On 10/4/06, Rick Hillegas <[EMAIL PROTECTED]> wrote:
> 2) Step (9) at http://www.apache.org/dev/mirror-step-by-step.html warns against using symbolic links in mirrored directories. But step (17) at http://wiki.apache.org/db-derby/DerbySnapshotOrRelease seems to indicate that we do use symbolic links on our mirrored directory. Furthermore, symbolic links are required by the instructions at http://people.apache.org/~bodewig/mirror.html. I'm confused.
>
> 3) More about symbolic links. The instructions make a distinction between the distribution zips and their signatures. I'm told to link the zips but not the signatures (see http://www.apache.org/dev/release-download-pages.html). However, step (17) at http://wiki.apache.org/db-derby/DerbySnapshotOrRelease shows us creating symbolic links for both the zips and the signatures. Again, I'm confused.

I'm all for keeping things simple. If current wisdom says don't use symlinks, I don't think anyone will object to simply removing the -current- symlinks in our dist directory.

As for signatures, all links to signature files (*.asc), e.g. on the download page on the website, should point back to http://www.apache.org/dist. Signatures should always be picked up from an Apache machine so that we have oversight over their authenticity. PGP signatures or MD5 checksums from a machine outside of the oversight of the Apache community should not be trusted.

I believe PGP signatures are currently synced to non-Apache machines, because PGP sigs have not been proven to have been cracked in any way. But, it seems conventional wisdom, along with the very small download size of the PGP signatures, suggests that the security benefit of serving the PGP signatures from an Apache machine outweighs the bandwidth usage to Apache.

So, remove the -current- symlinks (and the corresponding instructions from the release page). When creating the download page, use the mirror.cgi form template to allow picking up the release distribution archives from the mirrors, but leave the signature links for the PGP and MD5 signatures pointing at the real files in http://www.apache.org/dist/db/derby/{version}/*.(asc|md5)

Also, with the release of 10.2.1.6 imminent, it's time we move our older releases of 10.1 to the archive. That's not something that you need to be concerned about with releasing 10.2, but as a community, we need to make sure our older releases are properly archived and that we don't unnecessarily consume resources on the Apache mirrors. I'll be glad to help out with archiving the older releases.

Let me know if you have any questions. If I missed something, hopefully someone more knowledgeable will speak up.

andrew
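
The following is an added example, not part of the original message or of any Apache tooling: a small check that a download page follows the rule described above, where archives may come from mirrors but every `.asc` and `.md5` link must point at `http://www.apache.org/dist/`. The sample page, the `mirror.example` host and the file names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Rule from the message above: signature/checksum links must point at the
# Apache-hosted dist tree; release archives may be fetched from any mirror.
TRUSTED_HOST = "www.apache.org"
TRUSTED_PREFIX = "/dist/"
VERIFICATION_SUFFIXES = (".asc", ".md5")

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag on the page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.hrefs.append(href)

def is_trusted(url):
    # Compare the parsed hostname, not a string prefix, so that
    # "www.apache.org@other-host" or "www.apache.org.evil" do not pass.
    # Relative links have no hostname: on a mirrored copy of the page they
    # would resolve to the mirror, so they are treated as untrusted.
    parts = urlparse(url)
    return (parts.scheme in ("http", "https")
            and parts.hostname == TRUSTED_HOST
            and parts.path.startswith(TRUSTED_PREFIX)
            and ".." not in parts.path.split("/"))

def audit_download_page(html):
    """Return signature/checksum links that are not served from Apache dist."""
    collector = LinkCollector()
    collector.feed(html)
    return [h for h in collector.hrefs
            if urlparse(h).path.lower().endswith(VERIFICATION_SUFFIXES)
            and not is_trusted(h)]

# Constructed sample page (hosts and file names are illustrative only).
SAMPLE_PAGE = """
<a href="http://mirror.example/apache/db/derby/10.2.1.6/derby-bin.zip">zip</a>
<a href="http://www.apache.org/dist/db/derby/10.2.1.6/derby-bin.zip.asc">PGP</a>
<a href="http://mirror.example/apache/db/derby/10.2.1.6/derby-bin.zip.md5">MD5</a>
<a href="derby-src.zip.asc">PGP</a>
<a href="http://www.apache.org@mirror.example/dist/db/derby/10.2.1.6/derby-src.zip.md5">MD5</a>
"""

if __name__ == "__main__":
    for link in audit_download_page(SAMPLE_PAGE):
        print("signature/checksum link not on Apache dist:", link)
```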
