Re: download pages rethink
On Thu, 15 Jul 2004, Noel J. Bergman [EMAIL PROTECTED] wrote: I tend to disagree with your assertion that PGP signtures are less important than MD5 signatures. But then again, given how badly connected the PGP keys used to sign most Jakarta releases are, you are probably correct. A signature by a key that hasn't been signed by anybody else isn't much better than a MD5 hash. Perhaps, but PGP signatures are better, See my first sentence in the paragraph you quoted 8-) and there are things happen to improve the ASF WoT, such as our own CA server. Yep, but right now they are not really better than MD5 hashes. Stefan - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: download pages rethink
I keep the keys that I've used to sign the releases that I have done on a floppy disk away from any networked system. If you have the sign keys on an Apache server and if these servers ever get hacked (and it _will_ happen), then you have compromised the whole chain of trust. I very much prefer to keep the signing keys away from networked infrastructure. Regards Henning On Sun, 2004-07-18 at 01:32, Howard Lewis Ship wrote: I wish we could get away from PGP keys (though I understand it helps limit liability). It tends to be a decidely manual step, and error prone. I generate my PGP keys on my local machine and upload, it might be easier if I could figure out how to get my GnuPG key translated to a PGP key compatible with the tools on jakarta.apache.org, so I could sign the files there. On Sat, 17 Jul 2004 12:25:20 +0100, robert burrell donkin [EMAIL PROTECTED] wrote: On 15 Jul 2004, at 20:51, Stefan Bodewig wrote: snip BTW, I just now realized that we have a couple of releases that are neither PGP signed nor accompanied by MD5 hashes, this should be strongly discouraged IMHO. In particular since Ant supports generation of MD5 hashes since a few years now - and so does Maven. +1 i'm not sure what can be done about it, though. maybe the pmc could insist that all new release have sums and signatures. Finally I'd move the section about archived builds to the bottom as well. Thinking about it, I should probably mock up a design to show what I mean, will do so next week unless I get shot down before 8-) cool. i've been playing around with tables so maybe i'll post up a mock somewhere too. - robert - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Dipl.-Inf. (Univ.) Henning P. Schmiedehausen INTERMETA GmbH [EMAIL PROTECTED]+49 9131 50 654 0 http://www.intermeta.de/ RedHat Certified Engineer -- Jakarta Turbine Development -- hero for hire Linux, Java, perl, Solaris -- Consulting, Training, Development Fighting for one's political stand is an honorable action, but re- fusing to acknowledge that there might be weaknesses in one's position - in order to identify them so that they can be remedied - is a large enough problem with the Open Source movement that it deserves to be on this list of the top five problems. --Michelle Levesque, Fundamental Issues with Open Source Software Development - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: download pages rethink
On 18 Jul 2004, at 04:14, Henri Yandell wrote: While a single page is necessary for the casual browser, why would a user of Tomcat, who wants to download Tomcat 5, want to goto a list of many other subprojects? http://www.apache.org/dyn/closer.cgi/maven/binaries/maven-1.0.zip seems to be far more of what a user would want to see. However, it should also have the keys/signatures for that file. I'm pretty sure these aren't mirrored, so should be easy to modify closer.cgi. yep copies of the keys, sums and signatures are mirrored but users need to check the ones from minotaur. in terms of changes needed to closer.cgi, i'd definitely like to see the md5 sum on the page (rather than a link) with links to the KEYS and signature downloads but should be reasonably easy if we decide to go down this route. - robert - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: download pages rethink
On 15 Jul 2004, at 20:51, Stefan Bodewig wrote: snip BTW, I just now realized that we have a couple of releases that are neither PGP signed nor accompanied by MD5 hashes, this should be strongly discouraged IMHO. In particular since Ant supports generation of MD5 hashes since a few years now - and so does Maven. +1 i'm not sure what can be done about it, though. maybe the pmc could insist that all new release have sums and signatures. Finally I'd move the section about archived builds to the bottom as well. Thinking about it, I should probably mock up a design to show what I mean, will do so next week unless I get shot down before 8-) cool. i've been playing around with tables so maybe i'll post up a mock somewhere too. - robert - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: download pages rethink
I wish we could get away from PGP keys (though I understand it helps limit liability). It tends to be a decidely manual step, and error prone. I generate my PGP keys on my local machine and upload, it might be easier if I could figure out how to get my GnuPG key translated to a PGP key compatible with the tools on jakarta.apache.org, so I could sign the files there. On Sat, 17 Jul 2004 12:25:20 +0100, robert burrell donkin [EMAIL PROTECTED] wrote: On 15 Jul 2004, at 20:51, Stefan Bodewig wrote: snip BTW, I just now realized that we have a couple of releases that are neither PGP signed nor accompanied by MD5 hashes, this should be strongly discouraged IMHO. In particular since Ant supports generation of MD5 hashes since a few years now - and so does Maven. +1 i'm not sure what can be done about it, though. maybe the pmc could insist that all new release have sums and signatures. Finally I'd move the section about archived builds to the bottom as well. Thinking about it, I should probably mock up a design to show what I mean, will do so next week unless I get shot down before 8-) cool. i've been playing around with tables so maybe i'll post up a mock somewhere too. - robert - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Howard M. Lewis Ship Independent J2EE / Open-Source Java Consultant Creator, Jakarta Tapestry Creator, Jakarta HiveMind http://howardlewisship.com - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: download pages rethink
