[jira] Closed: (FELIX-726) MD5 checksum handling issue with Felix download pages/mirrors

["Carsten Ziegeler (JIRA)" <ji...@apache.org>]

     [ https://issues.apache.org/jira/browse/FELIX-726?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Carsten Ziegeler closed FELIX-726.
----------------------------------


New site is live.

> MD5 checksum handling issue with Felix download pages/mirrors
> -------------------------------------------------------------
>
>                 Key: FELIX-726
>                 URL: https://issues.apache.org/jira/browse/FELIX-726
>             Project: Felix
>          Issue Type: Bug
>         Environment: http://felix.apache.org/site/downloads.cgi
>            Reporter: Olaf Kock
>            Assignee: Carsten Ziegeler
>
> Hi there,
> I understand MD5 checksums as means to detect if the file that I've just downloaded is a) complete and b) the one I expected to download. While I never check a) unless I get an error unpacking, b) is very important.
> As Apache is relying heavily on mirrors, I'd like to have to trust Apache but I can't trust every mirror server. As the MD5 sums that are linked on the download server point to the mirrors themselves, this is of no value. I'd rather like them to point to the central Apache server. The few bytes for the checksums shouldn't matter much.
> Compromised mirrors would make it easy to exchange the downloaded file together with their MD5 sum - this would be somewhat more difficult to discover than getting the MD5 from an authoritative source.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.