www-repository mailing list archives

From "Henk P. Penning" <he...@cs.uu.nl>
Subject Re: Summary
Date Wed, 01 Mar 2006 23:47:17 GMT
On Thu, 2 Mar 2006, Brett Porter wrote:

> Date: Thu, 2 Mar 2006 10:29:31 +1100
> From: Brett Porter <brett.porter@gmail.com>
> To: repository@apache.org
> Subject: Re: Summary
>
> I haven't reviewed the rest of the email yet, but on this point, one
> of the others is needed for checking download integrity (it's not a
> security mechanism at all).

  Hm, if everything is pgp signed, ASF can check that the files on
  www.apache.org are ok ; The ASF keeps a database mapping md5 -> file ;
  the download user computes the md5 of the downloaded file, and
  asks a secure ASF server which file has the computed md5.
  That's how my checker stuff works :

    http://people.apache.org/~henkp/cgi-bin/md5.cgi

  -- the release manager doesn't need to provide md5's, .md5's are obsolete
  -- currently .md5's are rsynced by the mirrors ; that's nonsense.

> On 3/2/06, Noel J. Bergman <noel@devtech.com> wrote:
> > > * jars must be: md5'd, sha1'd, pgp (.asc'd).
> >
> > Justification?  I only do PGP, nor do I see any need for anything else.
> >
> >         --- Noel

  HPP

----------------------------------------------------------------   _
Henk P. Penning, Computer Systems Group       R Uithof CGN-A232  _/ \_
Dept of Computer Science, Utrecht University  T +31 30 253 4106 / \_/ \
Padualaan 14, 3584CH Utrecht, the Netherlands F +31 30 251 3791 \_/ \_/
http://www.cs.uu.nl/staff/henkp.html          M penning@cs.uu.nl  \_/
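
The lookup scheme described in the message above, as an added sketch that is not part of the original post and is not the code behind md5.cgi: a trusted index maps digest -> file, and the downloader hashes the local file and asks which file has that digest. `DigestIndex`, `check_download` and the sample paths are hypothetical; MD5 is used because the message uses it, and the algorithm is a parameter.

```python
import hashlib
import io


def file_digest(stream, algo="md5", chunk=65536):
    """Hash a binary stream in chunks and return the hex digest."""
    h = hashlib.new(algo)
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


class DigestIndex:
    """Trusted-side table: digest -> paths of verified release files."""

    def __init__(self, algo="md5"):
        self.algo = algo
        self._paths = {}

    def register(self, path, stream):
        # Assumption: called only for files whose PGP signature was checked.
        digest = file_digest(stream, self.algo)
        self._paths.setdefault(digest, set()).add(path)
        return digest

    def lookup(self, digest):
        return sorted(self._paths.get(digest.strip().lower(), ()))


def check_download(index, expected_path, stream):
    """Return (verdict, digest, known_paths) for a downloaded file."""
    digest = file_digest(stream, index.algo)
    known = index.lookup(digest)
    if not known:
        return "unknown", digest, known      # not a file the index knows
    if expected_path in known:
        return "match", digest, known
    return "other-file", digest, known       # genuine, but not the one asked for


if __name__ == "__main__":
    # Constructed sample data: paths and contents are made up.
    index = DigestIndex()
    index.register("dist/example/example-1.0.jar", io.BytesIO(b"abc"))
    index.register("dist/example/example-1.1.jar", io.BytesIO(b"abcd"))
    for name, body in [("example-1.1.jar", b"abcd"), ("example-1.1.jar", b"abc"),
                       ("example-1.1.jar", b"abcd\n")]:
        print(check_download(index, "dist/example/" + name, io.BytesIO(body)))
```

The "other-file" verdict is the case a bare digest lookup cannot settle on its own: the bytes are a known release file, so the caller still has to compare the returned path with the file it meant to fetch.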

