On Mon, Sep 10, 2012 at 11:55 PM, Erik de Bruin <e...@ixsoftware.nl> wrote:
> ...I'm thinking that even though binaries are not official Apache Flex
> releases (http://incubator.apache.org/flex/about-binaries.html, thanks
> Bertrand), people will still 'trust' them more if they are actually
> hosted on an Apache mirror than on a random site....

That would be a big mistake...Apache mirrors are not controlled by the ASF, they're a loosely-coupled network where in theory (before being caught) someone could easily mess with whatever files people download. The only way to validate a downloaded file is to check its signature and/or digest against data obtained from trusted sources.

-Bertrand
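
Added example, not part of the original message: a Python sketch of the digest check described above, showing why the reference digest has to come from a trusted source rather than from the mirror that served the file. The release bytes, the simulated mirror and all function names are constructed for illustration.

```python
import hashlib
import hmac
import io

def sha512_stream(fh, chunk_size=65536):
    """Hash a file-like object in chunks so large downloads need not fit in memory."""
    h = hashlib.sha512()
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

def verify_download(payload: bytes, expected_hex: str) -> bool:
    """True only if the payload hashes to the reference digest."""
    actual = sha512_stream(io.BytesIO(payload))
    # Digest files often carry stray whitespace or upper-case hex; normalise first.
    expected = "".join(expected_hex.split()).lower()
    return hmac.compare_digest(actual.encode(), expected.encode())

# Constructed sample data. TRUSTED_DIGEST stands in for a value obtained
# from a source the project controls, not from the mirror (assumption).
RELEASE = b"constructed release artifact, version 1\n"
TRUSTED_DIGEST = hashlib.sha512(RELEASE).hexdigest()

def mirror_fetch(tampered: bool):
    """Simulated mirror: returns the file and the digest served next to it.
    Whoever can alter the file on a mirror can regenerate that digest too."""
    body = RELEASE + (b"# altered on the mirror\n" if tampered else b"")
    return body, hashlib.sha512(body).hexdigest()

def check(tampered: bool) -> dict:
    """Verify one download against both the mirror's digest and the trusted one."""
    body, mirror_digest = mirror_fetch(tampered)
    return {
        "vs_mirror_digest": verify_download(body, mirror_digest),
        "vs_trusted_digest": verify_download(body, TRUSTED_DIGEST),
    }

if __name__ == "__main__":
    print("clean mirror:   ", check(False))
    print("tampered mirror:", check(True))
```

A check against the digest served by the mirror passes in both cases, so it detects nothing; only the comparison against the trusted digest rejects the altered file.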