I just discovered a problem with the vcl-install.sh and vcl-upgrade.sh scripts bundled with 2.4.2. When we decided to move to putting all release files under a directory named after the version number when placing files at www.apache.org/dist/vcl, I didn't get the scripts updated to include the version number in the path from which they download the archive and signatures (i.e. they are downloading from /dist/vcl instead of /dist/vcl/2.4.2).

We have 2 options for fixing this:

1) release 2.4.3 with the paths included
2) copy the files that are under www.apache.org/dist/vcl/2.4.2 to www.apache.org/dist/vcl

I'd prefer not to do yet another release (option 1). Regarding option 2, we decided to put all of the files under a version number because vcl-install.sh and vcl-upgrade.sh don't have version numbers in the filenames, and would thus keep getting updated in the /dist/vcl directory with each release, which could trigger an attack alert since the files would be modified.

I think we'd be safe to copy all of the files from /dist/vcl/2.4.2 to /dist/vcl for one release. Since vcl-install.sh and vcl-upgrade.sh are not currently in /dist/vcl, I don't think we'll trigger any alerts. Then, for the next release, we'd have things fixed to be downloading from the correct URLs.

Thoughts?

Josh
--
-------------------------------
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found at pgp.mit.edu
