Hi Patrick, will reply in more detail later, but please know that linking to the Apache download page is not a request, it's a requirement. I will explain more in a bit.

Cheers,
Chris

Sent from my iPhone

On Sep 26, 2013, at 8:09 PM, "Patrick Wendell" <[email protected]> wrote:

> Chris et al,
>
> I'm -1 on this because it has many negative consequences for our existing
> users:
>
> 1. Users who do automated downloads based on our posted URLs (of
> which we get many thousands each release) will no longer work. Now if
> they do "wget XXX" with our posted link, it will fail in a weird way
> due to the redirect page. Is there a version of the closer.cgi
> script which just performs 302 redirects instead of asking me to click
> on a link?
>
> 2. All other users have to click through an additional page to
> download the software.
>
> 3. Amazon Cloudfront is, as a whole, much more reliable and higher
> bandwidth than the mirror network.
>
> These are my concerns, that basically we're causing our users to have
> a much worse experience. I've identified these concerns with moving to
> the apache mirror, but perhaps I've overlooked some benefits that
> would counteract these. Are there benefits?
>
> I completely agree that we need to send users to the signatures and
> hashes at the Apache release site (to verify the release). So I did
> add the link to this directly adjacent to the download.
>
> - Patrick
>
> On Thu, Sep 26, 2013 at 3:50 PM, Chris Mattmann <[email protected]> wrote:
>> Hey Guys,
>>
>> Yep the link should be the dyn/closer.cgi link on the website and +1
>> to Roman's comment about auditing spark-project.org links to be replaced
>> with ASF counterparts.
>>
>> Cheers,
>> Chris
>>
>> -----Original Message-----
>> From: Patrick Wendell <[email protected]>
>> Reply-To: "[email protected]" <[email protected]>
>> Date: Wednesday, September 25, 2013 4:08 PM
>> To: "[email protected]" <[email protected]>
>> Subject: Re: Spark 0.8.0: bits need to come from ASF infrastructure
>>
>>> Yep, we definitely need to just directly point people to the location at
>>> apache.org where they can find the hashes. I just updated the release
>>> notes and downloads page to point to that site.
>>>
>>> I just wanted to point out that mirroring these through a CDN seems
>>> philosophically the same as mirroring through Apache, since in neither
>>> case do we expect the users to trust the artifact they download. We
>>> just need to be more explicit that we are, indeed, mirroring and
>>> explain that the trusted root is at apache.org
>>>
>>> - Patrick
>>>
>>> On Wed, Sep 25, 2013 at 3:56 PM, Roman Shaposhnik <[email protected]> wrote:
>>>> On Wed, Sep 25, 2013 at 3:48 PM, Patrick Wendell <[email protected]>
>>>> wrote:
>>>>> Hey we've actually distributed our artifacts through amazon cloudfront
>>>>> in the past (and that is where the website links redirect to).
>>>>>
>>>>> Since the apache mirrors don't distribute signatures anyways,
>>>>
>>>> True, but apache dist does. IOW, it is not uncommon for those
>>>> having automated build/fetching systems to get bits from
>>>> one of the mirrors and then get the hashes directly from dist.
>>>>
>>>> In your current case, I don't think I know of a way to do that.
>>>>
>>>> Now, you may say that the current CDN you guys are using
>>>> is functioning like a mirror -- well, I'd say that it needs to be
>>>> called out like one then.
>>>>
>>>> Otherwise, as a naive user I *really* have to guess where
>>>> to get the hashes.
>>>>
>>>>> what is the difference between linking to an apache mirror vs using a
>>>>> more
>>>>> robust CDN? If people want to verify the downloads they need to go to
>>>>> the apache root in either case.
>>>>>
>>>>> Is this just a cultural thing or is there some security reason?
>>>>
>>>> A bit of both I guess.
>>>>
>>>> Thanks,
>>>> Roman.
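
The workflow discussed in the thread (artifact bytes from a mirror or CDN, digest taken separately from the trusted origin) as an added example, not code from the thread or from the Spark project. It assumes SHA-512 and two common digest-file layouts (coreutils `sha512sum` style and `gpg --print-md` style); the function names, file name and sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import re


def parse_digest_file(text, filename):
    """Return the lowercase SHA-512 hex digest recorded for `filename`.

    Handles the coreutils layout ("<hex>  <name>") and the
    `gpg --print-md` layout ("<name>: <HEX> <HEX> ...", wrapped lines).
    """
    text = text.strip()
    if not text:
        raise ValueError("empty digest file")
    if ":" in text.splitlines()[0]:
        name, _, rest = text.partition(":")
        digest = re.sub(r"\s+", "", rest)
    else:
        fields = text.split()
        digest, name = fields[0], fields[-1].lstrip("*")
    # Fail closed: a digest for some other file must never be accepted.
    if name.strip() != filename:
        raise ValueError("digest file does not cover %r" % filename)
    if not re.fullmatch(r"[0-9A-Fa-f]{128}", digest):
        raise ValueError("not a SHA-512 hex digest")
    return digest.lower()


def verify_artifact(artifact_bytes, digest_text, filename):
    """True only if the mirror/CDN bytes match the trusted-origin digest."""
    expected = parse_digest_file(digest_text, filename)
    actual = hashlib.sha512(artifact_bytes).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample data (not real release values).
NAME = "example-0.0.0.tgz"
GOOD = b"constructed release bytes"      # stands in for the mirror download
TAMPERED = GOOD + b"!"                   # same name, modified in transit
_hex = hashlib.sha512(GOOD).hexdigest()
COREUTILS_STYLE = "%s  %s\n" % (_hex, NAME)
_g = [_hex.upper()[i:i + 8] for i in range(0, 128, 8)]
GPG_STYLE = "%s: %s\n    %s\n" % (NAME, " ".join(_g[:8]), " ".join(_g[8:]))

if __name__ == "__main__":
    for label, text in (("coreutils", COREUTILS_STYLE), ("gpg", GPG_STYLE)):
        print(label, verify_artifact(GOOD, text, NAME),
              verify_artifact(TAMPERED, text, NAME))
```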
