Adam is perfectly right about this stuff. There is one more thing we need to think about. Some repositories treat md5-files differently. The structure on apache.org is [filename - MD5 Hash]. But on ibiblio (maven-repository) it is just [MD5 Hash]. So this needs to be somehow configurable.
One more thing to think about :-)

> Nick wrote:
>
> > The MD5 should always come from the authoritative source (apache.org)
> > using https.
>
> I'm not sure if all environments (JVMs) have HTTPS available. In a somewhat
> perfect world we'd try HTTPS and if it failed try HTTP, unless some 'minimum
> security' was requested.
>
> I think we'll have to experiment and experience this area over
> time/iterations.
>
> > How are we going to know what the "authoritative" source for a resource is.
> > For java we could enforce a reverse domain name.
>
> Four things:
>
> 1) Repository URI/URL is what it is (whatever it is) and the URL for the MD5
> ought be the URL for the resources plus ".md5" on the end.
>
> 2) As current Ruper thinking (coding) goes ... Mirrors ought mirror the
> hierarchy, so wherever a resource is in the repo, the .md5 ought be next to
> it, and the original .md5 ought be in exactly the same relative position
> (just relative to an apache root).
>
> 3) Mirroring is kinda hacked into Ruper right now, it silently moves the
> root of a repository (originally set relative to the mirror locator CGI
> script) to one such mirror. As such Ruper doesn't really know about mirrors.
>
> 4) We probably need to rethink current thinking... ;-)
>
> regards,
>
> Adam
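
An added example, not part of the original thread or of Ruper's code: one way to handle both `.md5` layouts mentioned above through a per-repository setting, with the checksum URL derived as the resource URL plus ".md5" at the same relative path under the authoritative root. The layout names, function names, the `-` separator in the sample and the example hosts are assumptions.

```python
import hashlib
import hmac
import re

HEX_MD5 = re.compile(r"[0-9a-fA-F]{32}")


def authoritative_md5_url(resource_url, mirror_root, authoritative_root, require_https=True):
    """Map a mirrored resource to its .md5 at the same relative position under
    the authoritative root. require_https models the 'minimum security' option."""
    if require_https and not authoritative_root.startswith("https://"):
        raise ValueError("authoritative root must use https")
    root = mirror_root.rstrip("/") + "/"
    if not resource_url.startswith(root):
        raise ValueError("resource is not under the mirror root")
    return authoritative_root.rstrip("/") + "/" + resource_url[len(root):] + ".md5"


def parse_md5_file(text, layout, expected_name):
    """Return the lowercase hex digest from a .md5 body; layout is per repository."""
    tokens = text.split()
    if layout == "hash_only":            # body is just the digest
        if len(tokens) != 1:
            raise ValueError("expected a bare digest")
        digest = tokens[0]
    elif layout == "name_then_hash":     # file name first, digest last
        if len(tokens) < 2 or tokens[0] != expected_name:
            raise ValueError("checksum file does not name " + expected_name)
        digest = tokens[-1]
    else:
        raise ValueError("unknown layout: " + layout)
    if not HEX_MD5.fullmatch(digest):
        raise ValueError("not a 32-digit hex MD5")
    return digest.lower()


def verify(data, md5_text, layout, expected_name):
    """True only if the downloaded bytes hash to the digest in the .md5 body."""
    expected = parse_md5_file(md5_text, layout, expected_name)
    actual = hashlib.md5(data).hexdigest()
    return hmac.compare_digest(actual, expected)
```

Rejecting a name-bearing checksum file whose name does not match the requested resource stops a valid `.md5` for one artifact from being accepted for another.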
