xml-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ted Leung" <twle...@sauria.com>
Subject Re: Checksum for downloaded files
Date Thu, 29 Mar 2001 19:36:23 GMT
Cool.

And one more reason for me to be disappointed that I'm not
going to ApacheCon this year. :-(

Ted
----- Original Message -----
From: "Jon Stevens" <jon@latchkey.com>
To: "Ted Leung" <twleung@sauria.com>; "Tom Gryder" <twg@mitre.org>
Cc: <general@xml.apache.org>; <general@jakarta.apache.org>
Sent: Thursday, March 29, 2001 11:29 AM
Subject: Re: Checksum for downloaded files


> on 3/29/01 11:20 AM, "Ted Leung" <twleung@sauria.com> wrote:
>
> > For some of the XML projects, we have been PGP signing the
> > binaries - this includes Xerces, Xalan, but not all the projects are
doing
> > this.    It appears that not all the Jakarta projects are doing this
either,
> > since neither Ant, log4J, JMeter, James or Tomcat have .md5's.
>
> Like I said: all the projects that I'm directly involved with. :-) I
should
> qualify that to say: "all the projects that I am directly involved with
the
> releases of".
>
> > Perhaps
> > it would be in *both* project's interests to provide either a .md5 or
PGP
> > signature for *all* their release binaries.  It would be even better if
both
> > projects adopted the same thing, to reduce user confusion.
>
> PGP maybe (if someone signs the archive, that signature must be a
signature
> with a trust ring around it). So far, the XML/Jakarta projects do not have
a
> signature of that sort. Since we will be at ApacheCon in another few days,
I
> think running around and getting physical people to sign their key onto a
> "Jakarta" and "XML" key would be a good idea. I will see about doing that
> and will post another email announcing this intention later today.
>
> We can then sign all of our binaries with those keys.
>
> md5 yes (it doesn't need a signed trust ring, but does need to be mirrored
> in order to be tamper proof). since that won't happen anytime soon, the
> above PGP solution seems like a better idea.
>
> -jon
>
> --
> If you come from a Perl or PHP background, JSP is a way to take
> your pain to new levels. --Anonymous
> <http://jakarta.apache.org/velocity/ymtd/ymtd.html>
>
>
> ---------------------------------------------------------------------
> In case of troubles, e-mail:     webmaster@xml.apache.org
> To unsubscribe, e-mail:          general-unsubscribe@xml.apache.org
> For additional commands, e-mail: general-help@xml.apache.org
>


---------------------------------------------------------------------
In case of troubles, e-mail:     webmaster@xml.apache.org
To unsubscribe, e-mail:          general-unsubscribe@xml.apache.org
For additional commands, e-mail: general-help@xml.apache.org


Mime
View raw message