You are viewing a plain text version of this content. The canonical link for it is here.

Posted to infrastructure-dev@apache.org by David Crossley <cr...@apache.org> on 2008/11/28 03:19:56 UTC

Re: cleanup of /www/www.apache.org/dist/*

Henk P. Penning wrote:
[snip]
>   Please help infrastructure and our mirrors to keep things
>   running smoothly, and clean up 'previous' versions, like
>   the other top-level-projects. For an overview, see
> 
>     http://people.apache.org/~henkp/tlps/
> 
>   If you have any questions, don't hesitate to mail me.

Thanks Henk, for your initiative with such tools and your
followup with individual projects.

Would it be possible for your tool to summarise at
the level of each KEYS file rather than just the top-level?
For example, "incubator" and "xml" and "ws" etc. would
then have more relevant detail.

-David

Keys, Was: cleanup of /www/www.apache.org/dist/*

Posted by Aristedes Maniatis <ar...@ish.com.au>.

On 28/11/2008, at 6:42 PM, Henk P. Penning wrote:

>    wouldn't it be nice to have a formal description of the
>    ((sub-)sub-)project structure, sitting in a database,
>    instead of trying to glean this info from '/dist/' ?
>
>    also, the KEYS file setup stinks imho ; for a proposal
>    to improve things, see
>
>      http://people.apache.org/~henkp/trust/

Should the storage of these keys be considered as part of the LDAP  
project underway now? It seems logical to keep identity information  
for each committer in the one place and if that place is going to be  
LDAP... They could still be published automatically to https://apache.org 
... for public consumption.

> The KEYS, .md5, .sig and .asc files are distributed to the mirrors.  
> I think it serves no useful purpose. It would be easy to have them  
> in /dist/ and not distribute  them to the mirrors (exclude them in  
> rsyncd.conf).

I'd go further: it is actually quite detrimental to have these files  
mirrored since there is not the level of control over mirrors that  
there is over apache.org, and if someone wanted to inject fake files  
into a mirror, they also just need to change the MD5, etc files. But  
if the general public were used to finding signatures and hashes at https://apache.org/something 
  then they build a level of trust that that location is authentic.

Ari Maniatis

-------------------------->
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001   fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A

Re: cleanup of /www/www.apache.org/dist/*

Posted by David Crossley <cr...@apache.org>.

Henk P. Penning wrote:
> David Crossley wrote:
> >
> >Would it be possible for your tool to summarise at
> >the level of each KEYS file rather than just the top-level?
> >For example, "incubator" and "xml" and "ws" etc. would
> >then have more relevant detail.
> 
> David,
> 
>   there are now 169 KEYS files ; see
> 
>     http://people.apache.org/~henkp/checker/md5.html
> 
>   I think that's a little too much detail ; some projects
>   keep KEYS files deep in the tree, on the version level,
>   for example tomcat.

Yeah, i thought it would not be simple, but glad
that i asked.

>   I'll see what I can do ; maybe report (per project) on
>   the highest level where a KEYS files is found.
> 
>   Hobby horse:
> 
>     wouldn't it be nice to have a formal description of the
>     ((sub-)sub-)project structure, sitting in a database,
>     instead of trying to glean this info from '/dist/' ?

Yes. Perhaps we could have a data file which defines
a general structure which would fit most existing
projects. It could enable the others to define different
paths to their dists.

These data would be utilised by various emerging infra tools.

>     also, the KEYS file setup stinks imho ; for a proposal
>     to improve things, see
> 
>       http://people.apache.org/~henkp/trust/

Keep suggesting. It will gather steam.

> >-David
> 
>   HPP
> 
> ----------------------------------------------------------------   _
> Henk P. Penning, Computer Systems Group       R Uithof CGN-A232  _/ \_
> Dept of Computer Science, Utrecht University  T +31 30 253 4106 / \_/ \
> Padualaan 14, 3584CH Utrecht, the Netherlands F +31 30 253 2804 \_/ \_/
> http://people.cs.uu.nl/henkp/                 M penning@cs.uu.nl  \_/

Re: cleanup of /www/www.apache.org/dist/*

Posted by "Henk P. Penning" <he...@cs.uu.nl>.

On Fri, 28 Nov 2008, David Crossley wrote:

> Date: Fri, 28 Nov 2008 13:19:56 +1100
> From: David Crossley <cr...@apache.org>
> To: infrastructure-dev@apache.org
> Cc: Henk P. Penning <he...@cs.uu.nl>
> Subject: Re: cleanup of /www/www.apache.org/dist/*
> 
> Henk P. Penning wrote:
> [snip]

> Would it be possible for your tool to summarise at
> the level of each KEYS file rather than just the top-level?
> For example, "incubator" and "xml" and "ws" etc. would
> then have more relevant detail.

David,

   there are now 169 KEYS files ; see

     http://people.apache.org/~henkp/checker/md5.html

   I think that's a little too much detail ; some projects
   keep KEYS files deep in the tree, on the version level,
   for example tomcat.

   I'll see what I can do ; maybe report (per project) on
   the highest level where a KEYS files is found.

   Hobby horse:

     wouldn't it be nice to have a formal description of the
     ((sub-)sub-)project structure, sitting in a database,
     instead of trying to glean this info from '/dist/' ?

     also, the KEYS file setup stinks imho ; for a proposal
     to improve things, see

       http://people.apache.org/~henkp/trust/

> -David

   HPP

----------------------------------------------------------------   _
Henk P. Penning, Computer Systems Group       R Uithof CGN-A232  _/ \_
Dept of Computer Science, Utrecht University  T +31 30 253 4106 / \_/ \
Padualaan 14, 3584CH Utrecht, the Netherlands F +31 30 253 2804 \_/ \_/
http://people.cs.uu.nl/henkp/                 M penning@cs.uu.nl  \_/