robert burrell donkin wrote: IMO signatures are more important (than md5 sums) for the ASF and less important for users. md5 sums are quick and easy to understand. If we were ever hacked, MD5 sums could be replaced without detection. That cannot be done with PGP keys, and we have had people e-mail our security folks when they cannot locate the key for checking. I'd sooner have files uploaded signed, and generate the MD5s locally if missing. what would be useful is a list of fingerprints for code signing keys on the website. it would also give an extra independent security layer. We have KEYS, which is supposed to have the public key, and we have a new server in the UK that is supposed to provide certificate based services for the ASF. --- Noel - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: download pages rethink
I was originally signing packages on the Apache server (as I wasn't used to installing PGP on machines I setup for dev work). It was recommended repeatedly that I get them off as it is a risk to the quality of the authentication. Hen On Sat, 17 Jul 2004, Howard Lewis Ship wrote: I wish we could get away from PGP keys (though I understand it helps limit liability). It tends to be a decidely manual step, and error prone. I generate my PGP keys on my local machine and upload, it might be easier if I could figure out how to get my GnuPG key translated to a PGP key compatible with the tools on jakarta.apache.org, so I could sign the files there. On Sat, 17 Jul 2004 12:25:20 +0100, robert burrell donkin [EMAIL PROTECTED] wrote: On 15 Jul 2004, at 20:51, Stefan Bodewig wrote: snip BTW, I just now realized that we have a couple of releases that are neither PGP signed nor accompanied by MD5 hashes, this should be strongly discouraged IMHO. In particular since Ant supports generation of MD5 hashes since a few years now - and so does Maven. +1 i'm not sure what can be done about it, though. maybe the pmc could insist that all new release have sums and signatures. Finally I'd move the section about archived builds to the bottom as well. Thinking about it, I should probably mock up a design to show what I mean, will do so next week unless I get shot down before 8-) cool. i've been playing around with tables so maybe i'll post up a mock somewhere too. - robert - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Howard M. Lewis Ship Independent J2EE / Open-Source Java Consultant Creator, Jakarta Tapestry Creator, Jakarta HiveMind http://howardlewisship.com - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: download pages rethink
While a single page is necessary for the casual browser, why would a user of Tomcat, who wants to download Tomcat 5, want to goto a list of many other subprojects? http://www.apache.org/dyn/closer.cgi/maven/binaries/maven-1.0.zip seems to be far more of what a user would want to see. However, it should also have the keys/signatures for that file. I'm pretty sure these aren't mirrored, so should be easy to modify closer.cgi. Then each subproject can manage a simple page with the lists of their distributions. As the actual download page will mention keys/signatures, the project-list page merely has to mention that the keys/signatures can be found on the download page. My only grumble is with: http://maven.apache.org/start/download.html It doesn't indicate that the link goes to a mirror'd download page, but suggests that clicking on said link will download. This means users will right-click and do Save-As on some occasions. Sourceforge has a similar problem. Sorry for how long it took to reply, Hen On Sun, 11 Jul 2004, robert burrell donkin wrote: i've created a document on the wiki (http://wiki.apache.org/jakarta/InfrastructureIssues/WebSite/ DownloadPages). i'm happy for discussion to continue on this list but i thought that it might be useful to have a base document. comment encouraged :) - robert - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: download pages rethink
On Sun, 11 Jul 2004, robert burrell donkin [EMAIL PROTECTED] wrote: i'm happy for discussion to continue on this list I feel more comfortable to do so, but that may be a personal thing. Discussions need to get the use of I to stick to a name and the Wiki really doesn't make this easy. I tend to disagree with your assertion that PGP signtures are less important than MD5 signatures. But then again, given how badly connected the PGP keys used to sign most Jakarta releases are, you are probably correct. A signature by a key that hasn't been signed by anybody else isn't much better than a MD5 hash. BTW, I just now realized that we have a couple of releases that are neither PGP signed nor accompanied by MD5 hashes, this should be strongly discouraged IMHO. In particular since Ant supports generation of MD5 hashes since a few years now - and so does Maven. Instead of shortening the section by moving PGP, I'd rather move the whole section to the bottom of the page and just link it from the top (see the Ant page for an example). But this is hardly the only text at the top of the page that could easily be moved in order to make the actual download links more prominent. Thge description of the various types of downloads we provide could appear at the individual sections - so we don't talk about milestone and test builds to people who are really just interested in the latest thing. We don't need to point to the news page/sites at all IMHO, that's inside the navigation anyway. And people who are interested in announcements will find the mailing list page by following the link in the navigation as well. Finally I'd move the section about archived builds to the bottom as well. Thinking about it, I should probably mock up a design to show what I mean, will do so next week unless I get shot down before 8-) The tabular view you envision may really be more appropriate than the long list we have right now. I wouldn't link the project names to the KEYS files, though, at least to me the connection wouldn't be obvious. Stefan -- http://stefanbodewig.blogger.de/ - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
download pages rethink
i've created a document on the wiki (http://wiki.apache.org/jakarta/InfrastructureIssues/WebSite/ DownloadPages). i'm happy for discussion to continue on this list but i thought that it might be useful to have a base document. comment encouraged :) - robert - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
