Kurt Miller wrote:
From: "jean-frederic clere" <[EMAIL PROTECTED]>

Tetsuya Kitahata wrote:

On Tue, 07 Oct 2003 13:49:39 +0200
Remy Maucherat <[EMAIL PROTECTED]> wrote:



There is no guarantee that the binaries d/led are not corrupted on your
random mirror, or haven't been tampered with, or if the mirror is
available at all.


This is for the build process, so mirrors are not a good solution.


If so, archive.apache.org would be better?
(Seems that it would be against the policy of
infrastructure team, though)

Yes. The download task is used to build Tomcat, so we must be sure that the
files we use to build it are reliable. Using archive.apache.org would allow us
to build old versions of Tomcat: this is interesting for bug fixing.



Doesn't this mean that anyone who tries to build Tomcat from source using
the download task will not use the mirrors? If Apache doesn't trust
downloading from mirrors how would you expect users to trust them?

I guess a user would be willing to manually check the keys of one binary
download, but would not be likely to check the keys of multiple downloads.
Maybe a solution similar to what the BSD porting systems use would be a
possible solution to the trust issue. They automatically download AND check
the keys of the files.

Right, but how could I check the keys in Ant?



-Kurt



--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
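
One way to get the ports-style "download AND check" behaviour discussed above inside an Ant build, as an added example that is not part of the original thread or of the Tomcat build files. It pins a SHA-256 digest in the build file rather than checking PGP keys, and the URL path, file name, property names and digest value are placeholders.

```xml
<project name="verified-download" default="fetch-verified" basedir=".">

  <!-- Placeholder values (assumptions, not taken from the thread). -->
  <property name="dep.url"
            value="https://archive.apache.org/dist/EXAMPLE/example-lib-1.0.jar"/>
  <property name="dep.file" value="${basedir}/download/example-lib-1.0.jar"/>
  <!-- Expected digest, committed with the build file like a ports distinfo
       entry; written as lowercase hex, the form Ant generates. -->
  <property name="dep.sha256" value="REPLACE_WITH_PINNED_SHA256_HEX"/>

  <target name="fetch">
    <mkdir dir="${basedir}/download"/>
    <get src="${dep.url}" dest="${dep.file}" usetimestamp="true"/>
  </target>

  <target name="verify" depends="fetch">
    <!-- When verifyproperty is set, "property" is the expected checksum
         itself (not a property name); dep.ok is set to "true" or "false". -->
    <checksum file="${dep.file}" algorithm="SHA-256"
              property="${dep.sha256}" verifyproperty="dep.ok"/>
    <condition property="dep.bad">
      <isfalse value="${dep.ok}"/>
    </condition>
  </target>

  <!-- Runs only on a mismatch: remove the file so a later build step
       cannot pick it up, then stop the build. -->
  <target name="reject" depends="verify" if="dep.bad">
    <delete file="${dep.file}"/>
    <fail message="Checksum mismatch for ${dep.url}; download discarded."/>
  </target>

  <target name="fetch-verified" depends="fetch,verify,reject">
    <echo message="Verified ${dep.file}"/>
  </target>

</project>
```

With the digest pinned in the build file, the same check passes or fails identically whether the file comes from archive.apache.org or from a mirror; the pinned value itself has to be obtained from a trusted source.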




