Return-Path: Delivered-To: apmail-xml-general-archive@xml.apache.org Received: (qmail 57067 invoked by uid 500); 29 Mar 2001 19:36:38 -0000 Mailing-List: contact general-help@xml.apache.org; run by ezmlm Precedence: bulk list-help: list-unsubscribe: list-post: Reply-To: general@xml.apache.org Delivered-To: mailing list general@xml.apache.org Received: (qmail 57014 invoked from network); 29 Mar 2001 19:36:36 -0000 Message-ID: <011b01c0b887$89ef21e0$0a00a8c0@boo> From: "Ted Leung" To: "Tom Gryder" , Cc: , References: Subject: Re: Checksum for downloaded files Date: Thu, 29 Mar 2001 11:36:23 -0800 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 X-Spam-Rating: h31.sny.collab.net 1.6.2 0/1000/N Cool. And one more reason for me to be disappointed that I'm not going to ApacheCon this year. :-( Ted ----- Original Message ----- From: "Jon Stevens" To: "Ted Leung" ; "Tom Gryder" Cc: ; Sent: Thursday, March 29, 2001 11:29 AM Subject: Re: Checksum for downloaded files > on 3/29/01 11:20 AM, "Ted Leung" wrote: > > > For some of the XML projects, we have been PGP signing the > > binaries - this includes Xerces, Xalan, but not all the projects are doing > > this. It appears that not all the Jakarta projects are doing this either, > > since neither Ant, log4J, JMeter, James or Tomcat have .md5's. > > Like I said: all the projects that I'm directly involved with. :-) I should > qualify that to say: "all the projects that I am directly involved with the > releases of". > > > Perhaps > > it would be in *both* project's interests to provide either a .md5 or PGP > > signature for *all* their release binaries. It would be even better if both > > projects adopted the same thing, to reduce user confusion. > > PGP maybe (if someone signs the archive, that signature must be a signature > with a trust ring around it). So far, the XML/Jakarta projects do not have a > signature of that sort. Since we will be at ApacheCon in another few days, I > think running around and getting physical people to sign their key onto a > "Jakarta" and "XML" key would be a good idea. I will see about doing that > and will post another email announcing this intention later today. > > We can then sign all of our binaries with those keys. > > md5 yes (it doesn't need a signed trust ring, but does need to be mirrored > in order to be tamper proof). since that won't happen anytime soon, the > above PGP solution seems like a better idea. > > -jon > > -- > If you come from a Perl or PHP background, JSP is a way to take > your pain to new levels. --Anonymous > > > > --------------------------------------------------------------------- > In case of troubles, e-mail: webmaster@xml.apache.org > To unsubscribe, e-mail: general-unsubscribe@xml.apache.org > For additional commands, e-mail: general-help@xml.apache.org > --------------------------------------------------------------------- In case of troubles, e-mail: webmaster@xml.apache.org To unsubscribe, e-mail: general-unsubscribe@xml.apache.org For additional commands, e-mail: general-help@xml.apache.org