incubator-ooo-dev mailing list archives

From Dave Fisher <dave2w...@comcast.net>
Subject Re: [RELEASE]: download page on the AOO project webpage
Date Sat, 05 May 2012 00:02:48 GMT

On May 4, 2012, at 4:16 PM, Andrea Pescetti wrote:

> On 04/05/2012 Rob Weir wrote:
>> And Apache /dist serving the hashes for verification
> 
> This is surely OK, but the project policy at OpenOffice.org was to additionally send
> an e-mail to a public list (it would be ooo-dev with the current settings) with all checksums.
> While it may sound odd, it makes sense since the list is publicly archived in several places,
> so if the website is hacked (or simply if its revision history is lost due to migration, as
> recently happened for openoffice.org) it is always possible to verify that an OpenOffice
> download is genuine.

The ASF works very hard at protecting the integrity of /dist. It should be considered safe.

Both /dist and the site are in svn. As long as the project is keeping an eye on commit logs
we can be pretty sure to catch any bad changes through a committer id.

Multiples that are the same distributed all over are good too. The mirrors serve that purpose.

Best would be digitally signed packages. If you watch Foundation lists, you'll know that such
signing is being discussed. With that this business of checksums goes away.

But nothing wrong with email.

Regards,
Dave

> 
> Regards,
>  Andrea.
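An added example (not from this thread or from the AOO project) of the cross-check Andrea describes: a download is accepted only if the checksum published on /dist and the copy archived in the announcement e-mail both match the file, so a single altered copy is caught. The package name, its contents and both checksum texts are constructed for the demo.

```python
import hashlib
import os
import re
import tempfile

# "<sha256 hex>  <filename>" lines as written by sha256sum; the same pattern
# picks them out of a checksum file or the body of an announcement e-mail.
CHECKSUM_LINE = re.compile(r"^\s*([0-9a-fA-F]{64})\s+\*?(\S+)\s*$", re.MULTILINE)

def parse_checksums(text):
    """Return {filename: sha256 hex} for every checksum line found in text."""
    return {name: digest.lower() for digest, name in CHECKSUM_LINE.findall(text)}

def sha256_of_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def verify_download(path, sources):
    """sources maps a label ("dist", "list archive") to published checksum text.
    Every source must list the file and every listed digest must equal the
    file's actual digest, so one compromised copy cannot pass. Returns (ok, reason)."""
    name = os.path.basename(path)
    actual = sha256_of_file(path)
    for label, text in sources.items():
        published = parse_checksums(text).get(name)
        if published is None:
            return False, f"{label}: no checksum published for {name}"
        if published != actual:
            return False, f"{label}: checksum mismatch for {name}"
    return True, f"{name} matches all {len(sources)} sources"

def run_demo():
    """Constructed scenario: a fake package, a /dist-style checksum file and an
    announcement e-mail, then the same check against a tampered /dist copy."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        pkg = os.path.join(d, "Apache_OpenOffice_demo.tar.gz")
        with open(pkg, "wb") as f:
            f.write(b"constructed package contents, not a real release\n")
        digest = sha256_of_file(pkg)
        dist_text = f"{digest}  Apache_OpenOffice_demo.tar.gz\n"
        mail_text = ("Checksums for this build (constructed announcement):\n\n"
                     f"{digest}  Apache_OpenOffice_demo.tar.gz\n\nRegards,\n")
        results["genuine"] = verify_download(pkg, {"dist": dist_text, "ooo-dev archive": mail_text})
        forged = "0" * 64 + "  Apache_OpenOffice_demo.tar.gz\n"  # site serving a wrong digest
        results["tampered_dist"] = verify_download(pkg, {"dist": forged, "ooo-dev archive": mail_text})
    return results
```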

