Thanks for all the information. To paraphrase what you are saying, the sources and binary distros are tightly controlled. The binary builds (for the whole Apache Foundation) are created and maintained with security in mind by people who know what they are doing. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yoav Shapira Sent: Tuesday, May 23, 2006 10:53 AM To: Tomcat Developers List Subject: Re: Binary build procedures
Mark, The binary distributions are handled with the same security precautions as the source ones. Each distribution file is accompanied by its MD5 checksum and is PGP-signed by the release manager. The MD5 checksums, PGP signatures, and KEYS files (available with the distro as well as on the main download pages) are all unmirrored, residing only on the original apache.org servers. So in addition to the security granted by MD5 and PGP, someone would have to hack apache.org and modify those very files in order to get you to trust the release. I'm not aware of that ever happening in the past. Besides noting that the security for source distros (which you already trust) are the same as binary distros, I'd further note that these procedures are standard across the Foundation (i.e. Tomcat doesn't do anything special here), and as such have been devised, verified, and are monitored by a number of folks who know a whole lot more than I do about distro integrity. Finally, if you still don't trust binaries but do trust sources, you always have the option of grabbing the latter distro and building the binary yourself ;) Yoav On 5/23/06, Mark Claassen <[EMAIL PROTECTED]> wrote: > > My boss has implemented some new procedures with regard to open source > projects. He believes the source distributions are trustworthy, but > he is not sure if he trusts the binary distributions. I think the > reasoning is that he is uncertain if the binary distributions are > controlled as well as the source ones are. And if they are not, > someone could inject some malicious code to expose customer data or something. > > Can someone give me a brief explanation on how the binary > distributions are created for 5.5? Are the binary distributions > created automatically from the repository, leaving no chance for nefarious tampering? > > Thanks, > Mark > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] For > additional commands, e-mail: [EMAIL PROTECTED] > > -- Yoav Shapira Nimalex LLC 1 Mifflin Place, Suite 310 Cambridge, MA, USA [EMAIL PROTECTED] / www.yoavshapira.com --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
