> One exception could be if the automated process were to also grab the md5 > (or pgp, but that would be more complicated) from apache.org and verify > the file's integrity.
I think this should be assumed as a minimum. Given this, would you be comfortable? [I see 'could be'.] regards Adam
