On Thursday 17 January 2008 18:37:19 Dev Mazumdar wrote:
> Hi,
>
> While I agree with this, how do we specify the build id in the package
> name?
>
> We can guarantee that whatever is in the stable/$LICENSE is always the
> latest - you will only find ONE bz2 file there.
>
> The other option is we rename as follows:
> sources/stable/oss-4.0-stable-<license>.tar.bz2
> But you never know what version this file is.
>
>
> Yet another option is that we have a symlink:
> LATEST -> oss-4.0-<buildid>-<license>-tar.bz2
> Then you pull down LATEST using wget or whatever.
>
The latter option sounds simplest. Two other things I'd suggest:

1) Having the newest version already in attic/. That way, there's already a stable link if a package system is interested in that particular build.

2) Having a checksum on the server for the source tarballs (LATEST.sha?). The recent SquirrelMail vulnerability[1] shows that the source poisoning method is used in the wild. (Yes, an attacker will change the checksum on the affected server, but a user can verify against a checksum from a different mirror from the one downloading LATEST). I'm no expert at this, but MD5 sounds like it's about to be broken for verification, so I'd suggest using a SHA-based method.

[1] http://www.beskerming.com/commentary/2007/12/19/313/SquirrelMail_Repository_Poisoned_with_Critical_flaw

Yours,
Yair K.
_______________________________________________
oss-devel mailing list
oss-devel@mailman.opensound.com
http://mailman.opensound.com/mailman/listinfo/oss-devel
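A worked version of the second suggestion, added here as an example and not code from the thread or from the OSS project: it fetches LATEST from one mirror and LATEST.sha from a different mirror, refuses to proceed if both URLs name the same host, and accepts the tarball only when the digests agree. The `sources/stable/<license>/` layout, the `sha256sum`-style content of LATEST.sha, SHA-256 as the "SHA-based method" and the `mirror.example` hosts are assumptions.

```shell
#!/bin/sh
# Added example, not the OSS project's release tooling. Assumed layout:
#   <mirror>/sources/stable/<license>/LATEST      (symlink to the real tarball)
#   <mirror>/sources/stable/<license>/LATEST.sha  ("<sha256 hex>  <filename>")

# Print the SHA-256 hex digest of a file with whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_tarball FILE SUMFILE
# Returns 0 if the digest on the first line of SUMFILE matches FILE,
# 1 on a mismatch, 2 if SUMFILE does not hold a well-formed SHA-256 digest.
verify_tarball() {
    expected=$(awk 'NR==1 {print tolower($1)}' "$2")
    case "$expected" in
        ""|*[!0-9a-f]*) return 2 ;;      # empty or not hex: malformed file
    esac
    [ ${#expected} -eq 64 ] || return 2  # SHA-256 is 64 hex digits
    actual=$(sha256_of "$1")
    [ "$actual" = "$expected" ]
}

# fetch_and_verify LICENSE DOWNLOAD_MIRROR CHECKSUM_MIRROR
# Returns 2 before touching the network if both mirrors share a host: a
# checksum served by the same (possibly poisoned) server proves nothing.
# Returns 3 if a download fails, otherwise the result of verify_tarball.
fetch_and_verify() {
    license=$1; dl=$2; ck=$3
    dl_host=${dl#*://}; dl_host=${dl_host%%/*}
    ck_host=${ck#*://}; ck_host=${ck_host%%/*}
    [ "$dl_host" != "$ck_host" ] || return 2
    wget -q -O oss-latest.tar.bz2 "${dl%/}/sources/stable/$license/LATEST" || return 3
    wget -q -O LATEST.sha "${ck%/}/sources/stable/$license/LATEST.sha" || return 3
    verify_tarball oss-latest.tar.bz2 LATEST.sha
}
```

Example call: `fetch_and_verify gpl http://mirror-a.example http://mirror-b.example && tar xjf oss-latest.tar.bz2`.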