incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Weir <robw...@apache.org>
Subject Re: [RELEASE]: download page on the AOO project webpage
Date Fri, 04 May 2012 17:14:24 GMT
On Fri, May 4, 2012 at 1:02 PM, Roberto Galoppini <rgaloppini@geek.net> wrote:
> On Fri, May 4, 2012 at 6:55 PM, Rob Weir <robweir@apache.org> wrote:
>> On Fri, May 4, 2012 at 12:47 PM, Dave Fisher <dave2wave@comcast.net> wrote:
>>>
>>> On May 4, 2012, at 9:40 AM, Rob Weir wrote:
>>>
>>>> On Fri, May 4, 2012 at 12:16 PM, Fernando Cassia <fcassia@gmail.com>
wrote:
>>>>> On Fri, May 4, 2012 at 12:46 PM, Dave Fisher <dave2wave@comcast.net>
wrote:
>>>>>
>>>>>> I think we should offer mappings and have this page definitely download
>>>>>> via the Apache mirrors. I know what to do to make this work with
the Apache
>>>>>> mirror cgi.
>>>>>
>>>>>
>>>>> I think I had read somewhere about Apache choosing to use SourceForge's
>>>>> network of mirrors around the world for distribution?
>>>>>
>>>
>>> That is correct for the www.openoffice.org/download/ main download page.
>>>
>>> The legacy 3.3 binaries should continue to be available from the MirrorBrain
network.
>>>
>>> A portion of the Apache Mirrors will also seed AOO. The page being discussed
here is on the project site at incubator.apache.org/openofficeorg/. This page will serve through
the Apache Mirrors. The mirror operators are seeding these large binaries and we need to use
those as well.
>>>
>>
>> No. no. no.  We're trying to reduce the number of places where
>> download logic lives.  If we have a download link for AOO on the
>> incubator page it should just point to the download.openoffice.org.
>
> My understanding from past conversations on the binaries topic is that
> we'll have SourceForge serving binaries, and MirrorBrain serving
> updates. This will make easy to track downloads and have meaningful
> stats.
>

And Apache mirrors serving source code tarbars and SDK downloads.

And Apache /dist serving the hashes for verification

Does anyone object to that as the plan?

-Rob


> Roberto
>
>
>>>> A distribution consists of several pieces:
>>>>
>>>> 1) The binaries, i.e., the install images.  These are served up via SourceForge
>>>>
>>>> 2) The source tarballs -- These could go out via Apache mirror network
>>>> if we want.  Or SourceForge.  Is will be very low volume in either
>>>> case.
>>>
>>> I'm for doing Source and SDK on the Apache Mirrors.
>>>
>>>>
>>>> 3) The detached signatures and hashes,  For these we must link our
>>>> page to the Apache copies on /dist.  This is an essential part of the
>>>> verification model.  This is how the user is protected against a rogue
>>>> mirror operator or a "man-in-the-middle" attack,  They can always
>>>> verify their download against the authoritative hashes and signature
>>>> on the Apache server.
>>>
>>> This is a key point and should probably be a separate thread.
>>>
>>> Regards,
>>> Dave
>>>
>>>
>>>
>>>>
>>>> -Rob
>>>>
>>>>> FC
>>>>> --
>>>>> During times of Universal Deceit, telling the truth becomes a revolutionary
>>>>> act
>>>>> Durante épocas de Engaño Universal, decir la verdad se convierte en
un Acto
>>>>> Revolucionario
>>>>> - George Orwell
>>>
>
> --
> ====
> This e- mail message is intended only for the named recipient(s) above. It
> may contain confidential and privileged information. If you are not the
> intended recipient you are hereby notified that any dissemination,
> distribution or copying of this e-mail and any attachment(s) is strictly
> prohibited. If you have received this e-mail in error, please immediately
> notify the sender by replying to this e-mail and delete the message and any
> attachment(s) from your system. Thank you.
>

Mime
View raw message