On Wed, Sep 25, 2013 at 3:48 PM, Patrick Wendell <[email protected]> wrote: > Hey we've actually distributed our artifacts through amazon cloudfront > in the past (and that is where the website links redirect to). > > Since the apache mirrors don't distribute signatures anyways,
True, but apache dist does. IOW, it is not uncommon for those having an automated build/fetching systems to get bits from one of the mirrors and then get the hashes directly from dist. In your current case, I don't think I know of a way to do that. Now, you may say that the current CDN you guys are you using is functioning like a mirror -- well, I'd say that it needs to be called out like one then. Otherwise, as a naive user I *really* have to guess where to get the hashes. > what is the difference between linking to an apache mirror vs using a more > robust CDN? If people want to verify the downloads they need to go to > the apache root in either case. > > Is this just a cultural thing or is there some security reason? A bit of both I guess. Thanks, Roman.
