incubator-ooo-dev mailing list archives

From Robert Burrell Donkin <>
Subject Re: Shutdown of the "" host and its Mirrorbrain instance
Date Wed, 26 Oct 2011 08:46:06 GMT
On Tue, Oct 25, 2011 at 7:58 PM, Christian Lohmaier
<> wrote:
> Hi Robert, *,
> On Tue, Oct 25, 2011 at 5:05 PM, Robert Burrell Donkin
> <> wrote:
>> On Tue, Oct 25, 2011 at 1:38 PM, Christian Lohmaier
>> <> wrote:
>>> On Tue, Oct 25, 2011 at 2:15 PM, Robert Burrell Donkin
>>> <> wrote:

> If anyone were to be able to create
> convincing gpg signatures of Apache releases, then this...
>> Downloading the signature from a trusted server means that
>> such an attacker would need to replace an existing signature on secure
>> hardware without detection.
> is moot anyway, the lesser problem to be concerned about.

Every line of defence (weak or strong) that an attacker has to breach
gives more time for defenders to respond.

> And this btw. is not any different than to download the torrent via https.

Modulo client respect for certificates, yes.

>>> So it is not a matter of infrastructure, but a matter of policy.
>> Where's the URL for this policy?
> I didn't mean to imply there was a set-in-stone policy already.

(Apache has quite a lot of nomenclature which is often confusing.
Policy is often used as shorthand for Apache policy.  Which is
reasonably set-in-stone.)

> What I meant was that it is up to the project to decide whether torrents are
> used or not, that the technical implementation of using torrents is so
> simple that apache infrastructure is not needed at all. You want
> torrents, you got torrents. You don't want them, you just don't use
> them.

For Apache releases, I think torrents would be doable with a little
work (I think that seeds would need to be obtained from mirrors but
signatures from Apache).

For OOo legacy releases, my advice is just to show up and ask
Infrastructure to help solve your problem.

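The split-trust download Robert sketches above (the artifact from a mirror, the detached signature and the signing keys from the trusted Apache host, then a gpg check before anything is used) as a shell script. This is an added example, not code from the thread or from Apache Infrastructure; the two host URLs, the `<project>/KEYS` layout under the trusted host, and the file names are assumptions, and `verify_release` treats anything other than a VALIDSIG status from gpg as failure, so a mirror that serves a modified tarball (or a signature made with a key that is not in KEYS) is rejected.

```shell
#!/bin/sh
# Added example: fetch a release the way the thread describes, with the
# artifact coming from a mirror and the signature plus KEYS file from the
# trusted host. Hosts and paths below are placeholders, not Apache's real ones.
set -eu

TRUSTED_HOST="${TRUSTED_HOST:-https://trusted.example.org/dist}"   # assumed
MIRROR_HOST="${MIRROR_HOST:-https://mirror.example.org/dist}"      # assumed

# verify_release ARTIFACT SIGNATURE KEYS
# Imports KEYS into a throwaway keyring (so the user's own keyring and trust
# settings never influence the result) and verifies ARTIFACT against the
# detached SIGNATURE. Returns 0 only when gpg reports VALIDSIG; a bad
# signature, a missing key or a tampered file all return 1.
verify_release() {
    artifact=$1; signature=$2; keys=$3
    keyring=$(mktemp -d)
    chmod 700 "$keyring"
    rc=1
    if ( GNUPGHOME="$keyring"; export GNUPGHOME
         gpg --batch --quiet --import "$keys" 2>/dev/null &&
         gpg --batch --status-fd 1 --verify "$signature" "$artifact" 2>/dev/null |
             grep -q '^\[GNUPG:\] VALIDSIG' ); then
        rc=0
    fi
    rm -rf "$keyring"
    return "$rc"
}

# fetch_release PROJECT FILE DESTDIR
# Downloads FILE from the mirror but FILE.asc and KEYS from the trusted host,
# then refuses to leave an unverified artifact behind.
fetch_release() {
    project=$1; file=$2; dest=$3
    mkdir -p "$dest"
    # Only the bulk artifact comes from the (untrusted) mirror.
    curl -fsSL -o "$dest/$file" "$MIRROR_HOST/$project/$file"
    # Signature and keys come from the trusted host, over https.
    curl -fsSL -o "$dest/$file.asc" "$TRUSTED_HOST/$project/$file.asc"
    curl -fsSL -o "$dest/KEYS" "$TRUSTED_HOST/$project/KEYS"
    if verify_release "$dest/$file" "$dest/$file.asc" "$dest/KEYS"; then
        echo "OK: $file verified against $TRUSTED_HOST/$project/KEYS"
    else
        echo "FAILED: signature check for $file; removing it" >&2
        rm -f "$dest/$file"
        return 1
    fi
}

# Usage (placeholder project and file):
#   fetch_release example-project example-1.0.tar.gz ./downloads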