-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Derek,

I'm editing the CC list since I know Larry and Bernd are list subscribers.

> From: Derek Price
>
> Just a quick thought. I'm on the road and don't have time for more.
> I've had several complaints in the past that file downloads don't work
> from cvshome.org that turned out to be solved when cookies were enabled
> in the client.

If only it could be that simple!!

Cookies are enabled on my browser and I have confirmation of that since
the http://www.nytimes.com/ remembers who I am.

> Also, if this is a new client-related issue (not the cookie issue
> above), then why hasn't it cropped up until just now?

My answer to your question is, "I don't know."

I don't see a direct connection between any possible answer that refutes
the evidence now available and therefore don't understand the reasoning
behind the question.

=====================

I'll summarize the evidence now known:

Cases where downloading a binary "*.gz" downloads as "too large":

Reporter         Platform       Browser
Conrad Pino      Windows 2000   Internet Explorer 6
Conrad Pino      Windows 2000   Netscape 4.8

Cases where downloading a binary "*.gz" downloads as "correct size":

Reporter         Platform       Browser
Conrad Pino      Mac OS X       Safari 1.2.5
Conrad Pino      Mac OS X       Internet Explorer 5
Conrad Pino      Windows 2000   wget 1.9.1
Arno Schuring    Windows XP     FireFox 1.0
Todd Denniston   Linux 2.4.26   Mozilla/5.0

Cases where downloading a binary "*.gz" fails altogether:

Reporter         Platform       Browser
Arno Schuring    Windows XP     Internet Explorer 6 SP2

Cases where downloading a binary "*.gz.sig" fails or is zero size:

Reporter         Platform       Browser
Conrad Pino      Windows 2000   Internet Explorer 6
Conrad Pino      Windows 2000   Netscape 4.8
Conrad Pino      Mac OS X       Safari 1.2.5
Conrad Pino      Mac OS X       Internet Explorer 5
Arno Schuring    Windows XP     FireFox 1.0
Todd Denniston   Linux 2.4.26   Mozilla/5.0

Reporter         Platform / Browser Reported
Mäkeläinen Juha  IE version 6.0.2800.1106.xpsp2.040919-1003

Cases where downloading a binary "*.gz.sig" succeeds:

Reporter         Platform       Browser
Conrad Pino      Windows 2000   wget 1.9.1
Todd Denniston   Linux 2.4.26   Lynx 2.8.4rel.1

In cases tried so far Todd Denniston (1 case) and I (2 cases) are able to
verify PGP signatures when "*.gz" is correctly sized and "*.gz.sig" can be
downloaded.

Arno Schuring sent MD5 data for 7 files and I can confirm 4 of the 7 as
correct. I don't have reference MD5 data for:

3986d5a825cfb82436e7934b4bf71287 *cvs-1.11.18-AIX.gz
e07f84dceb46e0b5a8a12dabd648d8e1 *cvs-1.11.18-HP.gz
f91de7cbed9dedb794b078ee32a0ebf4 *cvs-1.11.18-SUN.gz

which are files posted by Larry.

And let's not forget the "too large" and bad "*.gz.sig" behaviors are
specific to CVS Home only.

These behaviors are NOT universal on CVS Home. They only affect specific
file types, file extensions and/or specific download areas.

Source tar balls aren't affected. Windows binary file area isn't affected.

=====================

IMHO the accumulating evidence is pointing AWAY from a compromised system
and TOWARDS an unreliable download system.

=====================

Here are the policy questions I have that I'd like to see addressed:

1. What's the point of maintaining a binary download area if we can't
   provide a reasonably convenient method to authenticate the files?

   All I'm saying is what we have in place today isn't working for a VERY
   popular browser and a VERY popular platform.

   Yes, I have the latest patches for both platform and browser.

   Yes, I have virus scanned ALL my systems with freshly updated Norton
   and TrendMicro virus scanners.

2. Assuming we delete "*.gz.sig" files from the binary areas, how do we
   explain to users what to expect of downloaded content?

   Internet Explorer 6 downloads an uncompressed file whose size matches
   the expected uncompressed size and compares with the uncompressed
   original.

   Netscape 4.8 downloads an apparently uncompressed file whose size DOES
   NOT match the expected uncompressed size. The Windows 2000 "comp"
   utility reports different size files as different so I can't easily
   certify the content.

   I don't want to spend time testing and documenting all platform and
   browser combinations known to man and computer!

3. Do we publish MD5 data for compressed and uncompressed versions?

   Neither of the above will work with Netscape 4.8 since what it
   downloads isn't correctly sized.

4. Do we tell the world we will support downloads only with tightly
   specified platform / browser sets?

5. Collab Net donates hosting services and this issue represents an
   additional burden. Does the value of binary downloads to the CVS
   community warrant the additional work required of Collab Net?

=====================

> Regards,

Ditto,

> Derek

Conrad

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBQfgbL7NM28ubzTo9EQKRCwCgoH2zrd4PswGukot6X5eIUMZ8VQ8AoNJg
6HnszharwpSe08reurt7othW
=nC9T
-----END PGP SIGNATURE-----
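Policy question 3 in the message above, as an added example that is not part of the original message or of the CVS project: a Python check that compares the bytes a client actually saved against published MD5 values for both the compressed and the uncompressed file, so an unpacked or resized download is told apart from an intact one. The function names, verdict labels and sample payload are assumptions constructed for illustration.

```python
import gzip
import hashlib
import zlib

GZIP_MAGIC = b"\x1f\x8b"


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def classify_download(saved, published_gz_md5, published_raw_md5):
    """Classify the bytes a client saved against both published MD5 values."""
    if not saved:
        return "empty"                      # zero-size download
    got = md5_hex(saved)
    if got == published_gz_md5:
        return "intact"                     # detached signature should verify
    if got == published_raw_md5:
        return "decompressed"               # client unpacked the gzip itself
    if saved[:2] == GZIP_MAGIC:
        try:
            inner = gzip.decompress(saved)
        except (OSError, EOFError, zlib.error):
            return "corrupt"                # gzip header, unusable stream
        if md5_hex(inner) == published_raw_md5:
            return "recompressed"           # right content, different container
    return "mismatch"                       # matches neither published value


def demo():
    # Constructed sample data standing in for a release binary.
    raw = b"constructed sample binary\n" * 64
    gz = gzip.compress(raw, mtime=0)
    pub_gz, pub_raw = md5_hex(gz), md5_hex(raw)
    cases = {
        "intact_gz": gz,
        "uncompressed": raw,
        "wrong_size": raw + b"\x00" * 17,
        "zero_size": b"",
        "truncated": gz[: len(gz) // 2],
        "recompressed": gzip.compress(raw, compresslevel=1, mtime=1),
    }
    return {k: classify_download(v, pub_gz, pub_raw) for k, v in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13} {verdict}")
```

Only the "intact" verdict means a detached "*.gz.sig" made over the compressed file can be expected to verify; "decompressed" and "recompressed" carry the right content in a form the signature does not cover.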
