[ https://issues.apache.org/jira/browse/FELIX-726?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Carsten Ziegeler closed FELIX-726.
----------------------------------
New site is live.
> MD5 checksum handling issue with Felix download pages/mirrors
> -------------------------------------------------------------
>
> Key: FELIX-726
> URL: https://issues.apache.org/jira/browse/FELIX-726
> Project: Felix
> Issue Type: Bug
> Environment: http://felix.apache.org/site/downloads.cgi
> Reporter: Olaf Kock
> Assignee: Carsten Ziegeler
>
> Hi there,
> I understand MD5 checksums as a means to detect if the file that I've just
> downloaded is a) complete and b) the one I expected to download. While I
> never check a) unless I get an error unpacking, b) is very important.
> As Apache is relying heavily on mirrors, I'd like to have to trust Apache but
> I can't trust every mirror server. As the MD5 sums that are linked on the
> download server point to the mirrors themselves, this is of no value. I'd
> rather like them to point to the central Apache server. The few bytes for the
> checksums shouldn't matter much.
> Compromised mirrors would make it easy to exchange the downloaded file
> together with their MD5 sum - this would be somewhat more difficult to
> discover than getting the MD5 from an authoritative source.
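
The check the reporter asks for, as an added example that is not part of the issue or of Apache's tooling: the artifact may come from any mirror, but the checksum is accepted only from one authoritative host. The host name, the https requirement, the URLs and the byte strings are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Assumption: the single host trusted to publish checksums (not named in the issue).
AUTHORITATIVE_HOST = "www.apache.org"

def parse_checksum(text):
    """Extract the digest from 'hex', 'hex  file' or 'MD5 (file) = hex' layouts."""
    match = re.search(r"\b[0-9a-fA-F]{32,128}\b", text)
    if match is None:
        raise ValueError("no hex digest found in checksum file")
    return match.group(0).lower()

def verify(artifact, checksum_url, fetch_text, algorithm="md5"):
    """True only if artifact matches a digest fetched from the authoritative host.
    fetch_text is a caller-supplied callable (url -> str), so this runs offline."""
    url = urlsplit(checksum_url)
    if url.scheme != "https" or url.hostname != AUTHORITATIVE_HOST:
        raise ValueError(f"refusing checksum from non-authoritative source: {checksum_url}")
    expected = parse_checksum(fetch_text(checksum_url))
    actual = hashlib.new(algorithm, artifact).hexdigest()
    return hmac.compare_digest(expected, actual)

# Constructed sample data: a release, and what a compromised mirror serves instead.
RELEASE = b"genuine release bytes"
SWAPPED = b"replaced release bytes"
ORIGIN_URL = "https://www.apache.org/dist/felix/example-1.0.0.jar.md5"  # constructed
MIRROR_URL = "https://mirror.example.net/felix/example-1.0.0.jar.md5"   # constructed
SERVED = {
    ORIGIN_URL: hashlib.md5(RELEASE).hexdigest() + "  example-1.0.0.jar\n",
    MIRROR_URL: hashlib.md5(SWAPPED).hexdigest() + "  example-1.0.0.jar\n",
}

def fake_fetch(url):
    return SERVED[url]

def demo():
    out = {"genuine_vs_origin": verify(RELEASE, ORIGIN_URL, fake_fetch),
           "swapped_vs_origin": verify(SWAPPED, ORIGIN_URL, fake_fetch)}
    # The case from the issue: swapped file and mirror-hosted checksum agree.
    out["swapped_vs_mirror_sum"] = (
        parse_checksum(fake_fetch(MIRROR_URL)) == hashlib.md5(SWAPPED).hexdigest())
    try:
        verify(SWAPPED, MIRROR_URL, fake_fetch)
        out["mirror_checksum_source"] = "accepted"
    except ValueError:
        out["mirror_checksum_source"] = "refused"
    return out

if __name__ == "__main__":
    print(demo())
```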