Feel free to join, although before anything is put into practice, I think
that the proposal needs to go before the infrastructure team as a whole.

> We have *absolutely no protection* against mirror owners deliberately
> or accidentally corrupting jars.  Hence things from mirrors should
> never be downloaded and installed as part of an automated process.
> One exception could be if the automated process were to also grab the
> md5 (or pgp, but that would be more complicated) from apache.org and
> verify the file's integrity.

I agree.  If the system is automated, it must protect users from themselves
(and the ASF from any liability) by verifying the integrity of the
distribution.  The system cannot make any assumptions regarding verification
by an end user.
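
The check the quoted message describes, as an added example that is not from this thread or from any ASF tooling: the bytes come from an untrusted mirror, the digest comes from the canonical apache.org host, and nothing is handed over for installation unless the two agree. The fetch callables and the jar bytes are constructed stand-ins; md5 is used because the message names it, but the same code takes a SHA-2 algorithm name, which is the stronger choice today.

```python
import hashlib
import hmac
import re
from typing import Callable

# Constructed sample data (not a real release): the jar bytes an honest mirror
# serves, and a modified variant a corrupt or broken mirror might serve.
ARTIFACT_NAME = "example-1.0.jar"
GOOD_BYTES = b"PK\x03\x04constructed-jar-contents"
BAD_BYTES = b"PK\x03\x04constructed-jar-contents-modified"

def parse_checksum_file(text: str, filename: str) -> str:
    """Return the hex digest for `filename` from a checksum file.

    Accepts a bare digest or the md5sum/sha512sum layout `<digest>  <name>`
    (with or without the `*` binary marker); raises ValueError otherwise.
    """
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]+)(?:\s+\*?(\S+))?$", line.strip())
        if m and (m.group(2) is None or m.group(2) == filename):
            return m.group(1).lower()
    raise ValueError(f"no digest for {filename} in checksum file")

def verify_artifact(data: bytes, checksum_text: str, filename: str,
                    algo: str = "md5") -> bool:
    """True only if `data` hashes to the digest published for `filename`."""
    expected = parse_checksum_file(checksum_text, filename)
    actual = hashlib.new(algo, data).hexdigest()
    # compare_digest also returns False on a length mismatch (wrong algorithm).
    return hmac.compare_digest(expected, actual)

def fetch_verified(fetch_mirror: Callable[[str], bytes],
                   fetch_canonical: Callable[[str], str],
                   filename: str, algo: str = "md5") -> bytes:
    """Take the bytes from an untrusted mirror but the digest from the
    canonical host, and never return bytes that failed verification."""
    data = fetch_mirror(filename)
    checksum_text = fetch_canonical(f"{filename}.{algo}")
    if not verify_artifact(data, checksum_text, filename, algo):
        raise RuntimeError(f"{filename}: digest mismatch, refusing to install")
    return data

# Offline stand-ins for the HTTP fetches (hypothetical, for this example);
# the canonical host publishes the digest of the good bytes in md5sum layout.
CANONICAL_FILES = {f"{ARTIFACT_NAME}.md5":
                   f"{hashlib.md5(GOOD_BYTES).hexdigest()}  {ARTIFACT_NAME}\n"}
honest_mirror = lambda name: GOOD_BYTES
corrupt_mirror = lambda name: BAD_BYTES
canonical = lambda name: CANONICAL_FILES[name]
```

Only the digest file is fetched from apache.org, so the mirror bandwidth saving is kept while the mirror's ability to substitute content is removed; a PGP signature check would replace `verify_artifact` with a signature verification against the project's published KEYS.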

