xml-general mailing list archives

From Tom Gryder <...@mitre.org>
Subject Re: Checksum for downloaded files
Date Thu, 29 Mar 2001 20:53:37 GMT
Ted, Jon:
    Thanks for your help.  The comment below on PGP allowed me to realize what 
I needed was on your "dist" directory.  What I needed was the "xxxx.sig" 
files for xerces and xalan.  Having never had to worry about this level of 
security, I did not realize what they were.  I sent my security guy the info 
and now he just needs to verify the signatures.  Sorry for my lack of 
knowledge and thanks for your help, it is greatly appreciated.
At 11:20 AM 3/29/2001 -0800, Ted Leung wrote:
>Thanks for bringing this to our attention.
>For some of the XML projects, we have been PGP signing the
>binaries - this includes Xerces, Xalan, but not all the projects are doing
>this.    It appears that not all the Jakarta projects are doing this either,
>since neither Ant, log4J, JMeter, James or Tomcat have .md5's. Perhaps
>it would be in *both* project's interests to provide either a .md5 or PGP
>signature for *all* their release binaries.  It would be even better if both
>projects adopted the same thing, to reduce user confusion.
>In the future, please send messages like this to general@xml.apache.org.
>----- Original Message -----
>From: "Jon Stevens" <jon@latchkey.com>
>To: "Tom Gryder" <twg@mitre.org>
>Cc: <pmc@xml.apache.org>
>Sent: Thursday, March 29, 2001 10:54 AM
>Subject: Re: Checksum for downloaded files
> > on 3/29/01 10:38 AM, "Tom Gryder" <twg@mitre.org> wrote:
> >
> > > Jon,
> > > Sorry I made a mistake and sent you the wrong link, but I still have the
> > > basic question.  Does Apache maintain a checksum or some type of security to
> > > assure people that what is downloaded is unaltered from what Apache put on
> > > the web?
> > > The site I downloaded from was:
> > > http://xml.apache.org/dist/xerces-j/
> > > The file was:
> > > Xerces-J-bin.1.0.0.zip
> >
> > It's a project-by-project decision to implement this.
> >
> > On the projects that I deal with, there is always a corresponding .md5
> >
> > @see <http://jakarta.apache.org/builds/jakarta-velocity/release/v1.0b2/>
> >
> > It seems that the XML Projects don't care enough about this. I have CC'd
> > the xml.apache.org PMC in order to hopefully gain their attention enough to
> > care about this issue.
> >
> > In the end though, if you feel the need to question the source code
> > validity, you can always check out the tagged CVS code and compare that to
> > the code in the download. However, I do agree, the XML Projects should make
> > this easier by providing a .md5 file.
> >
> > Lastly, even with the .md5 file, that doesn't guarantee anything really. The
> > server could still be hacked, a new .md5 file could be uploaded along with a
> > new .tar.gz/.zip. The real solution is to mirror the .md5 files to a
> > separate trusted entity; however, we have not employed anything such as this,
> > as this hasn't been a requirement.
> >
> > thanks,
> >
> > -jon
> >

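The point Jon makes at the end of the thread, that a .md5 served next to the archive only proves the two files agree with each other, is worth seeing in code. What follows is an added example and is not code from this thread or from any Apache project. It verifies a download against a .md5 file in the layouts such files commonly used (bare digest, md5sum "digest  name" / "digest *name", "name: digest", BSD "MD5 (name) = digest"; which of these a given Apache project used is an assumption here), then simulates the server compromise Jon describes and shows that only a checksum recorded out of band still rejects the replaced archive. Archive bytes, digests and the filename are constructed for the demonstration.

```python
# Added example (not from the thread or any Apache project): verify a
# download against a .md5 file, then show why a .md5 fetched from the
# same server as the archive does not survive a server compromise while
# a checksum obtained out of band does. All sample data is constructed.
import hashlib
import hmac
import re

_HEX32 = r"([0-9a-fA-F]{32})"

# Assumed .md5 layouts: digest-first forms and name-first forms.
_DIGEST_FIRST = [
    re.compile(r"^\s*" + _HEX32 + r"\s*$"),             # bare digest
    re.compile(r"^\s*" + _HEX32 + r"\s+\*?(\S+)\s*$"),  # md5sum "hex  name" / "hex *name"
]
_NAME_FIRST = [
    re.compile(r"^\s*(\S+):\s*" + _HEX32 + r"\s*$"),               # "name: hex"
    re.compile(r"^\s*MD5\s*\((\S+)\)\s*=\s*" + _HEX32 + r"\s*$"),  # BSD "MD5 (name) = hex"
]


def parse_md5_file(text):
    """Return (digest, filename_or_None) from the first non-blank line,
    with the digest lower-cased. Raises ValueError on an unknown layout."""
    for line in text.splitlines():
        if not line.strip():
            continue
        for pat in _DIGEST_FIRST:
            m = pat.match(line)
            if m:
                name = m.group(2) if m.lastindex == 2 else None
                return m.group(1).lower(), name
        for pat in _NAME_FIRST:
            m = pat.match(line)
            if m:
                return m.group(2).lower(), m.group(1)
        raise ValueError("unrecognised .md5 line: %r" % line)
    raise ValueError("empty .md5 file")


def md5_hex(data):
    # MD5 is what the thread discusses. It is no longer collision-resistant,
    # so a current release process would publish SHA-256/SHA-512 as well as a
    # signature; the comparison logic below is the same for any digest.
    return hashlib.md5(data).hexdigest()


def verify_download(archive_bytes, md5_text, expected_name=None):
    """True if archive_bytes hashes to the digest in md5_text. When the .md5
    names a file and expected_name is given, the names must agree as well."""
    digest, name = parse_md5_file(md5_text)
    if expected_name is not None and name is not None and name != expected_name:
        return False
    return hmac.compare_digest(md5_hex(archive_bytes), digest)


def compromised_server_scenario():
    """Attacker replaces both the archive and its .md5 on the download server.
    Returns (accepted_with_served_md5, accepted_with_out_of_band_md5)."""
    name = "Xerces-J-bin.1.0.0.zip"
    genuine = b"PK\x03\x04 genuine archive (constructed)"
    # Checksum recorded earlier, or fetched from an independent host: the
    # "separate trusted entity" the thread talks about.
    out_of_band_md5 = md5_hex(genuine) + "  " + name + "\n"
    # After the compromise, both files on the server are attacker-supplied.
    trojaned = b"PK\x03\x04 backdoored archive (constructed)"
    served_md5 = md5_hex(trojaned) + "  " + name + "\n"
    return (verify_download(trojaned, served_md5, name),
            verify_download(trojaned, out_of_band_md5, name))


if __name__ == "__main__":
    served_ok, pinned_ok = compromised_server_scenario()
    print("served .md5 accepts trojaned archive:", served_ok)       # True
    print("out-of-band .md5 accepts trojaned archive:", pinned_ok)  # False
```

The same reasoning applies to the .sig files Tom ended up using: `gpg --verify <file>.sig <file>` proves the archive was signed by the holder of a particular private key, but that only helps if the public key was obtained from somewhere other than the compromised download server and was checked against the project's published fingerprint. A checksum or key fetched from the same place as the archive is an integrity check against corrupt transfers, not a check of authenticity.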