On Thursday 17 January 2008 18:37:19 Dev Mazumdar wrote:
> Hi,
>
> While I agree with this, how do we specify the build id in the package
> name?
>
> We can guarantee that whatever is in the stable/$LICENSE is always the
> latest - you will only find ONE bz2 file there.
>
> The other option is we rename as follows:
> sources/stable/oss-4.0-stable-<license>.tar.bz2
> But you never know what version this file is.
>
>
> Yet another option is that we have a symlink:
> LATEST -> oss-4.0-<buildid>-<license>.tar.bz2
> Then you pull down LATEST using wget or whatever.
>

The latter option sounds simplest. Two other things I'd suggest:
   1) Having the newest version already in attic/ . That way, there's already 
a stable link if a package system is interested in that particular build.
   2) Having a checksum on the server for the source tarballs (LATEST.sha?). 
The recent SquirrelMail vulnerability[1] shows that the source poisoning 
method is used in the wild. (Yes, an attacker will change the checksum on the 
affected server, but a user can verify against a checksum from a different 
mirror from the one downloading LATEST). I'm no expert at this, but MD5 
sounds like it's about to be broken for verification, so I'd suggest using a 
SHA-based method.

[1] 
http://www.beskerming.com/commentary/2007/12/19/313/SquirrelMail_Repository_Poisoned_with_Critical_flaw

Yours,
        Yair K.
_______________________________________________
oss-devel mailing list
oss-devel@mailman.opensound.com
http://mailman.opensound.com/mailman/listinfo/oss-devel
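An added example of the cross-mirror check suggested in point 2 above, not code from the thread or from the OSS project. Because the tarball is fetched as LATEST, its local name never matches the name recorded in the checksum file, so the function compares digests directly instead of relying on `sha256sum -c`; the LATEST.sha format (sha256sum output, one line) and the build name used in the demo are assumptions.

```shell
# Added example, not from the thread or the OSS project. Assumptions: the
# checksum file is in sha256sum output format ("<hex>  <filename>") and holds
# one line; file names below are constructed stand-ins.

# verify_latest TARBALL CHECKSUM_FILE
# The download is saved as LATEST, so its local name never matches the name
# recorded in LATEST.sha; compare digests directly instead of `sha256sum -c`.
# Returns 0 on match, 1 on mismatch, 2 on an unusable checksum file.
verify_latest() {
    tarball=$1
    sums=$2
    expected=$(awk 'NR == 1 { print tolower($1) }' "$sums")
    case $expected in
        ""|*[!0-9a-f]*) echo "bad checksum file: $sums" >&2; return 2 ;;
    esac
    [ ${#expected} -eq 64 ] || { echo "not a SHA-256 digest" >&2; return 2; }
    actual=$(sha256sum "$tarball" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $tarball matches $(awk 'NR == 1 { print $2 }' "$sums")"
        return 0
    fi
    printf 'MISMATCH: %s\n  expected %s\n  actual   %s\n' \
        "$tarball" "$expected" "$actual" >&2
    return 1
}

# Offline walk-through with constructed files: a clean build passes, and the
# same file name with altered contents (the poisoning case) fails.
demo() {
    dir=$(mktemp -d) || return 2
    name=oss-4.0-1234-gpl.tar.bz2            # constructed build name
    printf 'pretend tarball contents\n' > "$dir/$name"
    ( cd "$dir" && sha256sum "$name" > LATEST.sha )   # what a second mirror publishes
    ln -s "$name" "$dir/LATEST"                        # the LATEST symlink
    verify_latest "$dir/LATEST" "$dir/LATEST.sha" || { rm -rf "$dir"; return 1; }
    printf 'pretend tarball contents, modified\n' > "$dir/$name"
    if verify_latest "$dir/LATEST" "$dir/LATEST.sha" 2>/dev/null; then
        rm -rf "$dir"; return 1
    fi
    rm -rf "$dir"
    return 0
}
```

Fetching LATEST.sha from a mirror other than the one that served LATEST is what gives the check its value; a checksum taken from the same compromised host proves nothing.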
