Re: [Fwd: Re: /www/www.apache.org/dyn/mirrors/mirrors.cgi]
Kurt Miller wrote:
From: jean-frederic clere [EMAIL PROTECTED]
Tetsuya Kitahata wrote:
On Tue, 07 Oct 2003 13:49:39 +0200 Remy Maucherat [EMAIL PROTECTED] wrote:

There is no guarantee that the binaries d/led are not corrupted on your random mirror, or haven't been tampered with, or if the mirror is available at all. This is for the build process, so mirrors are not a good solution.

If so, archive.apache.org would be better? (Seems that it would be against the policy of infrastructure team, though)

Yes. The download task is used to build the Tomcat, so we must be sure that the files we use to build it are reliable. Using archive.apache.org would allow us to build old versions of Tomcat: this is interesting for bug fixing.

Doesn't this mean that anyone who tries to build Tomcat from source using the download task will not use the mirrors? If apache doesn't trust downloading from mirrors how would you expect users to trust them?

I guess a user would be willing to manually check the keys of one binary download, but would not be likely to check the keys of multiple downloads. Maybe a solution similar to what the BSD porting systems use would be a possible solution to the trust issue. They automatically download AND check the keys of the files.

Right but how could I check the keys in ant?

-Kurt

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: [Fwd: Re: /www/www.apache.org/dyn/mirrors/mirrors.cgi]
From: jean-frederic clere [EMAIL PROTECTED]
Kurt Miller wrote:

I guess a user would be willing to manually check the keys of one binary download, but would not be likely to check the keys of multiple downloads. Maybe a solution similar to what the BSD porting systems use would be a possible solution to the trust issue. They automatically download AND check the keys of the files.

Right but how could I check the keys in ant?

Good question. I know it is good practice to post a patch with a suggestion like mine... but I've got two other mini projects half completed that I want to finish. ;-) Maybe before the end of the year, I could look into this (if someone else doesn't do it first).

-Kurt
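The "download AND check" approach proposed in this exchange, sketched as an added example that is not part of the original messages and is not Tomcat's or Ant's code: each source is tried in turn and a file is accepted only if it matches a digest pinned alongside the build file. Assumptions: the mirror host names, the `DISTINFO` layout and the in-memory `fake_fetch` are constructed for illustration, and a pinned SHA-256 digest stands in for the PGP key check mentioned above.

```python
import hashlib

# Constructed sample data: a stand-in for the tarball, not a real Apache file.
GOOD = b"constructed stand-in for jakarta-struts-1.1.tar.gz"
PATH = "jakarta/struts/binaries/jakarta-struts-1.1.tar.gz"
# Digest and size pinned in the source tree, like a ports "distinfo" entry
# (derived from GOOD here only so the example is self-contained).
DISTINFO = {PATH: {"sha256": hashlib.sha256(GOOD).hexdigest(), "size": len(GOOD)}}
# Hypothetical mirror hosts first; archive.apache.org is the fallback from the thread.
SOURCES = [
    "http://mirror-a.example/apache/",
    "http://mirror-b.example/apache/",
    "http://archive.apache.org/dist/",
]
FAKE_NET = {
    SOURCES[0] + PATH: GOOD + b" plus injected bytes",  # tampered copy
    SOURCES[2] + PATH: GOOD,  # mirror-b is absent: unreachable or not updated
}

def fake_fetch(url):
    """Offline stand-in for an HTTP GET; raises OSError like a failed download."""
    try:
        return FAKE_NET[url]
    except KeyError:
        raise OSError("unreachable: " + url) from None

def matches_pin(data, pin):
    """True only if both the size and the SHA-256 digest equal the pinned values."""
    return len(data) == pin["size"] and hashlib.sha256(data).hexdigest() == pin["sha256"]

def fetch_verified(path, sources, fetch, distinfo):
    """Return (data, url, rejected); raise if no source delivers the pinned file."""
    pin = distinfo[path]
    rejected = []
    for base in sources:
        url = base + path
        try:
            data = fetch(url)
        except OSError as exc:
            rejected.append((url, "download failed: %s" % exc))
            continue
        if matches_pin(data, pin):
            return data, url, rejected
        rejected.append((url, "checksum mismatch"))
    raise RuntimeError("no source delivered %s intact: %r" % (path, rejected))

if __name__ == "__main__":
    data, url, rejected = fetch_verified(PATH, SOURCES, fake_fetch, DISTINFO)
    print("accepted:", url)
    print("rejected:", rejected)
```

Because the digest travels with the source tree rather than with the mirror, a mirror that is stale, unreachable or serving altered bytes causes a fallback or a failed build instead of a silently different input.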
Re: [Fwd: Re: /www/www.apache.org/dyn/mirrors/mirrors.cgi]
Tetsuya Kitahata wrote:
On Tue, 07 Oct 2003 13:49:39 +0200 Remy Maucherat [EMAIL PROTECTED] wrote:

There is no guarantee that the binaries d/led are not corrupted on your random mirror, or haven't been tampered with, or if the mirror is available at all. This is for the build process, so mirrors are not a good solution.

If so, archive.apache.org would be better? (Seems that it would be against the policy of infrastructure team, though)

Yes. The download task is used to build the Tomcat, so we must be sure that the files we use to build it are reliable. Using archive.apache.org would allow us to build old versions of Tomcat: this is interesting for bug fixing.

---
Tetsuya Kitahata -- Terra-International, Inc.
E-mail: [EMAIL PROTECTED]
http://www.terra-intl.com/
Re: [Fwd: Re: /www/www.apache.org/dyn/mirrors/mirrors.cgi]
From: jean-frederic clere [EMAIL PROTECTED]
Tetsuya Kitahata wrote:
On Tue, 07 Oct 2003 13:49:39 +0200 Remy Maucherat [EMAIL PROTECTED] wrote:

There is no guarantee that the binaries d/led are not corrupted on your random mirror, or haven't been tampered with, or if the mirror is available at all. This is for the build process, so mirrors are not a good solution.

If so, archive.apache.org would be better? (Seems that it would be against the policy of infrastructure team, though)

Yes. The download task is used to build the Tomcat, so we must be sure that the files we use to build it are reliable. Using archive.apache.org would allow us to build old versions of Tomcat: this is interesting for bug fixing.

Doesn't this mean that anyone who tries to build Tomcat from source using the download task will not use the mirrors? If apache doesn't trust downloading from mirrors how would you expect users to trust them?

I guess a user would be willing to manually check the keys of one binary download, but would not be likely to check the keys of multiple downloads. Maybe a solution similar to what the BSD porting systems use would be a possible solution to the trust issue. They automatically download AND check the keys of the files.

-Kurt
Re: [Fwd: Re: /www/www.apache.org/dyn/mirrors/mirrors.cgi]
Hi,

On Mon, 06 Oct 2003 16:57:09 +0200 (Subject: [Fwd: Re: /www/www.apache.org/dyn/mirrors/mirrors.cgi]) jean-frederic clere [EMAIL PROTECTED] wrote:

After having some problems with the ant download task, I have thought of 2 ways to improve it.

1 - Use a mirror via a modified mirrors.cgi. For example use:
http://www.apache.org/dyn/NEW_closer.cgi/jakarta/struts/binaries/jakarta-struts-1.1.tar.gz
Instead of:
http://www.apache.org/dist/jakarta/struts/binaries/jakarta-struts-1.1.tar.gz

2 - Use the archive to make sure we will be able to rebuild old releases. For example:
http://archive.apache.org/dist/jakarta/struts/binaries/jakarta-struts-1.1.tar.gz

The first way needs a modified mirrors.cgi, therefore I have asked Joshua if it was possible to do it technically. The answer is yes :-) but that raises questions that need answers.

Comments?

IMHO, I would like to recommend the former one. (If any *perl-er*s or *python-ian*s are willing to create alternative cgi scripts :-)

You can download the original script (mirror.cgi) from site module, by the way. (FYI)

# site: /docs/dyn/closer.cgi
# site: /docs/dyn/mirrors/mirrors.cgi

I hope Joshua would be very cooperative to this. ;-)

Sincerely,

---
Tetsuya Kitahata -- Terra-International, Inc.
E-mail: [EMAIL PROTECTED]
http://www.terra-intl.com/
Re: [Fwd: Re: /www/www.apache.org/dyn/mirrors/mirrors.cgi]
On Tue, 07 Oct 2003 13:49:39 +0200 Remy Maucherat [EMAIL PROTECTED] wrote:

There is no guarantee that the binaries d/led are not corrupted on your random mirror, or haven't been tampered with, or if the mirror is available at all. This is for the build process, so mirrors are not a good solution.

If so, archive.apache.org would be better? (Seems that it would be against the policy of infrastructure team, though)

---
Tetsuya Kitahata -- Terra-International, Inc.
E-mail: [EMAIL PROTECTED]
http://www.terra-intl.com/
[Fwd: Re: /www/www.apache.org/dyn/mirrors/mirrors.cgi]
Hi,

After having some problems with the ant download task, I have thought of 2 ways to improve it.

1 - Use a mirror via a modified mirrors.cgi. For example use:
http://www.apache.org/dyn/NEW_closer.cgi/jakarta/struts/binaries/jakarta-struts-1.1.tar.gz
Instead of:
http://www.apache.org/dist/jakarta/struts/binaries/jakarta-struts-1.1.tar.gz

2 - Use the archive to make sure we will be able to rebuild old releases. For example:
http://archive.apache.org/dist/jakarta/struts/binaries/jakarta-struts-1.1.tar.gz

The first way needs a modified mirrors.cgi, therefore I have asked Joshua if it was possible to do it technically. The answer is yes :-) but that raises questions that need answers.

Comments?

Cheers

Jean-Frederic

---BeginMessage---
On Fri, 3 Oct 2003 [EMAIL PROTECTED] wrote:

Hi Joshua, I would like to know if there is a way with mirrors.cgi to get a redirect instead of a web page. In Tomcat we have an ant download task that downloads via http the jar file or tarball needed for subcomponents, unfortunately we get a web page instead of the expected file. Would it be possible to have a redirect instead of the web page?

I don't understand the requirement. Can you give me a specific example of how you want things to work? Can you show me how it works currently?

I'm guessing you mean that you want a URL that you can feed to ant that will return a redirect to a mirrored location for a file. This shouldn't be technically difficult. But I do see a couple little problems with that:

1. What if the mirror doesn't work (isn't updated, is broken, whatever)? What kind of fall-back would the downloader have? Currently, they can use the html page to choose another mirror.

2. We want to make it clear to downloaders that they are downloading from mirrors and not from apache.org. This is because it is the responsibility of the downloader to confirm the authenticity of the file. We do not check in any way that the mirrors are really delivering the file that they say they are. With the web-page system, they clearly see the URL that they are downloading from, while with a redirect it would be hidden.

Neither of these problems are insurmountable. But before any such change was made, you'd need to be sure that both your PMC and the infrastructure group are aware of these issues. Feel free to forward this email to start the discussion.

Joshua.
---End Message---