On Fri, 7 Nov 2003 [EMAIL PROTECTED] wrote:
> not as much bandwidth... So lets design this a bit better then = make sure that it allows for the authoritative source to be on ASF[*] hardware (perhaps with an ASF signed key, sha1 or md5) - but it can be mirrored out through ibiblio, my local disk, or wherever - without compromsing trust, oversight, etc. If that means we need to maintain a 'master' list of checksums or something else signed on trusted hardware - that can be arranged. Either as a web page or through some clever DNS/urn naptr mechanism. But there is no reason not to decouple the trust/authoritative chain and/or metadata from the actual bulk payload. Dw *: or whoever else is authoritative on the package.
