Nick wrote:
> The MD5 should always come from the authoritative source (apache.org)
> using https.

I'm not sure if all environments (JVMs) have HTTPS available. In a somewhat perfect world we'd try HTTPS and if it failed try HTTP, unless some 'minimum security' was requested. I think we'll have to experiment and experience this area over time/iterations.

> How are we going to know what the "authoritative" source for a resource
> is.
> For java we could enforce a reverse domain name.

Four things:

1) Repository URI/URL is what it is (whatever it is) and the URL for the MD5 ought be the URL for the resources plus ".md5" on the end.

2) As current Ruper thinking (coding) goes ... Mirrors ought mirror the hierarchy, so wherever a resource is in the repo, the .md5 ought be next to it, and the original .md5 ought be in exactly the same relative position (just relative to an apache root).

3) Mirroring is kinda hacked into Ruper right now, it silently moves the root of a repository (originally set relative to the mirror locator CGI script) to one such mirror. As such Ruper doesn't really know about mirrors.

4) We probably need to rethink current thinking... ;-)

regards,

Adam
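The checksum lookup discussed in this message, as an added example that is not part of the original post and not Ruper's code: a resource fetched from a mirror is mapped to the ".md5" at the same relative path under the authoritative root, HTTPS is required unless the caller relaxes it, and the downloaded bytes are checked against that file. The function names, the mirror host and the "/dist/" root path are assumptions made for illustration.

```python
import hashlib
import hmac
import re
from urllib.parse import unquote, urlsplit

_HEX32 = re.compile(r"\b[0-9a-fA-F]{32}\b")


def authoritative_md5_url(resource_url, mirror_root, authoritative_root,
                          allow_http=False):
    """Same relative path as on the mirror, under the authoritative root,
    with ".md5" appended (points 1 and 2 of the message)."""
    if not (mirror_root.endswith("/") and authoritative_root.endswith("/")):
        raise ValueError("roots must end with '/'")
    if not resource_url.startswith(mirror_root):
        raise ValueError("resource is not under the mirror root")
    rel = resource_url[len(mirror_root):]
    # Reject an empty path and any segment that climbs out of the root,
    # including percent-encoded "..".
    if not rel or ".." in unquote(rel).split("/"):
        raise ValueError("bad relative path")
    scheme = urlsplit(authoritative_root).scheme
    # The 'minimum security' switch: plain HTTP only when explicitly allowed.
    if scheme != "https" and not (allow_http and scheme == "http"):
        raise ValueError("checksum must be fetched over https")
    return authoritative_root + rel + ".md5"


def parse_md5_file(text):
    """Accept a bare digest or the 'digest  filename' layout."""
    match = _HEX32.search(text)
    if match is None:
        raise ValueError("no MD5 digest found")
    return match.group(0).lower()


def verify(data, md5_text):
    """Compare the digest of the mirror's bytes with the authoritative one."""
    actual = hashlib.md5(data).hexdigest()
    return hmac.compare_digest(actual, parse_md5_file(md5_text))


if __name__ == "__main__":
    # Constructed sample values; the mirror host and paths are not from the thread.
    url = authoritative_md5_url(
        "http://mirror.example.net/apache/ant/ant-1.5.jar",
        "http://mirror.example.net/apache/",
        "https://www.apache.org/dist/")
    print(url)
    print(verify(b"hello", "5d41402abc4b2a76b9719d911017c592  hello.txt"))
```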