Posted to general@jakarta.apache.org by Jon Stevens <jo...@latchkey.com> on 2001/03/29 21:29:38 UTC

Re: Checksum for downloaded files

on 3/29/01 11:20 AM, "Ted Leung" <tw...@sauria.com> wrote:

> For some of the XML projects, we have been PGP signing the
> binaries - this includes Xerces, Xalan, but not all the projects are doing
> this.    It appears that not all the Jakarta projects are doing this either,
> since neither Ant, log4J, JMeter, James or Tomcat have .md5's.

Like I said: all the projects that I'm directly involved with. :-) I should
qualify that to say: "all the projects that I am directly involved with the
releases of".

> Perhaps
> it would be in *both* project's interests to provide either a .md5 or PGP
> signature for *all* their release binaries.  It would be even better if both
> projects adopted the same thing, to reduce user confusion.

PGP maybe (if someone signs the archive, that signature must be a signature
with a trust ring around it). So far, the XML/Jakarta projects do not have a
signature of that sort. Since we will be at ApacheCon in another few days, I
think running around and getting physical people to sign their key onto a
"Jakarta" and "XML" key would be a good idea. I will see about doing that
and will post another email announcing this intention later today.

We can then sign all of our binaries with those keys.

md5 yes (it doesn't need a signed trust ring, but does need to be mirrored
in order to be tamper-proof). Since that won't happen anytime soon, the
above PGP solution seems like a better idea.

-jon

-- 
If you come from a Perl or PHP background, JSP is a way to take
your pain to new levels. --Anonymous
<http://jakarta.apache.org/velocity/ymtd/ymtd.html>


---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@jakarta.apache.org
For additional commands, e-mail: general-help@jakarta.apache.org
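Jon's distinction above, that an .md5 only protects against tampering when it is served from somewhere the attacker cannot also rewrite, as an added Python example that is not part of the thread. The archive bytes, file name and .md5 contents are constructed for the demonstration.

```python
# Added example, not from the thread: a checksum file only detects tampering
# when it comes from a source the attacker cannot rewrite along with the archive.
import hashlib
import hmac

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def parse_md5sum_line(line: str) -> tuple[str, str]:
    """Parse one line in md5sum output format: '<hex>  <name>' or '<hex> *<name>'."""
    parts = line.split(None, 1)
    if len(parts) != 2:
        raise ValueError(f"malformed md5 line: {line!r}")
    digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"bad digest in md5 line: {line!r}")
    return digest, name

def verify_against_md5_file(archive: bytes, archive_name: str, md5_file: str) -> bool:
    """True only if the .md5 names this archive and its digest matches (constant-time compare)."""
    expected, name = parse_md5sum_line(md5_file)
    return name == archive_name and hmac.compare_digest(expected, md5_hex(archive))

# Constructed sample release and the .md5 the project would publish beside it.
ARCHIVE_NAME = "project-1.0.tar.gz"
GENUINE = b"PK\x03\x04 constructed genuine release archive"
GENUINE_MD5_FILE = f"{md5_hex(GENUINE)}  {ARCHIVE_NAME}\n"
# What a compromised mirror serves instead (constructed).
TAMPERED = b"PK\x03\x04 constructed archive with something extra"

def genuine_check() -> bool:
    return verify_against_md5_file(GENUINE, ARCHIVE_NAME, GENUINE_MD5_FILE)

def same_host_check() -> bool:
    """.md5 fetched from the same compromised host: whoever swapped the archive
    regenerated the checksum too, so the check passes and proves nothing."""
    regenerated = f"{md5_hex(TAMPERED)}  {ARCHIVE_NAME}\n"
    return verify_against_md5_file(TAMPERED, ARCHIVE_NAME, regenerated)

def separate_source_check() -> bool:
    """.md5 obtained from a host the attacker does not control: the swap is caught."""
    return verify_against_md5_file(TAMPERED, ARCHIVE_NAME, GENUINE_MD5_FILE)

if __name__ == "__main__":
    print("genuine archive, project .md5:        ", genuine_check())          # True
    print("tampered archive, .md5 from same host:", same_host_check())        # True
    print("tampered archive, .md5 from elsewhere:", separate_source_check())  # False
```

A detached PGP signature removes the dependence on where the checksum is hosted, since the verifier trusts a key rather than a mirror, which is why Jon prefers it. MD5 is no longer collision-resistant, so a project publishing checksums today would use SHA-256 or SHA-512 with the same mirroring caveat.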


Re: Checksum for downloaded files

Posted by Ted Leung <tw...@sauria.com>.
Cool.

And one more reason for me to be disappointed that I'm not
going to ApacheCon this year. :-(

Ted
----- Original Message -----
From: "Jon Stevens" <jo...@latchkey.com>
To: "Ted Leung" <tw...@sauria.com>; "Tom Gryder" <tw...@mitre.org>
Cc: <ge...@xml.apache.org>; <ge...@jakarta.apache.org>
Sent: Thursday, March 29, 2001 11:29 AM
Subject: Re: Checksum for downloaded files


> on 3/29/01 11:20 AM, "Ted Leung" <tw...@sauria.com> wrote:
>
> > For some of the XML projects, we have been PGP signing the
> > binaries - this includes Xerces, Xalan, but not all the projects are doing
> > this.    It appears that not all the Jakarta projects are doing this either,
> > since neither Ant, log4J, JMeter, James or Tomcat have .md5's.
>
> Like I said: all the projects that I'm directly involved with. :-) I should
> qualify that to say: "all the projects that I am directly involved with the
> releases of".
>
> > Perhaps
> > it would be in *both* project's interests to provide either a .md5 or PGP
> > signature for *all* their release binaries.  It would be even better if both
> > projects adopted the same thing, to reduce user confusion.
>
> PGP maybe (if someone signs the archive, that signature must be a signature
> with a trust ring around it). So far, the XML/Jakarta projects do not have a
> signature of that sort. Since we will be at ApacheCon in another few days, I
> think running around and getting physical people to sign their key onto a
> "Jakarta" and "XML" key would be a good idea. I will see about doing that
> and will post another email announcing this intention later today.
>
> We can then sign all of our binaries with those keys.
>
> md5 yes (it doesn't need a signed trust ring, but does need to be mirrored
> in order to be tamper proof). since that won't happen anytime soon, the
> above PGP solution seems like a better idea.
>
> -jon
>
> --
> If you come from a Perl or PHP background, JSP is a way to take
> your pain to new levels. --Anonymous
> <http://jakarta.apache.org/velocity/ymtd/ymtd.html>
>
>
> ---------------------------------------------------------------------
> In case of troubles, e-mail:     webmaster@xml.apache.org
> To unsubscribe, e-mail:          general-unsubscribe@xml.apache.org
> For additional commands, e-mail: general-help@xml.apache.org
>
