On Thu, 6 Nov 2003, Leo Simons wrote:
> indeed. It's trivial. Here's download.cgi:
>
> [EMAIL PROTECTED] ~]$ cat /www/avalon.apache.org/download.cgi
> #!/bin/sh
> cd /www/www.apache.org/dyn/mirrors
> /www/www.apache.org/dyn/mirrors/mirrors.cgi $*
>
> the relevant snippet of download.html:
>
> <p><code>
> maven.repo.remote = [preferred]/avalon,http://www.ibiblio.org/maven
> </code></p>
>
> finally, a line like this is required in mirrors.conf:
>
> [avalon.apache.org]
> download.cgi = /www/avalon.apache.org/download.html

Sorry, I'm not on [EMAIL PROTECTED] (Do we have any mirror
maintainers on that list?)  But I don't believe this is a particularly
smart thing to do.  We have *absolutely no protection* against mirror owners
deliberately or accidentally corrupting jars.  Hence things from mirrors
should never be downloaded and installed as part of an automated process.

One exception could be if the automated process were to also grab the md5
(or pgp, but that would be more complicated) from apache.org and verify
the file's integrity.

I think many ASF projects are putting too much trust in the mirrors.  It
would be very simple to get arbitrary code executed by hundreds or
thousands of different machines simply by signing up as an apache mirror
and replacing files for some of the projects that don't do a good job of
assuring downloads are verified.

Joshua.

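The check Joshua proposes, as an added example that is not code from this thread or from the Avalon/Maven setup above: the jar is fetched from a mirror, but the .md5 is taken from the canonical host, and an artifact that fails the comparison is never moved into place. The jar bytes, file names and digest file are constructed for the example.

```python
import hashlib
import hmac
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Constructed sample: the bytes the canonical host published, and a mirror copy
# that was tampered with. Both are inline so the example runs offline.
CANONICAL_JAR = b"PK\x03\x04 pretend this is avalon-framework.jar"
TAMPERED_JAR = b"PK\x03\x04 pretend this is a backdoored jar"

def canonical_md5_line(data: bytes, name: str) -> str:
    """Format a .md5 file the way `md5sum` writes it: '<hex>  <filename>'."""
    return f"{hashlib.md5(data).hexdigest()}  {name}\n"

def parse_md5_file(text: str) -> str:
    """Extract the hex digest from a .md5 file (bare digest or md5sum format)."""
    m = re.match(r"\s*([0-9a-fA-F]{32})\b", text)
    if not m:
        raise ValueError("no 32-hex-digit MD5 digest found in checksum file")
    return m.group(1).lower()

def verify_mirror_download(artifact_path: Path, md5_text: str) -> bool:
    """Compare the mirror-served artifact with the digest published on the
    canonical host. The digest must NOT come from the mirror, otherwise a
    mirror owner can replace both the jar and its checksum."""
    expected = parse_md5_file(md5_text)
    actual = hashlib.md5(artifact_path.read_bytes()).hexdigest()
    return hmac.compare_digest(expected, actual)

def fetch_and_install(mirror_bytes: bytes, canonical_md5: str, dest: Path) -> bool:
    """Simulate the automated step: write the mirror copy to a staging file,
    verify it against the canonical digest, and only then 'install' it."""
    staging = dest.with_suffix(dest.suffix + ".part")
    staging.write_bytes(mirror_bytes)
    if not verify_mirror_download(staging, canonical_md5):
        staging.unlink()          # never leave an unverified jar on disk
        return False
    staging.rename(dest)          # verified: move into place
    return True

def demo() -> tuple:
    md5_from_apache_org = canonical_md5_line(CANONICAL_JAR, "avalon-framework.jar")
    with TemporaryDirectory() as tmp:
        good = fetch_and_install(CANONICAL_JAR, md5_from_apache_org, Path(tmp) / "good.jar")
        bad = fetch_and_install(TAMPERED_JAR, md5_from_apache_org, Path(tmp) / "bad.jar")
        left_behind = (Path(tmp) / "bad.jar").exists() or (Path(tmp) / "bad.jar.part").exists()
    return good, bad, left_behind
```

`demo()` returns `(True, False, False)`: the genuine copy installs, the tampered copy is rejected and nothing of it remains on disk.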