On Thu, 6 Nov 2003, Leo Simons wrote:

> indeed. Its trivial. Here's download.cgi:
>
> [EMAIL PROTECTED] ~]$ cat /www/avalon.apache.org/download.cgi
> #!/bin/sh
> cd /www/www.apache.org/dyn/mirrors
> /www/www.apache.org/dyn/mirrors/mirrors.cgi $*
>
> the relevant snippet of download.html:
>
> <p><code>
> maven.repo.remote = [preferred]/avalon,http://www.ibiblio.org/maven
> </code></p>
>
> finally, a line like this is required in mirrors.conf:
>
> [avalon.apache.org]
> download.cgi = /www/avalon.apache.org/download.html
Sorry, I'm not on [EMAIL PROTECTED] (Do we have any mirror maintainers on that list?)

But I don't believe this is a particularly smart thing to do. We have *absolutely no protection* against mirror owners deliberately or accidentally corrupting jars. Hence things from mirrors should never be downloaded and installed as part of an automated process. One exception could be if the automated process were to also grab the md5 (or pgp, but that would be more complicated) from apache.org and verify the file's integrity.

I think many ASF projects are putting too much trust in the mirrors. It would be very simple to get arbitrary code executed by hundreds or thousands of different machines simply by signing up as an apache mirror and replacing files for some of the projects that don't do a good job of assuring downloads are verified.

Joshua.
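The exception Joshua describes (pull the artifact from a mirror, but pull the checksum from apache.org and refuse to install on mismatch) as a worked example. This is an added illustration, not code from the thread, from Avalon or from the ASF mirror scripts; the `MIRROR_BASE` and `CANONICAL_BASE` URLs are hypothetical placeholders, and the `.md5` file is assumed to hold either a bare hash or the common `<hash>  <filename>` layout.

```shell
#!/bin/sh
# Added example: download a jar from a mirror but verify it against the
# checksum published on the canonical host before installing it.
# MIRROR_BASE and CANONICAL_BASE are hypothetical defaults for illustration.
MIRROR_BASE=${MIRROR_BASE:-http://mirror.example.org/dist/avalon}
CANONICAL_BASE=${CANONICAL_BASE:-http://www.apache.org/dist/avalon}

# verify_md5 FILE MD5FILE
# Accepts a .md5 file containing either "<hash>" alone or "<hash>  <filename>".
# Returns 0 when the file's MD5 matches, 1 on mismatch or missing input.
verify_md5() {
    file=$1
    md5file=$2
    [ -f "$file" ] && [ -f "$md5file" ] || return 1
    # first whitespace-separated token of the first line, lower-cased
    expected=$(awk 'NR==1 { print tolower($1) }' "$md5file")
    actual=$(md5sum "$file" | awk '{ print tolower($1) }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# fetch_verified ARTIFACT DEST
# Artifact bytes come from the mirror; the checksum comes only from the
# canonical host, so a mirror cannot substitute both file and checksum.
fetch_verified() {
    artifact=$1
    dest=$2
    curl -fsSL "$MIRROR_BASE/$artifact" -o "$dest.tmp" || return 1
    curl -fsSL "$CANONICAL_BASE/$artifact.md5" -o "$dest.md5" || return 1
    if verify_md5 "$dest.tmp" "$dest.md5"; then
        mv "$dest.tmp" "$dest"
    else
        rm -f "$dest.tmp"
        echo "checksum mismatch for $artifact from mirror; not installing" >&2
        return 1
    fi
}

# Usage: fetch_verified jars/avalon-framework-4.1.jar ./avalon-framework-4.1.jar
```

The check only helps if the `.md5` is never fetched through the mirror redirect: a mirror that serves both the jar and its checksum can keep them consistent with each other. The same pattern with a detached PGP signature verified against a key obtained out of band (the "pgp" option in the message) also covers the case where the canonical download host itself is the one serving bad bytes.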
