Thank you for following up on this Chris! I filed a jira to update releases.html: https://issues.apache.org/jira/browse/ZOOKEEPER-2177
On Wed, Apr 29, 2015 at 10:53 PM, Chris Nauroth <[email protected]> wrote:
> Apache infra replied stating that this is working by design. The hashes
> and signatures are not propagated to mirrors. Instead, they reside only
> at apache.org. That makes sense when you consider that a malicious mirror
> could host bad bits (i.e. containing backdoors) and then just provide a
> hash that matches that patched binary. Instead, we state that the hashes
> and signatures come from apache.org. As long as you trust the apache.org
> domain, you know that those hashes and signatures are trustworthy.
>
> A potential improvement would be to update releases.html to provide a
> hyperlink to the relevant spot in apache.org for hash and signature files.
>
> Infra also stated that the .mds file I mentioned for Hadoop is considered
> non-standard, and therefore not subject to this filtering for the mirrors.
>
> --Chris Nauroth
>
> On 4/29/15, 3:56 PM, "Chris Nauroth" <[email protected]> wrote:
>
>>Thanks, Flavio. I went ahead and filed the infra ticket:
>>
>>https://issues.apache.org/jira/browse/INFRA-9556
>>
>>--Chris Nauroth
>>
>>On 4/29/15, 3:16 PM, "Flavio Junqueira" <[email protected]> wrote:
>>
>>>+1 to checking with infra.
>>>
>>>-Flavio
>>>
>>>> On 29 Apr 2015, at 23:09, Chris Nauroth <[email protected]> wrote:
>>>>
>>>> For the sake of comparison to another Apache project, here is a mirror
>>>> of Hadoop:
>>>>
>>>> http://www.webhostingreviewjam.com/mirror/apache/hadoop/common/hadoop-2.7.0/
>>>>
>>>> The checksum information in the .mds file is mirrored, but the
>>>> signature in the .asc file is not mirrored. For ZooKeeper on that same
>>>> mirror, both the signature and the checksum are missing:
>>>>
>>>> http://www.webhostingreviewjam.com/mirror/apache/zookeeper/zookeeper-3.5.0-alpha/
>>>>
>>>> I'm not familiar with the details of the mirroring configuration.
>>>> Maybe it's worth filing an INFRA ticket?
>>>>
>>>> --Chris Nauroth
>>>>
>>>> On 4/29/15, 2:47 PM, "Flavio Junqueira" <[email protected]> wrote:
>>>>
>>>>> But is it expected that the signature files aren't propagated to the
>>>>> mirrors? I'd think that they should be propagated too.
>>>>>
>>>>> -Flavio
>>>>>
>>>>>> On 29 Apr 2015, at 19:29, Michi Mutsuzaki <[email protected]> wrote:
>>>>>>
>>>>>> You can find these files here: https://www.apache.org/dist/zookeeper/
>>>>>>
>>>>>> I guess these files are not mirrored for security reasons.
>>>>>>
>>>>>> On Wed, Apr 29, 2015 at 10:49 AM, Flavio Junqueira
>>>>>> <[email protected]> wrote:
>>>>>>> That's weird, we definitely generate them for the RCs, and I'm quite
>>>>>>> sure we're publishing them:
>>>>>>> http://people.apache.org/~fpj/zookeeper-3.4.6-candidate-0/
>>>>>>>
>>>>>>> I'm not sure what's going on, and Pat Hunt might know about it. I'll
>>>>>>> see if I can find out more in the meanwhile.
>>>>>>> -Flavio
>>>>>>>
>>>>>>> On Wednesday, April 29, 2015 4:13 PM, ralph tice
>>>>>>> <[email protected]> wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I was surprised to discover that releases haven't been published
>>>>>>> with MD5/etc signatures since 3.3.2.
>>>>>>>
>>>>>>> Is this an intentional change by the project or an oversight? Is
>>>>>>> there an alternative method of verifying integrity of releases?
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> --Ralph
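
The trust model Chris Nauroth describes in the thread above, as an added Python example that is not part of the original messages or of any Apache tooling: the download may come from any mirror, but a checksum is accepted only when it was fetched from an https apache.org URL. The file name, the mirror host, the sample bytes and the `<hex>  <filename>` SHA-2 checksum layout are constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "apache.org"  # per the thread: hashes and signatures reside only here
ALGO_BY_HEX_LEN = {64: "sha256", 128: "sha512"}  # assumption: SHA-2 checksum files


def trusted_origin(url):
    """Accept only https URLs on apache.org or one of its subdomains."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    on_domain = host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)
    return parts.scheme == "https" and on_domain


def verify_download(artifact, checksum_text, checksum_url):
    """Return (ok, reason) for artifact bytes fetched from any mirror."""
    # The origin check comes first: a matching hash from the mirror proves nothing.
    if not trusted_origin(checksum_url):
        return False, "checksum did not come from apache.org"
    fields = checksum_text.split()
    expected = fields[0].lower() if fields else ""
    algo = ALGO_BY_HEX_LEN.get(len(expected))
    if algo is None or any(c not in "0123456789abcdef" for c in expected):
        return False, "unrecognised checksum format"
    actual = hashlib.new(algo, artifact).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, "digest mismatch"
    return True, "ok"


# Constructed sample data: stand-ins for a release tarball and a patched copy.
GOOD = b"constructed release bytes"
BAD = GOOD + b" plus unwanted changes"
NAME = "zookeeper-x.y.z.tar.gz"  # placeholder file name
# (checksum URL, checksum file content) as published at apache.org
OFFICIAL = ("https://www.apache.org/dist/zookeeper/" + NAME + ".sha512",
            hashlib.sha512(GOOD).hexdigest() + "  " + NAME)
# A mirror can publish a checksum that matches whatever bytes it serves.
MIRROR = ("http://mirror.example/zookeeper/" + NAME + ".sha512",
          hashlib.sha512(BAD).hexdigest() + "  " + NAME)

if __name__ == "__main__":
    cases = [("good bytes, apache.org hash", GOOD, OFFICIAL),
             ("patched bytes, apache.org hash", BAD, OFFICIAL),
             ("patched bytes, mirror's own hash", BAD, MIRROR)]
    for label, data, (url, text) in cases:
        print(label, "->", verify_download(data, text, url))
```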
