On 5/23/06, Bernt M. Johnsen <[EMAIL PROTECTED]> wrote:
> Simple (?) question. Why do we not sign snapshots that are made available on Derby's download page? The need for people to be sure that they download SW that is put there by a trusted person should be the same as for ordinary releases.

Because the snapshots are not served from the mirror, but from a trusted host at Apache, and could only be put there by a committer. Normally, serving downloads from an Apache host is frowned upon to save bandwidth and machine resources, but in this case should not be a problem, as we would expect the snapshots to see far, far less traffic than an official release.

And in fact, the snapshots don't register on the top hits for *.apache.org, whereas people disregarding the mirrors and downloading the official release from http://www.apache.org/dist/ do show up on the list:
http://people.apache.org/~henkp/analog/www/2006/04/

andrew
