Yep, we definitely need to just directly point people the location at apache.org where they can find the hashes. I just updated the release notes and downloads page to point to that site.
I just wanted to point out that mirroring these through a CDN seems philosophically the same as mirroring through Apache, since in neither case do we expect the users to trust the artifact they download. We just need to be more explicit that we are, indeed, mirroring and explain that the trusted root is at apache.org - Patrick On Wed, Sep 25, 2013 at 3:56 PM, Roman Shaposhnik <[email protected]> wrote: > On Wed, Sep 25, 2013 at 3:48 PM, Patrick Wendell <[email protected]> wrote: >> Hey we've actually distributed our artifacts through amazon cloudfront >> in the past (and that is where the website links redirect to). >> >> Since the apache mirrors don't distribute signatures anyways, > > True, but apache dist does. IOW, it is not uncommon for those > having an automated build/fetching systems to get bits from > one of the mirrors and then get the hashes directly from dist. > > In your current case, I don't think I know of a way to do that. > > Now, you may say that the current CDN you guys are you using > is functioning like a mirror -- well, I'd say that it needs to be > called out like one then. > > Otherwise, as a naive user I *really* have to guess where > to get the hashes. > >> what is the difference between linking to an apache mirror vs using a more >> robust CDN? If people want to verify the downloads they need to go to >> the apache root in either case. >> >> Is this just a cultural thing or is there some security reason? > > A bit of both I guess. > > Thanks, > Roman.
