Hey Guys,

Yep the link should be the dyn/closer.cgi link on the website and +1 to Roman's comment about auditing spark-project.org links to be replaced with ASF counterparts.

Cheers,
Chris

-----Original Message-----
From: Patrick Wendell <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Wednesday, September 25, 2013 4:08 PM
To: "[email protected]" <[email protected]>
Subject: Re: Spark 0.8.0: bits need to come from ASF infrastructure

>Yep, we definitely need to just directly point people to the location at
>apache.org where they can find the hashes. I just updated the release
>notes and downloads page to point to that site.
>
>I just wanted to point out that mirroring these through a CDN seems
>philosophically the same as mirroring through Apache, since in neither
>case do we expect the users to trust the artifact they download. We
>just need to be more explicit that we are, indeed, mirroring and
>explain that the trusted root is at apache.org
>
>- Patrick
>
>On Wed, Sep 25, 2013 at 3:56 PM, Roman Shaposhnik <[email protected]> wrote:
>> On Wed, Sep 25, 2013 at 3:48 PM, Patrick Wendell <[email protected]> wrote:
>>> Hey we've actually distributed our artifacts through amazon cloudfront
>>> in the past (and that is where the website links redirect to).
>>>
>>> Since the apache mirrors don't distribute signatures anyways,
>>
>> True, but apache dist does. IOW, it is not uncommon for those
>> having an automated build/fetching systems to get bits from
>> one of the mirrors and then get the hashes directly from dist.
>>
>> In your current case, I don't think I know of a way to do that.
>>
>> Now, you may say that the current CDN you guys are using
>> is functioning like a mirror -- well, I'd say that it needs to be
>> called out like one then.
>>
>> Otherwise, as a naive user I *really* have to guess where
>> to get the hashes.
>>
>>> what is the difference between linking to an apache mirror vs using a more
>>> robust CDN? If people want to verify the downloads they need to go to
>>> the apache root in either case.
>>>
>>> Is this just a cultural thing or is there some security reason?
>>
>> A bit of both I guess.
>>
>> Thanks,
>> Roman.
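
The workflow discussed in the thread above (bits from a mirror or CDN, hashes from the trusted root), as an added Python example that is not part of the original messages or of any Apache tooling. The file name, sample bytes and both checksum files are constructed, and SHA-512 is an assumed algorithm choice.

```python
import hashlib
import hmac
import re


def parse_digest(digest_text, filename):
    """Return the lowercase hex digest recorded for `filename`.

    Accepts two common checksum-file layouts:
      sha512sum style:      "<hex>  <filename>"
      gpg --print-md style: "<filename>: ABCD1234 ABCD1234 ..." (may wrap)
    """
    text = digest_text.strip()
    m = re.match(r"^([^:\n]+):\s*([0-9A-Fa-f\s]+)$", text)
    if m:
        if m.group(1).strip() != filename:
            raise ValueError("digest is for a different file")
        return re.sub(r"\s+", "", m.group(2)).lower()
    for line in text.splitlines():
        parts = line.split(None, 1)
        # A leading "*" on the name marks binary mode in sha512sum output.
        if len(parts) == 2 and parts[1].strip().lstrip("*") == filename:
            return parts[0].lower()
    raise ValueError("no digest found for " + filename)


def verify_artifact(artifact, digest_text, filename, algo="sha512"):
    """Check bytes from an untrusted mirror against the trusted digest."""
    expected = parse_digest(digest_text, filename)
    actual = hashlib.new(algo, artifact).hexdigest()
    # Constant-time comparison; a length mismatch simply returns False.
    return hmac.compare_digest(expected, actual)


# Constructed sample data: stand-ins for a mirror download and for the
# checksum file that would be fetched from the trusted root.
NAME = "example-release.tgz"  # hypothetical file name
ARTIFACT = b"constructed bytes standing in for a release tarball\n"
_hex = hashlib.sha512(ARTIFACT).hexdigest()
SUM_STYLE = _hex + "  " + NAME + "\n"
_groups = [_hex[i:i + 8].upper() for i in range(0, len(_hex), 8)]
GPG_STYLE = NAME + ": " + " ".join(_groups[:8]) + "\n    " + " ".join(_groups[8:]) + "\n"

if __name__ == "__main__":
    print(verify_artifact(ARTIFACT, SUM_STYLE, NAME))         # untouched copy
    print(verify_artifact(ARTIFACT + b"x", GPG_STYLE, NAME))  # altered copy
```

The check is only as strong as the channel the checksum file came over, so the digest text has to be fetched from the trusted root and never from the same mirror as the artifact.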
