www-repository mailing list archives

From "Niclas Hedhman" <nic...@hedhman.org>
Subject Re: Summary
Date Fri, 03 Mar 2006 03:37:57 GMT
On 3/3/06, Noel J. Bergman <noel@devtech.com> wrote:
> > I think Brett has a point. Keep the md5 and/or sha1 for simple download
> > verification
> They are absolutely worthless if you download them from anywhere other than
> a trusted source, which excludes mirrors.
> This is why Henk P. Penning is pushing for us to stop distributing MD5s, and
> to require users to verify downloaded files against MD5s maintained here.
> See his message
> http://mail-archives.apache.org/mod_mbox/www-repository/200603.mbox/%3cPine.GSO.4.44.0603020038260.7085-100000@castor.cs.uu.nl%3e

People, can we agree that we are talking about two different things??

One side: We need authentication of the downloaded artifacts. Essential!

The other side: We want to be able to verify that the download succeeded and
was not corrupted.

We who want the latter still think that the former is excellent, but it
will take a while, and _meanwhile_ can we keep the checksum for downloads...


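The two checks this thread distinguishes, as an added example that is not part of the original message or of any Apache tooling: a digest fetched from the same mirror as the file only shows the transfer was not corrupted, while comparing against a digest maintained at the origin also catches a mirror serving different bytes. The function names, verdict strings and sample bytes are constructed for illustration.

```python
import hashlib
import hmac

# The two digest types named in the thread, keyed by hex length.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1"}

def parse_checksum_file(text):
    """Parse a sidecar checksum file: a bare hex digest or 'digest  filename'."""
    fields = text.split()
    if not fields:
        raise ValueError("empty checksum file")
    token = fields[0].lower()
    algo = ALGO_BY_HEX_LEN.get(len(token))
    if algo is None or any(c not in "0123456789abcdef" for c in token):
        raise ValueError("not an MD5 or SHA-1 hex digest")
    return algo, token

def matches(data, checksum_text):
    """True if data hashes to the digest recorded in checksum_text."""
    algo, expected = parse_checksum_file(checksum_text)
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected)

def classify(data, mirror_checksum, origin_checksum=None):
    """Separate 'download succeeded' from 'download is what the origin published'."""
    if not matches(data, mirror_checksum):
        return "corrupt"                  # damaged transfer: fetch again
    if origin_checksum is None:
        return "intact-unauthenticated"   # consistent with the mirror, nothing more
    if matches(data, origin_checksum):
        return "intact-matches-origin"
    return "mismatch-with-origin"         # mirror file and digest agree, origin differs

# Constructed sample data (not real release artifacts).
ORIGINAL = b"constructed release artifact bytes v1.0\n"
ORIGIN_SUM = hashlib.sha1(ORIGINAL).hexdigest() + "  artifact.jar\n"
TRUNCATED = ORIGINAL[:-5]                 # simulated interrupted download
REPLACED = b"different bytes served by a mirror\n"
REPLACED_SUM = hashlib.md5(REPLACED).hexdigest()  # digest served beside REPLACED

if __name__ == "__main__":
    print(classify(TRUNCATED, ORIGIN_SUM))
    print(classify(ORIGINAL, ORIGIN_SUM))
    print(classify(REPLACED, REPLACED_SUM))
    print(classify(REPLACED, REPLACED_SUM, ORIGIN_SUM))
```

The origin comparison is only as trustworthy as the channel the origin digest was fetched over; it does not replace signature verification.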