tomcat-dev mailing list archives

From Kurt Miller <t...@optonline.net>
Subject Re: [Fwd: Re: /www/www.apache.org/dyn/mirrors/mirrors.cgi]
Date Wed, 08 Oct 2003 13:37:50 GMT
From: "jean-frederic clere" <jfrederic.clere@fujitsu-siemens.com>
> Tetsuya Kitahata wrote:
> > On Tue, 07 Oct 2003 13:49:39 +0200
> > Remy Maucherat <remm@apache.org> wrote:
> >
> >
> >>There is no guarantee that the binaries d/led are not corrupted on your
> >>random mirror, or haven't been tampered with, or if the mirror is
> >>available at all.
> >
> >
> >>This is for the build process, so mirrors are not a good solution.
> >
> >
> > If so, archive.apache.org would be better?
> > (Seems that it would be against the policy of
> > infrastructure team, though)
>
> Yes.
> The download task is used to build the Tomcat, so we must be sure that the files
> we use to build it are reliable. Using archive.apache.org would allow us to
> build old versions of Tomcat: this is interesting for bug fixing.
>

Doesn't this mean that anyone who tries to build Tomcat from source using
the download task will not use the mirrors? If Apache doesn't trust
downloading from mirrors how would you expect users to trust them?

I guess a user would be willing to manually check the keys of one binary
download, but would not be likely to check the keys of multiple downloads.
Maybe a solution similar to what the BSD porting systems use would be a
possible solution to the trust issue. They automatically download AND check
the keys of the files.

-Kurt


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
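
Added example, not part of the original message or of the Tomcat build: one way a download step can check every fetched file automatically, in the spirit of the BSD ports approach mentioned above. It assumes SHA-256 digests pinned in a distinfo-style manifest that ships with the source tree; the manifest format, function names and file names are illustrative assumptions.

```python
import hashlib
import hmac
import re
from pathlib import Path

# Assumed manifest format, modelled on a BSD ports distinfo file:
#   SHA256 (name) = <hex digest>
#   SIZE (name) = <bytes>
# File names containing path separators are rejected by the pattern.
_LINE = re.compile(r"^(SHA256|SIZE) \(([^)/\\]+)\) = (\S+)$")


def parse_manifest(text):
    """Return {filename: {"SHA256": hex, "SIZE": int}} from manifest text."""
    pinned = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable manifest line: {line!r}")
        kind, name, value = m.groups()
        pinned.setdefault(name, {})[kind] = int(value) if kind == "SIZE" else value.lower()
    return pinned


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large archives are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_downloads(manifest_text, download_dir):
    """Check every pinned file; return {filename: reason} for each failure."""
    failures = {}
    for name, want in parse_manifest(manifest_text).items():
        path = Path(download_dir) / name
        if "SHA256" not in want:
            failures[name] = "no digest pinned"  # fail closed
        elif not path.is_file():
            failures[name] = "missing"
        elif "SIZE" in want and path.stat().st_size != want["SIZE"]:
            failures[name] = "size mismatch"
        elif not hmac.compare_digest(sha256_file(path), want["SHA256"]):
            failures[name] = "digest mismatch"
    return failures
```

A build would call `verify_downloads` after fetching and stop if the returned dict is not empty; because the digests travel with the source tree, the files can then come from any mirror.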