From: Mark Claassen
To: 'Tomcat Developers List'
Date: Tue, 23 May 2006 11:02:49 -0400
Subject: RE: Binary build procedures
Message-id: <002201c67e79$f4fa1310$19c909c0@K9>

Thanks for all the information.
To paraphrase what you are saying, the sources and binary distros are tightly controlled. The binary builds (for the whole Apache Foundation) are created and maintained with security in mind by people who know what they are doing.

-----Original Message-----
From: yoavshapira@gmail.com [mailto:yoavshapira@gmail.com] On Behalf Of Yoav Shapira
Sent: Tuesday, May 23, 2006 10:53 AM
To: Tomcat Developers List
Subject: Re: Binary build procedures

Mark,

The binary distributions are handled with the same security precautions as the source ones. Each distribution file is accompanied by its MD5 checksum and is PGP-signed by the release manager. The MD5 checksums, PGP signatures, and KEYS files (available with the distro as well as on the main download pages) are all unmirrored, residing only on the original apache.org servers. So in addition to the security granted by MD5 and PGP, someone would have to hack apache.org and modify those very files in order to get you to trust the release. I'm not aware of that ever happening in the past.

Besides noting that the security for source distros (which you already trust) is the same as for binary distros, I'd further note that these procedures are standard across the Foundation (i.e. Tomcat doesn't do anything special here), and as such have been devised, verified, and are monitored by a number of folks who know a whole lot more than I do about distro integrity.

Finally, if you still don't trust binaries but do trust sources, you always have the option of grabbing the latter distro and building the binary yourself ;)

Yoav

On 5/23/06, Mark Claassen wrote:
>
> My boss has implemented some new procedures with regard to open source
> projects. He believes the source distributions are trustworthy, but
> he is not sure if he trusts the binary distributions. I think the
> reasoning is that he is uncertain if the binary distributions are
> controlled as well as the source ones are.
> And if they are not,
> someone could inject some malicious code to expose customer data or something.
>
> Can someone give me a brief explanation on how the binary
> distributions are created for 5.5? Are the binary distributions
> created automatically from the repository, leaving no chance for nefarious tampering?
>
> Thanks,
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For
> additional commands, e-mail: dev-help@tomcat.apache.org

--
Yoav Shapira
Nimalex LLC
1 Mifflin Place, Suite 310
Cambridge, MA, USA
yoavs@computer.org / www.yoavshapira.com
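The verification step Yoav's reply describes (artifact from any mirror; checksum file, detached PGP signature and KEYS file taken only from apache.org and checked locally) is what the downloading side has to actually run. The script below is an added example written for this thread, not code from the Tomcat project or from either author. It assumes the files are already downloaded with the usual naming (`<artifact>.md5` or `.sha512`, `<artifact>.asc`, `KEYS`), that the `gpg` command-line tool is on PATH, and that the checksum and signature files were fetched from apache.org rather than from the mirror; `make_sample` builds constructed test data, not a real release.

```python
"""Check a downloaded Apache-style release the way the thread describes:
the artifact may come from any mirror, but its checksum file, its detached
PGP signature (.asc) and the project's KEYS file are taken from apache.org
itself and verified locally.  Added example; not Tomcat project code."""
import hashlib
import hmac
import re
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

_HEX = re.compile(r"[0-9a-fA-F]+")


def parse_checksum_file(text: str) -> Tuple[str, Optional[str]]:
    """Return (hex_digest, filename_or_None) from the first line of a
    checksum file.  Accepts a bare digest, "<digest>  <name>" and
    "<digest> *<name>" (md5sum/sha512sum layouts), and digests that some
    tools split into space-separated hex groups."""
    tokens = text.strip().splitlines()[0].split()
    hex_parts = []
    for tok in tokens:
        if not _HEX.fullmatch(tok):
            break
        hex_parts.append(tok)
    digest = "".join(hex_parts).lower()
    rest = tokens[len(hex_parts):]
    filename = rest[0].lstrip("*") if rest else None
    return digest, filename


def file_digest(path: Path, algorithm: str) -> str:
    """Hash a file in chunks so a large distribution never sits in memory."""
    h = hashlib.new(algorithm)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checksum(artifact: Path, checksum_file: Path) -> bool:
    """Compare the artifact's digest with the published one.  The algorithm
    comes from the checksum file's extension (.md5 in the thread; current
    Apache download pages publish .sha512).  If the checksum file names a
    file, the name must match too, so a digest published for a different
    artifact is rejected instead of passing by accident."""
    algorithm = checksum_file.suffix.lstrip(".").lower()
    expected, named = parse_checksum_file(checksum_file.read_text())
    if not expected:
        return False
    if named is not None and Path(named).name != artifact.name:
        return False
    return hmac.compare_digest(file_digest(artifact, algorithm), expected)


def _gpg(*args: str) -> bool:
    """Run gpg non-interactively; True on exit status 0."""
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg not found on PATH")
    return subprocess.run(["gpg", "--batch", *args], capture_output=True).returncode == 0


def import_keys(keys_file: Path, keyring: Path) -> bool:
    """Import the project's KEYS file into a dedicated keyring rather than the
    user's default one, so only release managers' keys can satisfy the check."""
    return _gpg("--no-default-keyring", "--keyring", str(keyring.resolve()),
                "--import", str(keys_file))


def verify_signature(artifact: Path, asc_file: Path, keyring: Path) -> bool:
    """gpg --verify against the dedicated keyring.  A well-formed signature
    from a key that is not in KEYS fails here, which is the point."""
    return _gpg("--no-default-keyring", "--keyring", str(keyring.resolve()),
                "--verify", str(asc_file), str(artifact))


def make_sample(directory: Optional[Path] = None) -> Dict[str, Path]:
    """Constructed sample data (not a real release): an artifact with a
    matching .md5, a tampered .md5, and an .md5 published under another name."""
    d = directory or Path(tempfile.mkdtemp(prefix="release-check-"))
    payload = b"constructed sample bytes standing in for a tarball\n"
    artifact = d / "apache-tomcat-5.5-EXAMPLE.tar.gz"   # placeholder name
    artifact.write_bytes(payload)
    good = d / "apache-tomcat-5.5-EXAMPLE.tar.gz.md5"
    good.write_text(hashlib.md5(payload).hexdigest() + " *" + artifact.name + "\n")
    bad = d / "tampered.md5"
    bad.write_text(hashlib.md5(payload + b"x").hexdigest() + "\n")
    other = d / "other.md5"
    other.write_text(hashlib.md5(payload).hexdigest() + "  some-other-file.tar.gz\n")
    return {"artifact": artifact, "good_md5": good, "bad_md5": bad, "other_name_md5": other}


if __name__ == "__main__":
    s = make_sample()
    print("checksum ok:", verify_checksum(s["artifact"], s["good_md5"]))
    print("tampered rejected:", not verify_checksum(s["artifact"], s["bad_md5"]))
    # Against a real download (hypothetical paths):
    #   import_keys(Path("KEYS"), Path("tomcat.gpg"))
    #   verify_signature(artifact, Path(str(artifact) + ".asc"), Path("tomcat.gpg"))
```

The two checks carry different weight. The checksum only tells you the mirror copy matches what apache.org published, and MD5 is no longer collision-resistant, so by itself it is an integrity check against corruption and lazy substitution, not against a capable attacker. The signature is where the trust actually lives, and it is only as good as the KEYS file: if KEYS came from the same place as the artifact, a substituted artifact could arrive with a substituted key, which is exactly why the thread stresses that KEYS, the `.asc` and the checksum are unmirrored. Using a dedicated keyring rather than the user's default one keeps an unrelated key already on the machine from satisfying the check.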