tomcat-dev mailing list archives

From Mark Claassen <>
Subject RE: Binary build procedures
Date Tue, 23 May 2006 15:02:49 GMT
Thanks for all the information.  To paraphrase what you are saying, the
sources and binary distros are tightly controlled.  The binary builds (for
the whole Apache Foundation) are created and maintained with security in
mind by people who know what they are doing.
-----Original Message-----
From: [] On Behalf Of Yoav
Sent: Tuesday, May 23, 2006 10:53 AM
To: Tomcat Developers List
Subject: Re: Binary build procedures

The binary distributions are handled with the same security precautions as
the source ones.  Each distribution file is accompanied by its MD5 checksum
and is PGP-signed by the release manager.

The MD5 checksums, PGP signatures, and KEYS files (available with the distro
as well as on the main download pages) are all unmirrored, residing only on
the original servers.  So in addition to the security granted by
MD5 and PGP, someone would have to hack and modify those very
files in order to get you to trust the release.  I'm not aware of that ever
happening in the past.

Besides noting that the security for source distros (which you already
trust) is the same as for binary distros, I'd further note that these
procedures are standard across the Foundation (i.e. Tomcat doesn't do
anything special here), and as such have been devised, verified, and are
monitored by a number of folks who know a whole lot more than I do about
distro integrity.

Finally, if you still don't trust binaries but do trust sources, you always
have the option of grabbing the latter distro and building the binary
yourself ;)


On 5/23/06, Mark Claassen <> wrote:
> My boss has implemented some new procedures with regard to open source 
> projects.  He believes the source distributions are trustworthy, but 
> he is not sure if he trusts the binary distributions.  I think the 
> reasoning is that he is uncertain if the binary distributions are 
> controlled as well as the source ones are.  And if they are not, 
> someone could inject some malicious code to expose customer data or
> Can someone give me a brief explanation on how the binary 
> distributions are created for 5.5?  Are the binary distributions 
> created automatically from the repository, leaving no chance for nefarious
> Thanks,
> Mark

Yoav Shapira
Nimalex LLC
1 Mifflin Place, Suite 310
Cambridge, MA, USA

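The verification Yoav describes (the distro's .md5 file, the release manager's detached PGP signature, and the unmirrored KEYS file), as an added example that is not part of the thread; the Tomcat file names are assumed and the demo data is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: check a downloaded Apache release the way
# Yoav describes, against its .md5 file and its detached PGP signature (.asc)
# using the project's KEYS file. File names below are assumed, not from the page.
set -u

# Print the MD5 of $1 as 32 lowercase hex characters (md5sum, else openssl).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -c1-32
    else
        openssl dgst -md5 "$1" | awk '{print tolower($NF)}'
    fi
}

# verify_md5 ARTIFACT MD5FILE -> 0 if MD5FILE's digest matches ARTIFACT,
# 1 on mismatch, 2 if no digest is found. Apache .md5 files vary in layout
# ("<hex>  <name>", "<hex> *<name>", bare "<hex>"), so only the first 32 hex
# characters in the file are compared, case-insensitively.
verify_md5() {
    expected=$(tr 'A-F' 'a-f' < "$2" | grep -o '[0-9a-f]\{32\}' | head -n 1)
    [ -n "$expected" ] || return 2
    actual=$(md5_of "$1")
    [ "$expected" = "$actual" ]
}

# verify_pgp ARTIFACT ASCFILE KEYSFILE -> gpg's exit status for the detached
# signature, checked against keys imported into a throwaway keyring so the
# downloaded KEYS file never touches the user's own keyring or trust database.
# Note: import alone does not make a key trusted; confirm the signing key's
# fingerprint out of band (the unmirrored KEYS file is the anchor Yoav names).
verify_pgp() {
    home=$(mktemp -d) || return 2
    gpg --homedir "$home" --batch --quiet --import "$3" 2>/dev/null || { rm -rf "$home"; return 2; }
    gpg --homedir "$home" --batch --quiet --verify "$2" "$1" 2>/dev/null
    status=$?
    rm -rf "$home"
    return "$status"
}

# Constructed offline demo: a stand-in distro, its .md5, then a modified copy.
demo=$(mktemp -d)
printf 'stand-in for a Tomcat 5.5 distro\n' > "$demo/distro.tar.gz"
printf '%s  distro.tar.gz\n' "$(md5_of "$demo/distro.tar.gz")" > "$demo/distro.tar.gz.md5"
verify_md5 "$demo/distro.tar.gz" "$demo/distro.tar.gz.md5" && echo "md5 ok"
printf 'x' >> "$demo/distro.tar.gz"   # simulate a tampered mirror copy
verify_md5 "$demo/distro.tar.gz" "$demo/distro.tar.gz.md5" || echo "md5 MISMATCH: reject"
rm -rf "$demo"
# Real use: verify_pgp apache-tomcat-5.5.X.tar.gz apache-tomcat-5.5.X.tar.gz.asc KEYS
```

Because the .md5 and .asc files are fetched from the unmirrored origin while the distro itself may come from a mirror, a mismatch here means the mirror copy should be rejected, not that the checksum file is wrong.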
