xml-general mailing list archives

From "Ted Leung" <twle...@sauria.com>
Subject Re: Checksum for downloaded files
Date Thu, 29 Mar 2001 19:20:32 GMT
Thanks for bringing this to our attention.

For some of the XML projects, we have been PGP signing the
binaries - this includes Xerces, Xalan, but not all the projects are doing
this. It appears that not all the Jakarta projects are doing this either,
since neither Ant, log4J, JMeter, James nor Tomcat has .md5's. Perhaps
it would be in *both* projects' interests to provide either a .md5 or PGP
signature for *all* their release binaries. It would be even better if both
projects adopted the same thing, to reduce user confusion.

In the future, please send messages like this to general@xml.apache.org.



----- Original Message -----
From: "Jon Stevens" <jon@latchkey.com>
To: "Tom Gryder" <twg@mitre.org>
Cc: <pmc@xml.apache.org>
Sent: Thursday, March 29, 2001 10:54 AM
Subject: Re: Checksum for downloaded files

> on 3/29/01 10:38 AM, "Tom Gryder" <twg@mitre.org> wrote:
> > Jon,
> > Sorry I made a mistake and sent you the wrong link, but I still have the
> > basic question. Does Apache maintain a checksum or some type of security to
> > assure people that what is downloaded is unaltered from what Apache put on
> > the web?
> > The site I downloaded from was:
> > http://xml.apache.org/dist/xerces-j/
> > The file was:
> > Xerces-J-bin.1.0.0.zip
> It's a project-by-project decision to implement this.
> On the projects that I deal with, there is always a corresponding .md5
> @see <http://jakarta.apache.org/builds/jakarta-velocity/release/v1.0b2/>
> It seems that the XML Projects don't care enough about this. I have CC'd
> the xml.apache.org PMC in order to hopefully gain their attention enough to
> care about this issue.
> In the end though, if you feel the need to question the source code
> validity, you can always check out the tagged CVS code and compare that to
> the code in the download. However, I do agree, the XML Projects should make
> this easier by providing a .md5 file.
> Lastly, even with the .md5 file, that doesn't guarantee anything really. The
> server could still be hacked, a new .md5 file could be uploaded along with a
> new .tar.gz/.zip. The real solution is to mirror the .md5 files to a
> separate trusted entity; however, we have not employed anything as such, as
> this hasn't been a requirement.
> thanks,
> -jon

In case of troubles, e-mail:     webmaster@xml.apache.org
To unsubscribe, e-mail:          general-unsubscribe@xml.apache.org
For additional commands, e-mail: general-help@xml.apache.org
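As an added illustration of the point made in the quoted reply (not code from the thread or from any Apache project): a small verifier for the `.md5` file format that Jakarta published next to its archives, run against a constructed archive in three situations. The archive bytes, the digests and the file name are constructed samples; a checksum served from the same host as the archive passes even after a server compromise that regenerates both, while a copy of the checksum held by a separate trusted party still catches the substitution.

```python
"""Verify a release archive against a .md5 file, and show why a checksum
hosted beside the archive cannot detect a compromised server, whereas a
copy held by a separate trusted party can. Everything here is constructed
inline; nothing is fetched from the network."""
import hashlib
import re
from typing import Optional


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def parse_md5_file(text: str, expected_name: Optional[str] = None) -> str:
    """Return the digest from a .md5 file. Accepts the bare-digest form and the
    md5sum form 'digest  filename' (a leading '*' marks binary mode). If
    expected_name is given, a filename present in the file must match it."""
    line = text.strip().splitlines()[0] if text.strip() else ""
    m = re.match(r"^([0-9a-fA-F]{32})(?:\s+\*?(\S+))?$", line)
    if not m:
        raise ValueError("not a recognisable .md5 line: %r" % line)
    digest, name = m.group(1).lower(), m.group(2)
    if expected_name and name and name != expected_name:
        raise ValueError("checksum is for %s, not %s" % (name, expected_name))
    return digest


def verify(data: bytes, md5_text: str, name: Optional[str] = None) -> bool:
    """True if the archive bytes match the digest recorded in the .md5 file."""
    return md5_hex(data) == parse_md5_file(md5_text, name)


# Constructed stand-ins for an archive and the .md5 published next to it.
ARCHIVE_NAME = "Xerces-J-bin.1.0.0.zip"
GENUINE = b"PK\x03\x04 genuine release archive (constructed sample)"
GENUINE_MD5 = "%s  %s" % (md5_hex(GENUINE), ARCHIVE_NAME)

# The scenario from the thread: the server is compromised, the archive is
# replaced, and the .md5 beside it is regenerated to match the replacement.
TAMPERED = b"PK\x03\x04 modified archive (constructed sample)"
TAMPERED_MD5 = "%s  %s" % (md5_hex(TAMPERED), ARCHIVE_NAME)


def scenario() -> dict:
    """Outcome of the check in each situation (True = verification passes)."""
    return {
        "genuine_same_server": verify(GENUINE, GENUINE_MD5, ARCHIVE_NAME),
        # Passes too: the attacker rewrote both files, so the check proves nothing.
        "tampered_same_server": verify(TAMPERED, TAMPERED_MD5, ARCHIVE_NAME),
        # Fails: the trusted party's copy still records the genuine digest.
        "tampered_vs_trusted_copy": verify(TAMPERED, GENUINE_MD5, ARCHIVE_NAME),
    }
```

The same structure applies to a detached PGP signature: what makes it stronger is that the verifying key is obtained from somewhere other than the download host, not the signature file sitting next to the archive.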
