MD5 checksum handling issue with Felix download pages/mirrors
-------------------------------------------------------------

                 Key: FELIX-726
                 URL: https://issues.apache.org/jira/browse/FELIX-726
             Project: Felix
          Issue Type: Bug
         Environment: http://felix.apache.org/site/downloads.cgi
            Reporter: Olaf Kock


Hi there,
I understand MD5 checksums as a means to detect if the file that I've just 
downloaded is a) complete and b) the one I expected to download. While I never 
check a) unless I get an error unpacking, b) is very important.

As Apache is relying heavily on mirrors, I'd like to have to trust Apache, but I 
can't trust every mirror server. As the MD5 sums that are linked on the 
download server point to the mirrors themselves, this is of no value. I'd 
rather like them to point to the central Apache server. The few bytes for the 
checksums shouldn't matter much.

Compromised mirrors would make it easy to exchange the downloaded file together 
with their MD5 sum - this would be somewhat more difficult to discover than 
getting the MD5 from an authoritative source.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
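
The report's argument as an added example (not part of the original report or of any Apache tooling): a checksum served by the same mirror as the file still matches after both are swapped, while a checksum from the central server does not. The file name, byte strings and the dict-based "servers" are constructed stand-ins so the example runs offline.

```python
import hashlib
import hmac

def parse_md5_file(text: str) -> str:
    """Return the digest from a .md5 file ('<hex>' or '<hex>  <filename>')."""
    parts = text.split()
    if not parts:
        raise ValueError("empty checksum file")
    digest = parts[0].lower()
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not an MD5 hex digest")
    return digest

def matches(artifact: bytes, checksum_text: str) -> bool:
    """True if the artifact's MD5 equals the digest in the checksum file."""
    actual = hashlib.md5(artifact).hexdigest()
    return hmac.compare_digest(actual, parse_md5_file(checksum_text))

def check_download(name: str, mirror: dict, origin: dict) -> dict:
    """Check a file fetched from `mirror` against both checksum sources."""
    artifact = mirror[name]
    return {
        "mirror_checksum_ok": matches(artifact, mirror[name + ".md5"]),
        "origin_checksum_ok": matches(artifact, origin[name + ".md5"]),
    }

# Constructed sample data (hypothetical file name and contents).
NAME = "example-bundle.jar"
RELEASE = b"genuine release bytes"
SWAPPED = b"replaced release bytes"

def md5_line(data: bytes) -> str:
    return f"{hashlib.md5(data).hexdigest()}  {NAME}\n"

# The central server only needs to serve the small checksum file.
ORIGIN = {NAME + ".md5": md5_line(RELEASE)}
HONEST_MIRROR = {NAME: RELEASE, NAME + ".md5": md5_line(RELEASE)}
# A compromised mirror replaces the file together with its checksum.
TAMPERED_MIRROR = {NAME: SWAPPED, NAME + ".md5": md5_line(SWAPPED)}

if __name__ == "__main__":
    for label, mirror in (("honest", HONEST_MIRROR), ("tampered", TAMPERED_MIRROR)):
        print(label, check_download(NAME, mirror, ORIGIN))
```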