>> ...I'm thinking that even though binaries are not official Apache Flex
>> releases (http://incubator.apache.org/flex/about-binaries.html, thanks
>> Bertrand), people will still 'trust' them more if they are actually
>> hosted on an Apache mirror than on a random site....
>
> That would be a big mistake...Apache mirrors are not controlled by the
> ASF, they're a loosely-coupled network where in theory (before being
> caught) someone could easily mess with whatever files people download.
>
> The only way to validate a downloaded file is to check its signature
> and/or digest against data obtained from trusted sources.

I understand the principle and agree on the theory behind it. However, we want as many people using and advocating Apache Flex as possible. However, in the real world, people will want to stay up to date with the SDK but they can't/don't want to spend a lot of time and effort getting the latest version from SVN and building from source. That's what the convenience binaries are for, IMHO.

Having those available from the Apache 'network' (which for all intents and purposes the mirrors act like) will make most people trust them implicitly (yes, not a good idea, agreed, but certainly the way it works for most). I'm sure this is true for any network that makes the binaries available (e.g. Spoon), but since the name is APACHE Flex...

I feel the best place for them is with Apache, and have other people/organisations/sites link to them by using the badge. This will make sure the mirrors and not the direct apache.org location are used.

EdB

--
Ix Multimedia Software
Jan Luykenstraat 27
3521 VB Utrecht
T. 06-51952295
I. www.ixsoftware.nl
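
The digest check named in the quoted reply, as an added example that is not part of the original thread or of any Apache tooling: the file is treated as coming from an untrusted mirror and the digest text as coming from a trusted source. The file name `flex-sdk-bin.zip` and all sample data are constructed; the parser accepts both the `sha512sum` layout and the line-wrapped `gpg --print-md` layout that checksum files commonly use.

```python
import hashlib
import hmac
import io
import re


def parse_digest(text, algo="sha512"):
    """Return the lowercase hex digest found in a checksum file.

    Accepts 'HEX  filename' (sha512sum style), a bare hex string, and
    'filename: AB12CD34 ...' (gpg --print-md style, possibly line-wrapped).
    """
    want = hashlib.new(algo).digest_size * 2
    body = text.strip()
    tokens = body.split()
    candidates = [tokens[0] if tokens else ""]
    if ":" in body:  # gpg style: drop the "filename:" prefix, join the groups
        candidates.append(re.sub(r"\s+", "", body.split(":", 1)[1]))
    for cand in candidates:
        if len(cand) == want and re.fullmatch(r"[0-9A-Fa-f]+", cand):
            return cand.lower()
    raise ValueError("no well-formed %s digest in trusted data" % algo)


def verify_download(stream, trusted_digest_text, algo="sha512"):
    """Hash the mirror-served stream and compare with the trusted digest."""
    expected = parse_digest(trusted_digest_text, algo)
    h = hashlib.new(algo)
    for chunk in iter(lambda: stream.read(65536), b""):
        h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected)


# Constructed sample data: a stand-in artifact and its digest in both layouts.
ARTIFACT = b"constructed stand-in for a convenience binary\n"
_HEX = hashlib.sha512(ARTIFACT).hexdigest()
_GROUPS = [_HEX[i:i + 8].upper() for i in range(0, len(_HEX), 8)]
DIGEST_SUM_STYLE = _HEX + "  flex-sdk-bin.zip\n"  # hypothetical file name
DIGEST_GPG_STYLE = ("flex-sdk-bin.zip: " + " ".join(_GROUPS[:8])
                    + "\n                  " + " ".join(_GROUPS[8:]) + "\n")

if __name__ == "__main__":
    tampered = ARTIFACT.replace(b"binary", b"b1nary")
    print(verify_download(io.BytesIO(ARTIFACT), DIGEST_SUM_STYLE))
    print(verify_download(io.BytesIO(ARTIFACT), DIGEST_GPG_STYLE))
    print(verify_download(io.BytesIO(tampered), DIGEST_SUM_STYLE))
```

A malformed or truncated digest file raises `ValueError` rather than being treated as a mismatch, so a broken fetch of the trusted data is not confused with a tampered download.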