How about we include the signatures in the source distros?  That way
if you trust your source, then you can trust the dependencies it
downloads.

On Thu, Sep 18, 2008 at 12:22 PM, Craig L Russell <[EMAIL PROTECTED]> wrote:
>
> On Sep 17, 2008, at 5:32 PM, Henning Schmiedehausen wrote:
>
>> The only way around that I can see right away in a heavily mirrored
>> system, is to pull the signatures (and probably even the checksums) from
>> central all the time. Which represents a single point of failure and a
>> non-scaling element.
>>
> I do understand the single point of failure, which means that if Apache
> central happens to be down, users cannot get to the signatures.
>
> But I don't see the scaling problem. I understand that to download an
> artifact that's more than 200 bytes, you really need mirrors to relieve the
> burden on Apache central. But I'd guess that our central server could handle
> a few hundred (thousand?) xxx.asc file downloads per minute, far in excess
> of the load.
>
> To me, the only place to store .asc files for all artifacts is in central.
> Not maven central, and not mirrors.
>
> Craig
>
> Craig L Russell
> Architect, Sun Java Enterprise System http://db.apache.org/jdo
> 408 276-5638 mailto:[EMAIL PROTECTED]
> P.S. A good JDO? O, Gasp!
>
>



-- 
Regards,
Hiram

Blog: http://hiramchirino.com

Open Source SOA
http://open.iona.com

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
