Return-Path: Delivered-To: apmail-repository-archive@www.apache.org Received: (qmail 93555 invoked from network); 15 Mar 2005 14:52:06 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur-2.apache.org with SMTP; 15 Mar 2005 14:52:06 -0000 Received: (qmail 83812 invoked by uid 500); 15 Mar 2005 14:52:05 -0000 Delivered-To: apmail-repository-archive@apache.org Received: (qmail 83753 invoked by uid 500); 15 Mar 2005 14:52:04 -0000 Mailing-List: contact repository-help@apache.org; run by ezmlm Precedence: bulk list-help: list-unsubscribe: List-Post: Reply-To: repository@apache.org Delivered-To: mailing list repository@apache.org Received: (qmail 83739 invoked by uid 99); 15 Mar 2005 14:52:04 -0000 X-ASF-Spam-Status: No, hits=0.4 required=10.0 tests=DNS_FROM_RFC_ABUSE,RCVD_BY_IP,SPF_HELO_PASS,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (hermes.apache.org: domain of mdiggory@gmail.com designates 64.233.184.199 as permitted sender) Received: from wproxy.gmail.com (HELO wproxy.gmail.com) (64.233.184.199) by apache.org (qpsmtpd/0.28) with ESMTP; Tue, 15 Mar 2005 06:52:03 -0800 Received: by wproxy.gmail.com with SMTP id 58so9461wri for ; Tue, 15 Mar 2005 06:51:57 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:user-agent:x-accept-language:mime-version:to:subject:references:in-reply-to:content-type:content-transfer-encoding; b=uB5jpXeEyeNqMQHoMNYIIwQSPwOS9tSY5FpcHRrHvk3+H6uD/erJTJtfJRqCH9/sx7mhgxDBTl1r5fO9qF5GpIP2l6k8wEZeT9iGf+LRmgAKP5Hv2gpPtSgZF5/cYwrcSlbK7HtGF4TqPDA0qUQQmuKeFcMxeGghVJNpUukChN4= Received: by 10.38.70.18 with SMTP id s18mr689943rna; Tue, 15 Mar 2005 06:51:56 -0800 (PST) Received: from ?192.168.1.3? ([207.172.79.43]) by mx.gmail.com with ESMTP id 71sm103540rna.2005.03.15.06.51.56; Tue, 15 Mar 2005 06:51:56 -0800 (PST) Message-ID: <4236F68A.3000905@gmail.com> Date: Tue, 15 Mar 2005 09:51:54 -0500 From: Mark Diggory User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206) X-Accept-Language: en-us, en MIME-Version: 1.0 To: repository@apache.org Subject: Re: security, hashing. References: <853ac4f40503150632263b70ad@mail.gmail.com> In-Reply-To: <853ac4f40503150632263b70ad@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked X-Spam-Rating: minotaur-2.apache.org 1.6.2 0/1000/N Russell Gold wrote: >On Thu, 10 Mar 2005 20:11:20 +0000, Steve Loughran > wrote: > > >>The disadvantages >> -no obvious 'latest version' in the repository >> -harder to field support calls, "what is the hash of your artifacts"? >> >> > >Not to mention, really complicating the job of upgrading to new versions. > >Is there a danger here of solving the 1% case at the expense of the 99% case? > > > axis-0.0.1-04f3d5aab0.jar then you have the version and the hash... Think of the hash as similar "alpha", "beta" or "rcN" identifiers (isn't it really? Your just identifying this particular "packaging" of axis-0.0.1.). But then again, this starts to get into the arena of Jar Signing, and there already is facility for that in Jar Artifacts... -Mark Diggory