Hi,

> I'm talking about that file [1]. What kind of security issues do you
> exactly see if I move that file on my server ?

Well, if someone changed the paths in those files, our users could unwittingly be 
made to download malware or other stuff. Risk is probably low but I have no 
details on the server this file is going on, for instance is it a dedicated 
server or one that contains shared hosts. What other services are 
running on this server? How is the file uploaded/updated on that server? What 
security is in place to stop others modifying that file? If it is located in 
Poland is that going to cause performance issues for people outside of Europe? 
What happens if the server falls over, can someone on the PMC restart it? Will 
the rest of the PMC have access to this server? Might be best to answer on the 
private list if you don’t want details about your server made public. 

Perhaps a better solution would be to host them on the Apache Flex website as 
currently we do for [1] which the installer gets. Is it too hard to have a 
http://flex.apache.org/installer/XXX/sdk-installer-config-4.0.xml, where XXX is 
the Flex version number as well? Given the issue is only with 4.16.0 and 
4.16.1, that’s only two files we would need to host there. That way access and 
security are handled by ASF infrastructure and we don’t have to worry about 
them.

Thanks,
Justin

1. http://flex.apache.org/installer/sdk-installer-config-4.0.xml
