On Fri, 7 Nov 2003 [EMAIL PROTECTED] wrote:
> not as much bandwidth...
So let's design this a bit better then - make sure that it allows for the
authoritative source to be on ASF[*] hardware (perhaps with an ASF signed
key, sha1 or md5) - but it can be mirrored out through ibiblio, my local
disk, or wherever - without compromising trust, oversight, etc.
If that means we need to maintain a 'master' list of checksums or
something else signed on trusted hardware - that can be arranged. Either
as a web page or through some clever DNS/urn naptr mechanism. But there
is no reason not to decouple the trust/authoritative chain and/or metadata
from the actual bulk payload.
*: or whoever else is authoritative on the package.
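
An added example, not part of the original message: a sketch of the decoupling described above, where a small checksum manifest comes from the authoritative host and the bulk payload comes from whichever mirror serves matching bytes. It assumes the manifest's own signature has already been verified, uses SHA-256 rather than the sha1/md5 mentioned in the message, and all names (parse_manifest, fetch_verified, the mirror labels, demo-1.0.jar) are hypothetical.

```python
import hashlib
import hmac

def parse_manifest(text):
    """Parse 'hexdigest  filename' lines (sha256sum layout) into {filename: digest}."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno}: malformed entry")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if not set(digest) <= set("0123456789abcdef"):
            raise ValueError(f"manifest line {lineno}: digest is not hex")
        if name in entries:
            raise ValueError(f"manifest line {lineno}: duplicate entry for {name}")
        entries[name] = digest
    return entries

def fetch_verified(name, manifest, mirrors):
    """Return (mirror_label, payload) from the first mirror whose bytes match the manifest."""
    expected = manifest.get(name)
    if expected is None:
        raise KeyError(f"{name}: not listed in the authoritative manifest")
    rejected = []
    for label, fetch in mirrors:
        try:
            data = fetch(name)
        except OSError as exc:  # an unreachable mirror is skipped, not trusted
            rejected.append((label, f"fetch failed: {exc}"))
            continue
        actual = hashlib.sha256(data).hexdigest()
        if hmac.compare_digest(actual, expected):
            return label, data
        rejected.append((label, "digest mismatch"))
    raise RuntimeError(f"{name}: no mirror served the authoritative bytes: {rejected}")

# Constructed sample data: one tampered mirror, one unreachable, one honest.
GOOD = b"constructed release payload v1\n"
MANIFEST_TEXT = f"# constructed manifest\n{hashlib.sha256(GOOD).hexdigest()}  demo-1.0.jar\n"
def down(name):
    raise OSError("connection refused")
MIRRORS = [("mirror-a", lambda n: GOOD + b"tampered"), ("mirror-b", down), ("mirror-c", lambda n: GOOD)]

if __name__ == "__main__":
    manifest = parse_manifest(MANIFEST_TEXT)
    print(fetch_verified("demo-1.0.jar", manifest, MIRRORS)[0])
```

The mirrors need no trust of their own: a mirror can only withhold the file, never substitute it, as long as the manifest itself is authentic.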