Apache infra replied stating that this is working by design. The hashes and signatures are not propagated to mirrors. Instead, they reside only at apache.org. That makes sense when you consider that a malicious mirror could host bad bits (i.e. containing backdoors) and then just provide a hash that matches that patched binary. Instead, we state that the hashes and signatures come from apache.org. As long as you trust the apache.org domain, you know that those hashes and signatures are trustworthy.
A potential improvement would be to update releases.html to provide a hyperlink to the relevant spot in apache.org for hash and signature files. Infra also stated that the .mds file I mentioned for Hadoop is considered non-standard, and therefore not subject to this filtering for the mirrors.

--Chris Nauroth

On 4/29/15, 3:56 PM, "Chris Nauroth" <[email protected]> wrote:

>Thanks, Flavio. I went ahead and filed the infra ticket:
>
>https://issues.apache.org/jira/browse/INFRA-9556
>
>--Chris Nauroth
>
>On 4/29/15, 3:16 PM, "Flavio Junqueira" <[email protected]> wrote:
>
>>+1 to checking with infra.
>>
>>-Flavio
>>
>>> On 29 Apr 2015, at 23:09, Chris Nauroth <[email protected]> wrote:
>>>
>>> For the sake of comparison to another Apache project, here is a mirror of Hadoop:
>>>
>>> http://www.webhostingreviewjam.com/mirror/apache/hadoop/common/hadoop-2.7.0/
>>>
>>> The checksum information in the .mds file is mirrored, but the signature in the .asc file is not mirrored. For ZooKeeper on that same mirror, both the signature and the checksum are missing:
>>>
>>> http://www.webhostingreviewjam.com/mirror/apache/zookeeper/zookeeper-3.5.0-alpha/
>>>
>>> I'm not familiar with the details of the mirroring configuration. Maybe it's worth filing an INFRA ticket?
>>>
>>> --Chris Nauroth
>>>
>>> On 4/29/15, 2:47 PM, "Flavio Junqueira" <[email protected]> wrote:
>>>
>>>> But is it expected that the signature files aren't propagated to the mirrors? I'd think that they should be propagated too.
>>>>
>>>> -Flavio
>>>>
>>>>> On 29 Apr 2015, at 19:29, Michi Mutsuzaki <[email protected]> wrote:
>>>>>
>>>>> You can find these files here: https://www.apache.org/dist/zookeeper/
>>>>>
>>>>> I guess these files are not mirrored for security reasons.
>>>>>
>>>>> On Wed, Apr 29, 2015 at 10:49 AM, Flavio Junqueira <[email protected]> wrote:
>>>>>> That's weird, we definitely generate them for the RCs, and I'm quite sure we're publishing them:
>>>>>> http://people.apache.org/~fpj/zookeeper-3.4.6-candidate-0/
>>>>>>
>>>>>> I'm not sure what's going on, and Pat Hunt might know about it. I'll see if I can find out more in the meanwhile.
>>>>>> -Flavio
>>>>>>
>>>>>> On Wednesday, April 29, 2015 4:13 PM, ralph tice <[email protected]> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I was surprised to discover that releases haven't been published with MD5/etc signatures since 3.3.2.
>>>>>>
>>>>>> Is this an intentional change by the project or an oversight? Is there an alternative method of verifying integrity of releases?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> --Ralph
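
The trust model described in the top message (bits from any mirror, hashes only from apache.org) can be enforced in a download script. The following is an added example, not part of the original thread and not Apache tooling; the file name, the `.sha512` path, the mirror URL and the sample bytes are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

TRUSTED_HOSTS = {"www.apache.org", "apache.org"}  # assumption: the origin you trust

def checksum_source_trusted(url):
    """Accept checksum files only over HTTPS from the origin, never a mirror."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in TRUSTED_HOSTS

def parse_checksum(text, filename):
    """Parse 'HEX  filename', 'HEX *filename' or a bare 'HEX' line."""
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) == 1 or fields[-1].lstrip("*") == filename:
            digest = fields[0].lower()
            if all(c in "0123456789abcdef" for c in digest):
                return digest
    raise ValueError("no checksum for " + filename)

def verify(artifact, filename, checksum_text, checksum_url, algo="sha512"):
    """Return (ok, reason); the artifact bytes may come from any mirror."""
    if not checksum_source_trusted(checksum_url):
        return False, "checksum not from trusted origin"
    expected = parse_checksum(checksum_text, filename)
    actual = hashlib.new(algo, artifact).hexdigest()
    if not hmac.compare_digest(expected, actual):
        return False, "digest mismatch"
    return True, "ok"

# Constructed sample data: a genuine release and a copy altered by a mirror.
NAME = "zookeeper-x.y.z.tar.gz"  # placeholder file name
GENUINE = b"genuine release bytes"
TAMPERED = b"genuine release bytes + backdoor"
ORIGIN_SUM = hashlib.sha512(GENUINE).hexdigest() + "  " + NAME
MIRROR_SUM = hashlib.sha512(TAMPERED).hexdigest() + "  " + NAME  # matches the bad bits
ORIGIN_URL = "https://www.apache.org/dist/zookeeper/" + NAME + ".sha512"  # hypothetical
MIRROR_URL = "http://mirror.example/apache/zookeeper/" + NAME + ".sha512"

if __name__ == "__main__":
    # A mirror-supplied hash matches the tampered file, so only the source check stops it.
    print(verify(GENUINE, NAME, ORIGIN_SUM, ORIGIN_URL))
    print(verify(TAMPERED, NAME, MIRROR_SUM, MIRROR_URL))
    print(verify(TAMPERED, NAME, ORIGIN_SUM, ORIGIN_URL))
```

A matching checksum only ties the download to what the origin published; checking the `.asc` signature against the project's keys is a separate step not shown here.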
