkey-signature:received:received:message-id:date:from:sender
         :to:subject:in-reply-to:mime-version:content-type
         :content-transfer-encoding:content-disposition:references
         :x-google-sender-auth;
        bh=UdWZrH9U1yxMNpVTA7iQTKdNQ5urAwOj99yk4Y75J2w=;
        b=PT6cmpI+IYOWjycZQcglQf4CS5WMMxt2GIn/VH3gFPP1nqD8mNksPwRObSz3fFnTdP
         D2kwlH0C7L7WCPH7Zk4lJd1Od3NV6V1N/Q0sS0mnY8q0BBzbkotCEZHq0kIZ0ehbmTDM
         +wrHKRhj7CKSKJ8Utd/X/REM2ogWDMbBcxOzg=
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=message-id:date:from:sender:to:subject:in-reply-to:mime-version
         :content-type:content-transfer-encoding:content-disposition
         :references:x-google-sender-auth;
        b=R1qfG0yAN3OopsXOdmjug4ghoUQx1q0eEjV78AB4yg3Wev2yL7GYqDdW/Mxu45DoqB
         2xjLDOpSUJHio/mwqPLHK0hH4WSOccCt4UOEi9sbBKxu0fRbYdBlbDWpST2jlO2dVntj
         8Jzv05RUc6kb7wJAzIjRe97tKaR4uc3PgXA+Y=
Received: by 10.187.183.15 with SMTP id k15mr2251fap.86.1221829950894;
        Fri, 19 Sep 2008 06:12:30 -0700 (PDT)
Received: by 10.187.167.12 with HTTP; Fri, 19 Sep 2008 06:12:30 -0700 (PDT)
Message-ID: <af2843cd0809190612l26a03571iad65544edd954372@mail.gmail.com>
Date: Fri, 19 Sep 2008 09:12:30 -0400
From: "Hiram Chirino" <hiram@hiramchirino.com>
Sender: chirino@gmail.com
To: general@incubator.apache.org
Subject: Re: status of PGP support in Maven
In-Reply-To: <14976D4F-CEEB-41D7-B1AE-1A703E14462B@SUN.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <9e3862d80809150702y7492812coa2f8f0f1deb42970@mail.gmail.com>
	 <1221697970.25066.26.camel@forge.local>
	 <14976D4F-CEEB-41D7-B1AE-1A703E14462B@SUN.com>
X-Google-Sender-Auth: a7b9d8b92d7fd608
X-Virus-Checked: Checked by ClamAV on apache.org

How about we include the signatures in the source distros?  That way
if you trust your source, then you can trust the dependencies it
downloads.

On Thu, Sep 18, 2008 at 12:22 PM, Craig L Russell <Craig.Russell@sun.com> wrote:
>
> On Sep 17, 2008, at 5:32 PM, Henning Schmiedehausen wrote:
>
>> The only way around that I can see right away in a heavily mirrored
>> system, is to pull the signatures (and probably even the checksums) from
>> central all the time. Which represents a single point of failure and a
>> non-scaling element.
>>
> I do understand the single point of failure, which means that if Apache
> central happens to be down, users cannot get to the signatures.
>
> But I don't see the scaling problem. I understand that to download an
> artifact that's more than 200 bytes, you really need mirrors to relieve the
> burden on Apache central. But I'd guess that our central server could handle
> a few hundred (thousand?) xxx.asc file downloads per minute, far in excess
> of the load.
>
> To me, the only place to store .asc files for all artifacts is in central.
> Not maven central, and not mirrors.
>
> Craig
>
> Craig L Russell
> Architect, Sun Java Enterprise System http://db.apache.org/jdo
> 408 276-5638 mailto:Craig.Russell@sun.com
> P.S. A good JDO? O, Gasp!
>
>



-- 
Regards,
Hiram

Blog: http://hiramchirino.com

Open Source SOA
http://open.iona.com

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org