No I'm not suggesting that. AFAIK it's only the config text file that Prior
wants to host.

On Mon., 11 Jun. 2018, 8:47 am Alex Harui, <aha...@adobe.com.invalid> wrote:

> Justin,
>
> Are you suggesting that we distribute a binary artifact from our project
> website?  Do other projects do that?
>
> -Alex
>
> On 6/10/18, 10:27 PM, "Justin Mclean" <jus...@classsoftware.com> wrote:
>
>     Hi,
>
>     > I'm talking about that file [1]. What kind of security issues do you
>     > exactly see if I move that file on my server ?
>
>     Well if someone changed the paths in those files, our users could
> unwittingly be made to download malware or other stuff. Risk is probably low
> but I have no details on the server this file is going on, for instance is
> it a dedicated server or one that contains shared hosts for instance. What
> other services are running on this server? How is the file uploaded/updated
> on that server? What security is in place to stop others modifying that
> file? If it is located in Poland is that going to cause performance issues for
> people outside of Europe? What happens if the server falls over, can
> someone on the PMC restart it? Will the rest of the PMC have access to this
> server? Might be best to answer on the private list if you don’t want
> details about your server made public.
>
>     Perhaps a better solution would be to host them on the Apache Flex
> website as currently we do for [1] which the installer gets. Is it too hard
> to have a
> http://flex.apache.org/installer/XXX/sdk-installer-config-4.0.xml,
> where XXX is the flex version number as well? Given the issue is only with
> 4.16.0 and 4.16.1 that’s only two files we would need to host there. That
> way access and security are handled by ASF infrastructure and we don’t have
> to worry about them.
>
>     Thanks,
>     Justin
>
>     1. http://flex.apache.org/installer/sdk-installer-config-4.0.xml
>