On 25 January 2018 at 09:14, Henk P. Penning <penn...@uu.nl> wrote:
> On Wed, 24 Jan 2018, sebb wrote:
>
>> Date: Wed, 24 Jan 2018 17:13:14 +0100
>> From: sebb <seb...@gmail.com>
>> To: dev@community.apache.org
>> Subject: Feedback on dist health checker (was: [jira] [Commented] (COMDEV-248) add /dist/ health issues)
>
> Re: https://reporter.apache.org/
>
>> I think the Dist checker section should always be present otherwise
>> one does not know if it has been run or not. It should perhaps say
>> something like: all files have valid sigs and hashes OR no release
>> files found (e.g. Whimsy).
>
> Curcuru wanted "no section if no errors" ; and I agree.
> I could always add a section if the data is stale (> 4 hours).
> At the moment, stale data is flagged (in red) only if errors > 0.

I'm not suggesting a new section; I think a single line would do for the OK cases.

>> Since the checks relate to releases, perhaps the information should be
>> presented in the Releases section rather than separately.
>
> I've moved the Checker section up to just below releases.
>
>> Also it appears that the checker does not check if the KEYS file is
>> present nor if it contains the required keys.
>
> Frankly, I think KEYS files are a bad idea, and must be abandoned.

That has yet to be agreed, and all the documentation says to use the KEYS file.
It would be a big change to websites to fix that.

> There are 285 KEYS files, and almost all of them are not up-to-date,
> and therefore give a false picture of the world.

If they are not up to date, then they need to be fixed.

> KEYS files aren't necessary to verify a download ; see
> https://checker.apache.org/dist/verify.html

That uses the SHA-1 hash which is known to be insecure.
It may only be easy to forge for PDFs and images at present, but that will change.

> For example [good and bad] :
>
> https://checker.apache.org/sums/b210887198f38bd3ab3dd4f38f056d0143afcf38.html
>
> https://checker.apache.org/sums/8347323be17d484be69b9fb094bf110993c66c39.html

It's not immediately obvious that the download is bad, nor what to do about it.

> Or [with a 'verify' section] :
>
> https://checker.apache.org/sums/4a23503e9c272eed58c86046a8da737866cd1aff.html

No idea why some of those have a verify section and some not.

Whilst the info is useful for some, there's far too much info for the
average downloader to take in and it's not immediately obvious whether
the download is OK or not. Nor what to do if there is a problem.

>> The Aries errors (sig expired) are caused by a very old release.
>> It looks like they have not published any recent releases to dist.
>> Maybe the tool could check the dist contents against the releases
>> database.
>
> Aries must fix the problem. The signer has lost her key,
> but, since the .asc's are cryptographically ok, replacing
> the sigs isn't a problem.

In this case they need to replace the artifacts with the latest
release(s), not replace the sigs.

> Thanks, regards,
>
> HPP
>
> ------------------------------------------------------------
> Henk P. Penning, ICT-beta                 R Uithof MG-403
> Faculty of Science, Utrecht University    T +31 30 253 4106
> Leuvenlaan 4, 3584CE Utrecht, NL          F +31 30 253 4553
> http://www.staff.science.uu.nl/~penni101/ M penn...@uu.nl