[ https://issues.apache.org/jira/browse/DERBY-2428?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12479678 ]

Andrew McIntyre commented on DERBY-2428:
----------------------------------------

Whoops, somehow submitted that incomplete.

The release signing policy here:

http://www.apache.org/dev/release-signing.html#policy

says to create MD5s, but a quick look at the mirrors shows that the MD5 
checksums are not mirrored. I believe this was due to security reasons - one 
should not trust MD5s stored on a remote machine, since cracks in the MD5 
algorithm were known. MD5s that were stored on Apache hardware could be 
considered trusted, because the Apache hardware can be considered to be secure 
and the MD5s stored there as authoritative.

As for the archives? I'm not sure if copying the MD5s over is the right thing 
to do. Seems like it to me, but if so, then perhaps the archival mechanism 
should be fixed to retain the MD5s as well.

> Move older releases from www.apache.org/dist/ to archive.apache.org/dist
> ------------------------------------------------------------------------
>
>                 Key: DERBY-2428
>                 URL: https://issues.apache.org/jira/browse/DERBY-2428
>             Project: Derby
>          Issue Type: Task
>          Components: Web Site
>    Affects Versions: 10.1.1.0, 10.1.2.1, 10.1.3.1
>            Reporter: Jean T. Anderson
>         Attachments: release-10.1.1.0.diff
>
>
> Derby releases are consuming much space on the Apache mirrors. It's time to 
> update the older download pages to point to the archives, then remove them 
> from www.apache.org/dist/ .

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
