Andrew McIntyre wrote:
> On 10/4/06, Rick Hillegas <[EMAIL PROTECTED]> wrote:
>> 2) Step (9) at http://www.apache.org/dev/mirror-step-by-step.html warns
>> against using symbolic links in mirrored directories. But step (17) at
>> http://wiki.apache.org/db-derby/DerbySnapshotOrRelease seems to indicate
>> that we do use symbolic links on our mirrored directory. Furthermore,
>> symbolic links are required by the instructions at
>> http://people.apache.org/~bodewig/mirror.html. I'm confused.
>>
>> 3) More about symbolic links. The instructions make a distinction
>> between the distribution zips and their signatures. I'm told to link the
>> zips but not the signatures (see
>> http://www.apache.org/dev/release-download-pages.html). However, step
>> (17) at http://wiki.apache.org/db-derby/DerbySnapshotOrRelease shows us
>> creating symbolic links for both the zips and the signatures. Again, I'm
>> confused.
>
> I'm all for keeping things simple. If current wisdom says don't use
> symlinks, I don't think anyone will object to simply removing the
> -current- symlinks in our dist directory.
>
> As for signatures, all links to signature files (*.asc), e.g. on the
> download page on the website, should point back to
> http://www.apache.org/dist. Signatures should always be picked up from
> an Apache machine so that we have oversight over their authenticity.
> PGP signatures or MD5 checksums from a machine outside of the
> oversight of the Apache community should not be trusted.
>
> I believe PGP signatures are currently synced to non-Apache machines,
> because PGP sigs have not been proven to have been cracked in any way.
> But, it seems conventional wisdom, along with the very small download
> size of the PGP signatures, suggests that the security benefit of
> serving the PGP signatures from an Apache machine outweighs the
> bandwidth usage to Apache.
>
> So, remove the -current- symlinks (and the corresponding instructions
> from the release page). When creating the download page, use the
> mirror.cgi form template to allow picking up the release distribution
> archives from the mirrors, but leave the signature links for the PGP
> and MD5 signatures pointing at the real files in
> http://www.apache.org/dist/db/derby/{version}/*.(asc|md5)
>
> Also, with the release of 10.2.1.6 imminent, it's time we move our
> older releases of 10.1 to the archive. That's not something that you
> need to be concerned about with releasing 10.2, but as a community, we
> need to make sure our older releases are properly archived and that we
> don't unnecessarily consume resources on the Apache mirrors. I'll be
> glad to help out with archiving the older releases.

Thanks, Andrew. Right now, we have 4 active releases under
/www/www.apache.org/dist/db/derby:

10.1.1.0
10.1.2.1
10.1.3.1
10.2.1.6

I'm guessing you want to archive one or more of the older ones. I will
need your help here. The archiving instructions at
http://www.apache.org/dev/mirror-step-by-step.html#archive-old seem to
be a little out of date. I got wedged on step (2) since I can't find
/www/derby.apache.org or /www/db.apache.org/derby/builds.

Regards,
-Rick

> Let me know if you have any questions. If I missed something,
> hopefully someone more knowledgeable will speak up.
>
> andrew
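
An added example, not part of the thread or of Apache's own tooling: a small audit of a download page for the two decisions discussed above, that every .asc/.md5 link points at http://www.apache.org/dist and that no link relies on a -current- symlink. The sample page, the mirror host mirror.example.org and the file names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_HOST = "www.apache.org"   # origin named in the thread
TRUSTED_PREFIX = "/dist/"         # signatures live under http://www.apache.org/dist
SIG_SUFFIXES = (".asc", ".md5")

# Constructed sample download page; mirror.example.org is a placeholder mirror.
SAMPLE_PAGE = """
<a href="http://mirror.example.org/apache/db/derby/10.2.1.6/derby-bin.zip">zip</a>
<a href="http://www.apache.org/dist/db/derby/10.2.1.6/derby-bin.zip.asc">PGP</a>
<a href="http://mirror.example.org/apache/db/derby/10.2.1.6/derby-bin.zip.md5">MD5</a>
<a href="derby-bin.zip.ASC">PGP</a>
<a href="http://www.apache.org.mirror.example.org/dist/db/derby/10.2.1.6/derby-src.zip.asc">PGP</a>
<a href="http://mirror.example.org/apache/db/derby/derby-current-bin.zip">latest</a>
"""

class _Hrefs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def audit_download_page(html):
    """Return (href, problem) pairs for links that break the thread's rules."""
    parser = _Hrefs()
    parser.feed(html)
    findings = []
    for href in parser.hrefs:
        url = urlsplit(href)
        name = url.path.rsplit("/", 1)[-1].lower()
        if name.endswith(SIG_SUFFIXES):
            # Relative links resolve against wherever the page is served from,
            # so only an absolute URL pins the signature to the Apache host.
            pinned = (url.scheme in ("http", "https")
                      and url.hostname == TRUSTED_HOST
                      and url.path.startswith(TRUSTED_PREFIX))
            if not pinned:
                findings.append((href, "signature not pinned to www.apache.org/dist"))
        if "-current-" in name:
            findings.append((href, "link depends on a -current- symlink"))
    return findings

if __name__ == "__main__":
    for href, problem in audit_download_page(SAMPLE_PAGE):
        print(f"{problem}: {href}")
```

The archive link through the mirror passes, as the thread intends; the mirrored .md5, the relative .ASC link and the look-alike host are reported because none of them is guaranteed to be fetched from the Apache machine.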