tomcat-dev mailing list archives

From Mark Claassen <>
Subject RE: Binary build procedures
Date Tue, 23 May 2006 20:54:59 GMT
Thanks for your help.  I am convinced; however, I am not the one that needs
convincing.  Do you have any idea if other companies trust the binary
builds?  (Is this 'paranoia' unique to my company?)

So that I have all my ducks in a row, I have been looking into the src and binary
distros a bit further, and I noticed the tomcat-native library is included as
source in the binary distro as a tar.gz file.  Is this a necessary component
of Tomcat?  What is it for?  The only platform-specific files I found in the
binary distro were the scripts and the Windows startup executable.

-----Original Message-----
From: Tim Funk [] 
Sent: Tuesday, May 23, 2006 11:09 AM
To: Tomcat Developers List
Subject: Re: Binary build procedures

The release manager (RM)
- creates a binary from his copy of source.
- generates a checksum key to allow validation of no tampering of the RM's

The RM could insert malicious code into the build. If that were to happen -
the RM would probably be kicked out of the project in a hurry.

It's not valid to trust a source release download either. It's easy to tamper
with the source just as it is the binary. But having the source at this
point does allow for easy audits.

If you are really paranoid, building your binary from the appropriate TAG
would be safest since you are getting the original source - not repackaged


Mark Claassen wrote:
> My boss has implemented some new procedures with regard to open source 
> projects.  He believes the source distributions are trustworthy, but 
> he is not sure if he trusts the binary distributions.  I think the 
> reasoning is that he is uncertain if the binary distributions are 
> controlled as well as the source ones are.  And if they are not, 
> someone could inject some malicious code to expose customer data or
> Can someone give me a brief explanation on how the binary 
> distributions are created for 5.5?  Are the binary distributions 
> created automatically from the repository, leaving no chance for nefarious
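The checksum step Tim describes is only useful if the downloader actually checks it. The script below is an added example, not code from the thread or from the Tomcat project: it computes the SHA-256 digest of a downloaded archive and compares it against the published value, rejecting any file that has been altered. The file contents and the digest are constructed for the demonstration; in practice the expected digest comes from the checksum file published beside the archive. Note the caveat implied by Tim's point about the RM: a checksum hosted next to the archive proves the copy you fetched matches what was published, not who published it, so it guards against a corrupted or tampered mirror rather than against a malicious release. Tying the artifact to the RM requires checking a signature made with the RM's key as well.

```shell
#!/bin/sh
# Added example (not from the thread or the Tomcat project): verify a
# downloaded distribution archive against its published SHA-256 digest.
# File contents and the digest below are constructed for the demonstration.

# Print the SHA-256 digest of a file, using whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 when the file's digest equals the published one (hex compared
# case-insensitively), 1 otherwise. The expected digest would normally be
# read from the .sha256 file published alongside the archive.
verify_checksum() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Constructed demonstration: a stand-in "archive" with a known digest, then
# a tampered copy of it, which must be rejected.
demo() {
    tmp=$(mktemp)
    known='5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03'
    printf 'hello\n' > "$tmp"
    if verify_checksum "$tmp" "$known"; then
        echo "OK: checksum matches published value"
    else
        echo "FAIL: genuine file rejected"
    fi
    printf 'hello!\n' > "$tmp"
    if verify_checksum "$tmp" "$known"; then
        echo "FAIL: tampered file accepted"
    else
        echo "OK: tampered file rejected"
    fi
    rm -f "$tmp"
}

demo
```

Run it as `sh verify.sh`; to check a real download, call `verify_checksum tomcat-archive.tar.gz "$(cut -d' ' -f1 tomcat-archive.tar.gz.sha256)"` with the real file names substituted.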
