spark-dev mailing list archives

From: Patrick Wendell <pwend...@gmail.com>
Subject: Re: Spark 0.8.0: bits need to come from ASF infrastructure
Date: Wed, 25 Sep 2013 23:08:42 GMT

Yep, we definitely need to just directly point people to the location at
apache.org where they can find the hashes. I just updated the release
notes and downloads page to point to that site.

I just wanted to point out that mirroring these through a CDN seems
philosophically the same as mirroring through Apache, since in neither
case do we expect the users to trust the artifact they download. We
just need to be more explicit that we are, indeed, mirroring and
explain that the trusted root is at apache.org.

- Patrick

On Wed, Sep 25, 2013 at 3:56 PM, Roman Shaposhnik <rvs@apache.org> wrote:
> On Wed, Sep 25, 2013 at 3:48 PM, Patrick Wendell <pwendell@gmail.com> wrote:
>> Hey we've actually distributed our artifacts through amazon cloudfront
>> in the past (and that is where the website links redirect to).
>>
>> Since the apache mirrors don't distribute signatures anyways,
>
> True, but apache dist does. IOW, it is not uncommon for those
> having automated build/fetching systems to get bits from
> one of the mirrors and then get the hashes directly from dist.
>
> In your current case, I don't think I know of a way to do that.
>
> Now, you may say that the current CDN you guys are using
> is functioning like a mirror -- well, I'd say that it needs to be
> called out like one then.
>
> Otherwise, as a naive user I *really* have to guess where
> to get the hashes.
>
>> what is the difference between linking to an apache mirror vs using a more
>> robust CDN? If people want to verify the downloads they need to go to
>> the apache root in either case.
>>
>> Is this just a cultural thing or is there some security reason?
>
> A bit of both I guess.
>
> Thanks,
> Roman.
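
The workflow discussed in this thread (bits from any mirror or CDN, digest only from the trusted root), as an added example that is not part of the original messages or of any Apache tooling. The host constant, the `/dist/example/` path, the file name and the sample bytes are constructed assumptions, and the parser goes beyond the thread by accepting several common checksum-file layouts.

```python
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Assumption: the host that serves the trusted dist area (not named in full in the thread).
TRUSTED_HOST = "www.apache.org"


def digest_url_is_trusted(url: str) -> bool:
    """Accept a checksum URL only when it is HTTPS on the trusted root host."""
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname == TRUSTED_HOST


def parse_digest(text: str, algo: str) -> str:
    """Return the lowercase hex digest from a checksum file.

    Layouts handled: bare hex, "<hex>  <file>", and "<file>: AB CD ..."
    (grouped hex, possibly wrapped over several lines).
    """
    if ":" in text:
        candidate = re.sub(r"\s+", "", text.split(":", 1)[1])
    else:
        fields = text.split()
        candidate = fields[0] if fields else ""
    want = hashlib.new(algo).digest_size * 2
    if len(candidate) != want or not re.fullmatch(r"[0-9A-Fa-f]+", candidate):
        raise ValueError(f"no well-formed {algo} digest in checksum file")
    return candidate.lower()


def verify(artifact: bytes, checksum_text: str, checksum_url: str,
           algo: str = "sha512") -> bool:
    """Check mirror-supplied bytes against a digest fetched from the trusted root."""
    if not digest_url_is_trusted(checksum_url):
        raise ValueError("checksum must come from the trusted root, not a mirror")
    actual = hashlib.new(algo, artifact).hexdigest()
    return hmac.compare_digest(parse_digest(checksum_text, algo), actual)


# Constructed sample data: stand-in release bytes and a grouped-hex checksum file.
ARTIFACT = b"constructed release bytes"
_hex = hashlib.sha512(ARTIFACT).hexdigest().upper()
_groups = [_hex[i:i + 8] for i in range(0, len(_hex), 8)]
CHECKSUM_TEXT = ("example-1.0.tgz: " + " ".join(_groups[:8])
                 + "\n                 " + " ".join(_groups[8:]) + "\n")
ROOT_URL = f"https://{TRUSTED_HOST}/dist/example/example-1.0.tgz.sha512"

if __name__ == "__main__":
    print(verify(ARTIFACT, CHECKSUM_TEXT, ROOT_URL))            # mirror copy intact
    print(verify(ARTIFACT + b"!", CHECKSUM_TEXT, ROOT_URL))     # mirror copy altered
```

The artifact bytes can come from any mirror; only the checksum URL is pinned, which is why a digest served alongside the download on the same CDN is rejected.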
