Hey Matei yep they have the signatures on them too.

Cheers,
Chris

-----Original Message-----
From: Matei Zaharia <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Thursday, September 26, 2013 8:11 PM
To: "[email protected]" <[email protected]>
Subject: Re: Spark 0.8.0: bits need to come from ASF infrastructure

>Maybe we can replace the link to "official Apache download site" in the
>release notes to point to the mirrors? Do the mirrors all have signatures
>on them too?
>
>Matei
>
>On Sep 26, 2013, at 10:59 PM, Andy Konwinski <[email protected]> wrote:
>
>> Thanks Roman and Chris,
>>
>> I see here http://www.apache.org/dev/release.html#mirroring that "Project
>> download pages must link to the mirrors" but I don't see anything about
>> ordering.
>>
>> I'm definitely +1 for including a link to the apache mirrors as required
>> and providing the Cloudfront link first since this seems to satisfy the
>> apache requirements and provide a better experience for users.
>>
>> Patrick. Thanks again for all your hard work on this release and for
>> pushing back on parts of the Apache process as you go. That's how
>> do-ocracies stay healthy and evolve.
>> On Sep 26, 2013 7:23 PM, "Mattmann, Chris A (398J)" <[email protected]> wrote:
>>
>>> Hi Patrick will reply in more detail later but please know that linking to
>>> the apache download page is not a request it's a requirement. I will
>>> explain more in a bit.
>>>
>>> Cheers,
>>> Chris
>>>
>>> Sent from my iPhone
>>>
>>> On Sep 26, 2013, at 8:09 PM, "Patrick Wendell" <[email protected]> wrote:
>>>
>>>> Chris et al,
>>>>
>>>> I'm -1 on this because it has many negative consequences for our
>>>> existing users:
>>>>
>>>> 1. Users who do automated downloads based on our posted URLs (of
>>>> which we get many thousands each release) will no longer work. Now if
>>>> they do "wget XXX" with our posted link, it will fail in a weird way
>>>> due to the redirect page. Is there a version of the closer.cgi
>>>> script which just performs 302 redirects instead of asking me to click
>>>> on a link?
>>>>
>>>> 2. All other users have to click through an additional page to
>>>> download the software.
>>>>
>>>> 3. Amazon Cloudfront is, as a whole, much more reliable and higher
>>>> bandwidth than the mirror network.
>>>>
>>>> These are my concerns, that basically we're causing our users to have
>>>> a much worse experience. I've identified these concerns with moving to
>>>> the apache mirror, but perhaps I've overlooked some benefits that
>>>> would counteract these. Are there benefits?
>>>>
>>>> I completely agree that we need to send users to the signatures and
>>>> hashes at the Apache release site (to verify the release). So I did
>>>> add the link to this directly adjacent to the download.
>>>>
>>>> - Patrick
>>>>
>>>> On Thu, Sep 26, 2013 at 3:50 PM, Chris Mattmann <[email protected]> wrote:
>>>>> Hey Guys,
>>>>>
>>>>> Yep the link should be the dyn/closer.cgi link on the website and +1
>>>>> to Roman's comment about auditing spark-project.org links to be replaced
>>>>> with ASF counterparts.
>>>>>
>>>>> Cheers,
>>>>> Chris
>>>>>
>>>>> -----Original Message-----
>>>>> From: Patrick Wendell <[email protected]>
>>>>> Reply-To: "[email protected]" <[email protected]>
>>>>> Date: Wednesday, September 25, 2013 4:08 PM
>>>>> To: "[email protected]" <[email protected]>
>>>>> Subject: Re: Spark 0.8.0: bits need to come from ASF infrastructure
>>>>>
>>>>>> Yep, we definitely need to just directly point people to the location at
>>>>>> apache.org where they can find the hashes. I just updated the release
>>>>>> notes and downloads page to point to that site.
>>>>>>
>>>>>> I just wanted to point out that mirroring these through a CDN seems
>>>>>> philosophically the same as mirroring through Apache, since in neither
>>>>>> case do we expect the users to trust the artifact they download. We
>>>>>> just need to be more explicit that we are, indeed, mirroring and
>>>>>> explain that the trusted root is at apache.org
>>>>>>
>>>>>> - Patrick
>>>>>>
>>>>>> On Wed, Sep 25, 2013 at 3:56 PM, Roman Shaposhnik <[email protected]> wrote:
>>>>>>> On Wed, Sep 25, 2013 at 3:48 PM, Patrick Wendell <[email protected]>
>>>>>>> wrote:
>>>>>>>> Hey we've actually distributed our artifacts through amazon cloudfront
>>>>>>>> in the past (and that is where the website links redirect to).
>>>>>>>>
>>>>>>>> Since the apache mirrors don't distribute signatures anyways,
>>>>>>>
>>>>>>> True, but apache dist does. IOW, it is not uncommon for those
>>>>>>> having an automated build/fetching systems to get bits from
>>>>>>> one of the mirrors and then get the hashes directly from dist.
>>>>>>>
>>>>>>> In your current case, I don't think I know of a way to do that.
>>>>>>>
>>>>>>> Now, you may say that the current CDN you guys are using
>>>>>>> is functioning like a mirror -- well, I'd say that it needs to be
>>>>>>> called out like one then.
>>>>>>>
>>>>>>> Otherwise, as a naive user I *really* have to guess where
>>>>>>> to get the hashes.
>>>>>>>
>>>>>>>> what is the difference between linking to an apache mirror vs using a
>>>>>>>> more robust CDN? If people want to verify the downloads they need to
>>>>>>>> go to the apache root in either case.
>>>>>>>>
>>>>>>>> Is this just a cultural thing or is there some security reason?
>>>>>>>
>>>>>>> A bit of both I guess.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Roman.
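
The pattern discussed in the thread (bits from a mirror or CDN, hashes from the trusted root at apache.org) as an added example; it is not part of the thread or of any Apache tooling. The trusted host name, file name, URL path, sample bytes and the choice of SHA-256 are assumptions constructed for illustration, and the parser goes beyond the thread by handling the common digest-file layouts.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Assumption: host treated as the trusted root for digests (illustrative).
TRUSTED_DIGEST_HOSTS = {"www.apache.org"}

def digest_source_is_trusted(url):
    """Accept a digest file only if it came over HTTPS from the trusted root."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in TRUSTED_DIGEST_HOSTS

def parse_digest(text, filename, hex_len=64):
    """Return the lowercase hex digest recorded for `filename`, or None.
    Layouts: bare hex, coreutils ("<hex>  <name>"), and gpg --print-md
    ("<name>: AB12CD34 ...", possibly wrapped over several lines)."""
    candidates = []
    if filename + ":" in text:
        candidates.append(re.sub(r"\s+", "", text.split(filename + ":", 1)[1]))
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 1:
            candidates.append(fields[0])
        elif len(fields) == 2 and fields[1].lstrip("*") == filename:
            candidates.append(fields[0])
    for cand in candidates:
        cand = cand.lower()
        if len(cand) == hex_len and re.fullmatch(r"[0-9a-f]+", cand):
            return cand
    return None  # fail closed: a digest listed for another file is not used

def verify_download(artifact, digest_url, digest_text, filename):
    """Check bytes from a mirror or CDN against a digest from the trusted root."""
    if not digest_source_is_trusted(digest_url):
        return "untrusted-digest-source"
    expected = parse_digest(digest_text, filename)
    if expected is None:
        return "no-digest-for-file"
    actual = hashlib.sha256(artifact).hexdigest()
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"

# Constructed sample data: stand-in artifact bytes and digest files for them.
NAME = "example-release.tgz"
ARTIFACT = b"constructed release bytes\n"
HEX = hashlib.sha256(ARTIFACT).hexdigest()
COREUTILS_TEXT = f"{HEX}  {NAME}\n"
GPG_TEXT = f"{NAME}: " + " ".join(HEX.upper()[i:i + 8] for i in range(0, 64, 8)) + "\n"
DIGEST_URL = "https://www.apache.org/dist/example/" + NAME + ".sha256"  # placeholder
```

A digest check of this kind gives integrity only as far as the digest fetch itself is authenticated; verifying the detached signature that the thread also mentions is the stronger check.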
