Re: Feedback on dist health checker (was: [jira] [Commented] (COMDEV-248) add /dist/ health issues)

Thu, 25 Jan 2018 01:14:47 -0800 

On Wed, 24 Jan 2018, sebb wrote:


Date: Wed, 24 Jan 2018 17:13:14 +0100
From: sebb <seb...@gmail.com>
To: dev@community.apache.org
Subject: Feedback on dist health checker (was: [jira] [Commented] (COMDEV-248)
     add /dist/ health issues)


  Re: https://reporter.apache.org/


I think the Dist checker section should always be present otherwise
one does not know if it has been run or not. It should perhaps say
something like: all files have valid sigs and hashes OR no release
files found (e.g. Whimsy).


  Curcuru wanted "no section if no errors" ; and I agree.
  I could always add a section if the data is stale (> 4 hours).
  At the moment, stale data is flagged (in red) only if errors > 0.


Since the checks relate to releases, perhaps the information should be
presented in the Releases section rather than separately.


  I've moved the Checker section up to just below releases.


Also it appears that the checker does not check if the KEYS file is
present nor if it contains the required keys.


  Frankly, I think KEYS files are a bad idea, and must be abandonned.
  There are 285 KEYS files, and almost all of them are not up-to-date,
  and therefor give a false picture of the world.

  KEYS files aren't necessary to verify a download ; see
    https://checker.apache.org/dist/verify.html

  For example [good and bad] :
  https://checker.apache.org/sums/b210887198f38bd3ab3dd4f38f056d0143afcf38.html
  https://checker.apache.org/sums/8347323be17d484be69b9fb094bf110993c66c39.html

  Or [with a 'verify' section] :
  https://checker.apache.org/sums/4a23503e9c272eed58c86046a8da737866cd1aff.html


The Aries errors (sig expired) are caused by a very old release.
It looks like they have not published any recent releases to dist.
Maybe the tool could check the dist contents against the releases database.


  Aries must fix the problem. The signer has lost her key,
  but, since the .asc's are cryptographically ok, replacing
  the sigs isn't a problem.

  Thanks, regards,

  HPP

------------------------------------------------------------   _
Henk P. Penning, ICT-beta                 R Uithof MG-403    _/ \_
Faculty of Science, Utrecht University    T +31 30 253 4106 / \_/ \
Leuvenlaan 4, 3584CE Utrecht, NL          F +31 30 253 4553 \_/ \_/
http://www.staff.science.uu.nl/~penni101/ M penn...@uu.nl     \_/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
For additional commands, e-mail: dev-h...@community.apache.org























					Reply via email to