Re: download pages rethink

2004-07-19 Thread Henning Schmiedehausen
I keep the keys that I've used to sign the releases that I have done on
a floppy disk away from any networked system. If you have the sign keys
on an Apache server and if these servers ever get hacked (and it _will_
happen), then you have compromised the whole chain of trust. 

I very much prefer to keep the signing keys away from networked
infrastructure.

Regards
Henning


On Sun, 2004-07-18 at 01:32, Howard Lewis Ship wrote:
> I wish we could get away from PGP keys (though I understand it helps
> limit liability). It tends to be a decidedly manual step, and error
> prone.  I generate my PGP keys on my local machine and upload, it
> might be easier if I could figure out how to get my GnuPG key
> translated to a PGP key compatible with the tools on
> jakarta.apache.org, so I could sign the files there.
> 
> On Sat, 17 Jul 2004 12:25:20 +0100, robert burrell donkin
> <[EMAIL PROTECTED]> wrote:
> > On 15 Jul 2004, at 20:51, Stefan Bodewig wrote:
> > 
> > 
> > 
> > > BTW, I just now realized that we have a couple of releases that are
> > > neither PGP signed nor accompanied by MD5 hashes, this should be
> > > strongly discouraged IMHO.  In particular since Ant supports
> > > generation of MD5 hashes for a few years now - and so does Maven.
> > 
> > +1
> > 
> > i'm not sure what can be done about it, though. maybe the pmc could
> > insist that all new releases have sums and signatures.
> > 
> > > Finally I'd move the section about archived builds to the bottom as
> > > well.  Thinking about it, I should probably mock up a design to show
> > > what I mean, will do so next week unless I get shot down before 8-)
> > >
> > 
> > cool.
> > 
> > i've been playing around with tables so maybe i'll post up a mock
> > somewhere too.
> > 
> > - robert
> > 
> > 
> > 
> > 
> > -
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> > 
> > 
-- 
Dipl.-Inf. (Univ.) Henning P. Schmiedehausen  INTERMETA GmbH
[EMAIL PROTECTED]   +49 9131 50 654 0   http://www.intermeta.de/
 
RedHat Certified Engineer -- Jakarta Turbine Development  -- hero for hire
   Linux, Java, perl, Solaris -- Consulting, Training, Development

"Fighting for one's political stand is an honorable action, but re-
 fusing to acknowledge that there might be weaknesses in one's
 position - in order to identify them so that they can be remedied -
 is a large enough problem with the Open Source movement that it
 deserves to be on this list of the top five problems."
   --Michelle Levesque, "Fundamental Issues with
Open Source Software Development"





Re: download pages rethink

2004-07-19 Thread Stefan Bodewig
On Thu, 15 Jul 2004, Noel J. Bergman <[EMAIL PROTECTED]> wrote:

>> I tend to disagree with your assertion that PGP signatures are less
>> important than MD5 signatures.  But then again, given how badly
>> connected the PGP keys used to sign most Jakarta releases are, you
>> are probably correct.  A signature by a key that hasn't been signed
>> by anybody else isn't much better than a MD5 hash.
> 
> Perhaps, but PGP signatures are better,

See my first sentence in the paragraph you quoted 8-)

> and there are things happening to improve the ASF WoT, such as our own
> CA server.

Yep, but right now they are not really better than MD5 hashes.

Stefan




Re: download pages rethink

2004-07-18 Thread robert burrell donkin
On 18 Jul 2004, at 01:03, Noel J. Bergman wrote:
> robert burrell donkin wrote:
>> IMO signatures are more important (than md5 sums) for the ASF and
>> less important for users. md5 sums are quick and easy to understand.
>
> If we were ever hacked, MD5 sums could be replaced without detection.  That
> cannot be done with PGP keys, and we have had people e-mail our security
> folks when they cannot locate the key for checking.  I'd sooner have files
> uploaded signed, and generate the MD5s locally if missing.

+1

the added security is more than worth the small amount of additional
effort required from release managers.

we need better documentation, though, both for release managers and
users. there used to be some reasonably good pages on the old wiki. is
there any consensus about where the right place for this kind of
information is?

>> what would be useful is a list of fingerprints for code signing keys on
>> the website. it would also give an extra independent security layer.
>
> We have KEYS, which is supposed to have the public key, and we have a new
> server in the UK that is supposed to provide certificate based services for
> the ASF.

it'll be cool when that's up and running.

i'd like to encourage those who verify signatures for downloads to
check fingerprints for the key from a page whose contents are stored in
CVS and ideally download the keys from an independent public key
server. IMHO having key fingerprints in CVS and available on the web
would make it much more likely that any compromise of the KEYS files
will be detected before too much harm is done.

- robert
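
The two points made above, that a .md5 file swapped together with the archive still passes its own check while a fingerprint list held outside KEYS exposes an injected key, as an added Python sketch that is not part of this thread or any ASF tooling; the KEYS layout follows what gpg prints, and every key id, fingerprint, address and archive below is a constructed sample value.

```python
import hashlib
import re

# Constructed sample KEYS file in the layout the ASF KEYS files use: the
# "gpg --list-keys --fingerprint" lines for each release key, each followed
# by its ASCII-armored public key block (elided in this sample). All key
# ids, fingerprints and addresses below are made-up sample values.
KEYS_FILE = """\
pub  1024D/0A1B2C3D 2004-01-01 Release Manager One <rm1@example.invalid>
     Key fingerprint = 1111 2222 3333 4444 5555  6666 7777 8888 0A1B 2C3D
-----BEGIN PGP PUBLIC KEY BLOCK-----
(armored key omitted in this sample)
-----END PGP PUBLIC KEY BLOCK-----
pub  1024D/4E5F6A7B 2004-03-01 Release Manager Two <rm2@example.invalid>
     Key fingerprint = AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 4E5F 6A7B
-----BEGIN PGP PUBLIC KEY BLOCK-----
(armored key omitted in this sample)
-----END PGP PUBLIC KEY BLOCK-----
"""

# The independent fingerprint list: kept in version control and published
# on a separate page, so an edit to KEYS alone does not change it.
TRUSTED_FINGERPRINTS = {
    "111122223333444455556666777788880A1B2C3D",
    "AAAABBBBCCCCDDDDEEEEFFFF000011114E5F6A7B",
}

FPR_RE = re.compile(r"Key fingerprint\s*=\s*([0-9A-Fa-f ]+)")

def fingerprints_in_keys(keys_text):
    """Fingerprints listed in a KEYS file, normalized to 40 upper-case hex chars."""
    return {re.sub(r"\s+", "", m.group(1)).upper() for m in FPR_RE.finditer(keys_text)}

def audit_keys(keys_text, trusted):
    """Compare KEYS with the trusted list; anything in one but not the other is suspect."""
    found = fingerprints_in_keys(keys_text)
    return {"unknown": sorted(found - trusted), "missing": sorted(trusted - found)}

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def md5_matches(data, published_hex):
    """The check a user does with a .md5 file; it trusts wherever that file came from."""
    return md5_hex(data) == published_hex.strip().lower()

RELEASE_ORIGINAL = b"original release archive (constructed)"
RELEASE_TAMPERED = b"modified release archive (constructed)"

def demo():
    # 1. Someone who can write to the server replaces the archive and its
    #    .md5 together: the hash check passes, so the swap goes unnoticed.
    md5_passes = md5_matches(RELEASE_TAMPERED, md5_hex(RELEASE_TAMPERED))
    # 2. The same person appends their own key to KEYS so their signature
    #    would verify; auditing KEYS against the separate list flags it.
    rogue = ("pub  1024D/DEADBEEF 2004-07-18 Rogue Key <rogue@example.invalid>\n"
             "     Key fingerprint = 9999 8888 7777 6666 5555  4444 3333 2222 DEAD BEEF\n")
    report = audit_keys(KEYS_FILE + rogue, TRUSTED_FINGERPRINTS)
    return md5_passes, report
```

The same audit run against the real KEYS file and a fingerprint page checked out of CVS is the detection step the post asks for; an MD5 obtained out of band (not from the same server as the archive) still catches case 1.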


Re: download pages rethink

2004-07-18 Thread robert burrell donkin
On 18 Jul 2004, at 04:14, Henri Yandell wrote:
> While a single page is necessary for the casual browser, why would a user
> of Tomcat, who wants to download Tomcat 5, want to go to a list of many
> other subprojects?
>
> http://www.apache.org/dyn/closer.cgi/maven/binaries/maven-1.0.zip
>
> seems to be far more of what a user would want to see. However, it should
> also have the keys/signatures for that file. I'm pretty sure these aren't
> mirrored, so should be easy to modify closer.cgi.

yep

copies of the keys, sums and signatures are mirrored but users need to
check the ones from minotaur. in terms of changes needed to closer.cgi,
i'd definitely like to see the md5 sum on the page (rather than a link)
with links to the KEYS and signature downloads but should be reasonably
easy if we decide to go down this route.

- robert


Re: download pages rethink

2004-07-17 Thread Henri Yandell

While a single page is necessary for the casual browser, why would a user
of Tomcat, who wants to download Tomcat 5, want to go to a list of many
other subprojects?

http://www.apache.org/dyn/closer.cgi/maven/binaries/maven-1.0.zip

seems to be far more of what a user would want to see. However, it should
also have the keys/signatures for that file. I'm pretty sure these aren't
mirrored, so should be easy to modify closer.cgi.

Then each subproject can manage a simple page with the lists of their
distributions.

As the actual download page will mention keys/signatures, the project-list
page merely has to mention that the keys/signatures can be found on the
download page.

My only grumble is with:

http://maven.apache.org/start/download.html

It doesn't indicate that the link goes to a mirrored download page, but
suggests that clicking on said link will download. This means users will
right-click and do Save-As on some occasions. Sourceforge has a similar
problem.

Sorry for how long it took to reply,

Hen

On Sun, 11 Jul 2004, robert burrell donkin wrote:

> i've created a document on the wiki
> (http://wiki.apache.org/jakarta/InfrastructureIssues/WebSite/
> DownloadPages). i'm happy for discussion to continue on this list but i
> thought that it might be useful to have a base document.
>
> comment encouraged :)
>
> - robert
>
>
>





Re: download pages rethink

2004-07-17 Thread Henri Yandell

I was originally signing packages on the Apache server (as I wasn't used
to installing PGP on machines I setup for dev work). It was recommended
repeatedly that I get them off as it is a risk to the quality of the
authentication.

Hen

On Sat, 17 Jul 2004, Howard Lewis Ship wrote:

> I wish we could get away from PGP keys (though I understand it helps
> limit liability). It tends to be a decidedly manual step, and error
> prone.  I generate my PGP keys on my local machine and upload, it
> might be easier if I could figure out how to get my GnuPG key
> translated to a PGP key compatible with the tools on
> jakarta.apache.org, so I could sign the files there.
>
> On Sat, 17 Jul 2004 12:25:20 +0100, robert burrell donkin
> <[EMAIL PROTECTED]> wrote:
> > On 15 Jul 2004, at 20:51, Stefan Bodewig wrote:
> >
> > 
> >
> > > BTW, I just now realized that we have a couple of releases that are
> > > neither PGP signed nor accompanied by MD5 hashes, this should be
> > > strongly discouraged IMHO.  In particular since Ant supports
> > > generation of MD5 hashes for a few years now - and so does Maven.
> >
> > +1
> >
> > i'm not sure what can be done about it, though. maybe the pmc could
> > insist that all new releases have sums and signatures.
> >
> > > Finally I'd move the section about archived builds to the bottom as
> > > well.  Thinking about it, I should probably mock up a design to show
> > > what I mean, will do so next week unless I get shot down before 8-)
> > >
> >
> > cool.
> >
> > i've been playing around with tables so maybe i'll post up a mock
> > somewhere too.
> >
> > - robert
> >
> >
> >
> >
> >
> >
>
>
> --
> Howard M. Lewis Ship
> Independent J2EE / Open-Source Java Consultant
> Creator, Jakarta Tapestry
> Creator, Jakarta HiveMind
> http://howardlewisship.com
>
>





RE: download pages rethink

2004-07-17 Thread Noel J. Bergman
robert burrell donkin wrote:
> IMO signatures are more important (than md5 sums) for the ASF and
> less important for users. md5 sums are quick and easy to understand.

If we were ever hacked, MD5 sums could be replaced without detection.  That
cannot be done with PGP keys, and we have had people e-mail our security
folks when they cannot locate the key for checking.  I'd sooner have files
uploaded signed, and generate the MD5s locally if missing.

> what would be useful is a list of fingerprints for code signing keys on
> the website. it would also give an extra independent security layer.

We have KEYS, which is supposed to have the public key, and we have a new
server in the UK that is supposed to provide certificate based services for
the ASF.

--- Noel





Re: download pages rethink

2004-07-17 Thread Howard Lewis Ship
I wish we could get away from PGP keys (though I understand it helps
limit liability). It tends to be a decidedly manual step, and error
prone.  I generate my PGP keys on my local machine and upload, it
might be easier if I could figure out how to get my GnuPG key
translated to a PGP key compatible with the tools on
jakarta.apache.org, so I could sign the files there.

On Sat, 17 Jul 2004 12:25:20 +0100, robert burrell donkin
<[EMAIL PROTECTED]> wrote:
> On 15 Jul 2004, at 20:51, Stefan Bodewig wrote:
> 
> 
> 
> > BTW, I just now realized that we have a couple of releases that are
> > neither PGP signed nor accompanied by MD5 hashes, this should be
> > strongly discouraged IMHO.  In particular since Ant supports
> > generation of MD5 hashes for a few years now - and so does Maven.
> 
> +1
> 
> i'm not sure what can be done about it, though. maybe the pmc could
> insist that all new releases have sums and signatures.
> 
> > Finally I'd move the section about archived builds to the bottom as
> > well.  Thinking about it, I should probably mock up a design to show
> > what I mean, will do so next week unless I get shot down before 8-)
> >
> 
> cool.
> 
> i've been playing around with tables so maybe i'll post up a mock
> somewhere too.
> 
> - robert
> 
> 
> 
> 
> 
> 


-- 
Howard M. Lewis Ship
Independent J2EE / Open-Source Java Consultant
Creator, Jakarta Tapestry
Creator, Jakarta HiveMind
http://howardlewisship.com




Re: download pages rethink

2004-07-17 Thread robert burrell donkin
On 15 Jul 2004, at 20:51, Stefan Bodewig wrote:
> BTW, I just now realized that we have a couple of releases that are
> neither PGP signed nor accompanied by MD5 hashes, this should be
> strongly discouraged IMHO.  In particular since Ant supports
> generation of MD5 hashes for a few years now - and so does Maven.

+1

i'm not sure what can be done about it, though. maybe the pmc could
insist that all new releases have sums and signatures.

> Finally I'd move the section about archived builds to the bottom as
> well.  Thinking about it, I should probably mock up a design to show
> what I mean, will do so next week unless I get shot down before 8-)

cool.

i've been playing around with tables so maybe i'll post up a mock
somewhere too.

- robert


Re: download pages rethink

2004-07-17 Thread robert burrell donkin
On 15 Jul 2004, at 21:31, Noel J. Bergman wrote:
>> I tend to disagree with your assertion that PGP signatures are less
>> important than MD5 signatures.  But then again, given how badly
>> connected the PGP keys used to sign most Jakarta releases are, you
>> are probably correct.  A signature by a key that hasn't been signed
>> by anybody else isn't much better than a MD5 hash.
>
> Perhaps, but PGP signatures are better, and there are things happening to
> improve the ASF WoT, such as our own CA server.

PGP signatures and md5 sums are both important.

but IMO signatures are more important (than md5 sums) for the ASF and
less important for users. md5 sums are quick and easy to understand.
they can be checked without installing and configuring complex software
on most platforms. the results are clear. signatures (on the other
hand) require the installation and configuration of sophisticated
software. a level of understanding of the concepts is required before
signatures can be verified effectively. (judging from personal emails
to me from users) unless users are already familiar and comfortable
with PGP signatures, they are far more likely to successfully check a md5
sum on a download than a signature. so, i'd say that MD5 sums are the
technology we should be pushing.

what would be useful is a list of fingerprints for code signing keys on
the website. it would also give an extra independent security layer.

- robert


Re: download pages rethink

2004-07-17 Thread robert burrell donkin

> BTW, is the page generated using XSLT or Anakia? Or are both used?

anakia (which limits the options)

- robert


Re: download pages rethink

2004-07-16 Thread Sebastian Bazley
- Original Message - 
From: "Stefan Bodewig" <[EMAIL PROTECTED]>
To: "Jakarta General List" <[EMAIL PROTECTED]>
Sent: Thursday, July 15, 2004 8:51 PM
Subject: Re: download pages rethink


> On Sun, 11 Jul 2004, robert burrell donkin
> <[EMAIL PROTECTED]> wrote:
> 
[...]

> The tabular view you envision may really be more appropriate than the
> long list we have right now.  I wouldn't link the project names to the
> KEYS files, though, at least to me the connection wouldn't be obvious.
> 

[That was me, not Robert ...]

The connection could be made obvious with some text at the beginning, 
e.g. "click on the project name to select its KEYS"
but a separate column is perhaps better.

Could perhaps introduce some new tags to organise the downloads section?
Then the presentation could be readily changed. 
And this could make the page easier to maintain.

Something like:








WDYT?

BTW, is the page generated using XSLT or Anakia? Or are both used?

S.




RE: download pages rethink

2004-07-15 Thread Noel J. Bergman
> I tend to disagree with your assertion that PGP signatures are less
> important than MD5 signatures.  But then again, given how badly
> connected the PGP keys used to sign most Jakarta releases are, you
> are probably correct.  A signature by a key that hasn't been signed
> by anybody else isn't much better than a MD5 hash.

Perhaps, but PGP signatures are better, and there are things happening to
improve the ASF WoT, such as our own CA server.

--- Noel





Re: download pages rethink

2004-07-15 Thread Stefan Bodewig
On Sun, 11 Jul 2004, robert burrell donkin
<[EMAIL PROTECTED]> wrote:

> i'm happy for discussion to continue on this list

I feel more comfortable doing so, but that may be a personal thing.
Discussions need the use of "I" to stick to a name, and the Wiki
really doesn't make this easy.

I tend to disagree with your assertion that PGP signatures are less
important than MD5 signatures.  But then again, given how badly
connected the PGP keys used to sign most Jakarta releases are, you are
probably correct.  A signature by a key that hasn't been signed by
anybody else isn't much better than a MD5 hash.

BTW, I just now realized that we have a couple of releases that are
neither PGP signed nor accompanied by MD5 hashes, this should be
strongly discouraged IMHO.  In particular since Ant supports
generation of MD5 hashes for a few years now - and so does Maven.

Instead of shortening the section by moving PGP, I'd rather move the
whole section to the bottom of the page and just link it from the top
(see the Ant page for an example).

But this is hardly the only text at the top of the page that could
easily be moved in order to make the actual download links more
prominent.

The description of the various types of downloads we provide could
appear at the individual sections - so we don't talk about milestone
and test builds to people who are really just interested in the
"latest thing".

We don't need to point to the news page/sites at all IMHO, that's
inside the navigation anyway.  And people who are interested in
announcements will find the mailing list page by following the link in
the navigation as well.

Finally I'd move the section about archived builds to the bottom as
well.  Thinking about it, I should probably mock up a design to show
what I mean, will do so next week unless I get shot down before 8-)

The tabular view you envision may really be more appropriate than the
long list we have right now.  I wouldn't link the project names to the
KEYS files, though, at least to me the connection wouldn't be obvious.

Stefan
-- 
http://stefanbodewig.blogger.de/




download pages rethink

2004-07-11 Thread robert burrell donkin
i've created a document on the wiki  
(http://wiki.apache.org/jakarta/InfrastructureIssues/WebSite/ 
DownloadPages). i'm happy for discussion to continue on this list but i  
thought that it might be useful to have a base document.

comment encouraged :)
- robert