On Fri, May 4, 2012 at 1:02 PM, Roberto Galoppini <rgalopp...@geek.net> wrote: > On Fri, May 4, 2012 at 6:55 PM, Rob Weir <robw...@apache.org> wrote: >> On Fri, May 4, 2012 at 12:47 PM, Dave Fisher <dave2w...@comcast.net> wrote: >>> >>> On May 4, 2012, at 9:40 AM, Rob Weir wrote: >>> >>>> On Fri, May 4, 2012 at 12:16 PM, Fernando Cassia <fcas...@gmail.com> wrote: >>>>> On Fri, May 4, 2012 at 12:46 PM, Dave Fisher <dave2w...@comcast.net> >>>>> wrote: >>>>> >>>>>> I think we should offer mappings and have this page definitely download >>>>>> via the Apache mirrors. I know what to do to make this work with the >>>>>> Apache >>>>>> mirror cgi. >>>>> >>>>> >>>>> I think I had read somewhere about Apache choosing to use SourceForge's >>>>> network of mirrors around the world for distribution? >>>>> >>> >>> That is correct for the www.openoffice.org/download/ main download page. >>> >>> The legacy 3.3 binaries should continue to be available from the >>> MirrorBrain network. >>> >>> A portion of the Apache Mirrors will also seed AOO. The page being >>> discussed here is on the project site at >>> incubator.apache.org/openofficeorg/. This page will serve through the >>> Apache Mirrors. The mirror operators are seeding these large binaries and >>> we need to use those as well. >>> >> >> No. no. no. We're trying to reduce the number of places where >> download logic lives. If we have a download link for AOO on the >> incubator page it should just point to the download.openoffice.org. > > My understanding from past conversations on the binaries topic is that > we'll have SourceForge serving binaries, and MirrorBrain serving > updates. This will make easy to track downloads and have meaningful > stats. >
And Apache mirrors serving source code tarbars and SDK downloads. And Apache /dist serving the hashes for verification Does anyone object to that as the plan? -Rob > Roberto > > >>>> A distribution consists of several pieces: >>>> >>>> 1) The binaries, i.e., the install images. These are served up via >>>> SourceForge >>>> >>>> 2) The source tarballs -- These could go out via Apache mirror network >>>> if we want. Or SourceForge. Is will be very low volume in either >>>> case. >>> >>> I'm for doing Source and SDK on the Apache Mirrors. >>> >>>> >>>> 3) The detached signatures and hashes, For these we must link our >>>> page to the Apache copies on /dist. This is an essential part of the >>>> verification model. This is how the user is protected against a rogue >>>> mirror operator or a "man-in-the-middle" attack, They can always >>>> verify their download against the authoritative hashes and signature >>>> on the Apache server. >>> >>> This is a key point and should probably be a separate thread. >>> >>> Regards, >>> Dave >>> >>> >>> >>>> >>>> -Rob >>>> >>>>> FC >>>>> -- >>>>> During times of Universal Deceit, telling the truth becomes a >>>>> revolutionary >>>>> act >>>>> Durante épocas de Engaño Universal, decir la verdad se convierte en un >>>>> Acto >>>>> Revolucionario >>>>> - George Orwell >>> > > -- > ==== > This e- mail message is intended only for the named recipient(s) above. It > may contain confidential and privileged information. If you are not the > intended recipient you are hereby notified that any dissemination, > distribution or copying of this e-mail and any attachment(s) is strictly > prohibited. If you have received this e-mail in error, please immediately > notify the sender by replying to this e-mail and delete the message and any > attachment(s) from your system. Thank you. >