Re: download pages rethink

2004-07-19 Thread Stefan Bodewig
On Thu, 15 Jul 2004, Noel J. Bergman <[EMAIL PROTECTED]> wrote:

>> I tend to disagree with your assertion that PGP signatures are less
>> important than MD5 signatures.  But then again, given how badly
>> connected the PGP keys used to sign most Jakarta releases are, you
>> are probably correct.  A signature by a key that hasn't been signed
>> by anybody else isn't much better than a MD5 hash.
> 
> Perhaps, but PGP signatures are better,

See my first sentence in the paragraph you quoted 8-)

> and there are things happening to improve the ASF WoT, such as our own
> CA server.

Yep, but right now they are not really better than MD5 hashes.

Stefan

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
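A worked check of the distinction Stefan draws, added here as an example (it is not code from any of the posts or from an Apache project): it verifies a download against its published .md5 file in both layouts that were common at the time (Ant's bare digest and the md5sum "digest  filename" line), then asks whether the key that signed the release has any chain of key signatures back to a key the verifier already trusts. The artifact bytes, key ids and the signature graph are all constructed for illustration; the cryptographic signature check itself is assumed to have been done with gpg outside this script, and only the signer key id it reported is fed in.

```python
# Added example for this thread, not code from the original posts or from any
# Apache project.  Everything here is constructed: the artifact bytes, the
# key ids and the signature graph are invented for illustration.
import hashlib
from collections import deque

# Stand-in for a downloaded release tarball (constructed).
ARTIFACT = b"jakarta-example-1.0.tar.gz (constructed contents)\n"


def parse_md5_file(text):
    """Return the lowercase hex digest from a .md5 file.

    Accepts both layouts seen beside release downloads: a bare digest (what
    Ant's <checksum> task writes) and the md5sum layout "<digest>  <file>".
    """
    lines = [l for l in text.splitlines() if l.strip()]
    if not lines:
        raise ValueError("empty .md5 file")
    digest = lines[0].split()[0].lower()
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not an MD5 digest: %r" % lines[0])
    return digest


def md5_matches(data, md5_text):
    """True if the artifact bytes hash to the digest published in md5_text."""
    return hashlib.md5(data).hexdigest() == parse_md5_file(md5_text)


def make_md5_file(data, name):
    """What md5sum would publish for `data` (used here to build sample input)."""
    return "%s  %s\n" % (hashlib.md5(data).hexdigest(), name)


def trust_path(signatures, trusted_roots, signer, max_hops=5):
    """Shortest chain of key signatures from a trusted root to `signer`.

    `signatures` maps a key id to the set of key ids it has signed.  Returns
    the list of key ids along the chain, or None when `signer` cannot be
    reached within `max_hops` signatures.  A key that nobody has signed has
    no inbound edge and can never be reached, which is Stefan's point above.
    """
    if signer in trusted_roots:
        return [signer]
    queue = deque([root] for root in trusted_roots)
    seen = set(trusted_roots)
    while queue:
        path = queue.popleft()
        if len(path) - 1 >= max_hops:
            continue
        for nxt in signatures.get(path[-1], ()):
            if nxt in seen:
                continue
            candidate = path + [nxt]
            if nxt == signer:
                return candidate
            seen.add(nxt)
            queue.append(candidate)
    return None


def assess_release(data, md5_text, signatures, trusted_roots, signer=None):
    """Summarise what the hash and the signature actually establish.

    `signer` is the key id that a successful cryptographic signature check
    (gpg --verify, assumed to have been run outside this example) reported,
    or None when the release ships with a hash only.
    """
    result = {
        "md5_ok": md5_matches(data, md5_text),
        "trust_path": None if signer is None
        else trust_path(signatures, trusted_roots, signer),
    }
    if not result["md5_ok"]:
        result["verdict"] = "reject: bytes do not match the published hash"
    elif signer is None:
        result["verdict"] = "hash only: integrity of this copy, no provenance"
    elif result["trust_path"] is None:
        result["verdict"] = "unconnected key: signature adds little over the hash"
    else:
        result["verdict"] = "key reachable from a trusted root in %d hops" % (
            len(result["trust_path"]) - 1)
    return result


# Constructed web of trust: ROOT-ALICE is a key the verifier trusts directly.
SIGNATURES = {
    "ROOT-ALICE": {"BOB"},
    "BOB": {"CAROL"},
    "CAROL": {"RELEASE-MGR"},
    # "LONE-KEY" appears nowhere as a value: nobody has signed it.
}
TRUSTED_ROOTS = {"ROOT-ALICE"}

if __name__ == "__main__":
    published = make_md5_file(ARTIFACT, "jakarta-example-1.0.tar.gz")
    for signer in (None, "LONE-KEY", "RELEASE-MGR"):
        r = assess_release(ARTIFACT, published, SIGNATURES, TRUSTED_ROOTS, signer)
        print("%-12s md5_ok=%s path=%s -> %s"
              % (signer, r["md5_ok"], r["trust_path"], r["verdict"]))
```

The three runs in the `__main__` block correspond to the three situations in the thread: a release with a hash only, a release signed by a key nobody else has signed (which the script rates no better than the hash, since both the .md5 file and the lone key would come from the same server), and a release signed by a key with a signature chain back to a trusted root.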



Re: download pages rethink

2004-07-19 Thread Henning Schmiedehausen
I keep the keys that I've used to sign the releases that I have done on
a floppy disk away from any networked system. If you have the sign keys
on an Apache server and if these servers ever get hacked (and it _will_
happen), then you have compromised the whole chain of trust. 

I very much prefer to keep the signing keys away from networked
infrastructure.

Regards
Henning


On Sun, 2004-07-18 at 01:32, Howard Lewis Ship wrote:
> I wish we could get away from PGP keys (though I understand it helps
> limit liability). It tends to be a decidedly manual step, and error
> prone.  I generate my PGP keys on my local machine and upload; it
> might be easier if I could figure out how to get my GnuPG key
> translated to a PGP key compatible with the tools on
> jakarta.apache.org, so I could sign the files there.
> 
> On Sat, 17 Jul 2004 12:25:20 +0100, robert burrell donkin
> <[EMAIL PROTECTED]> wrote:
> > On 15 Jul 2004, at 20:51, Stefan Bodewig wrote:
> > 
> > > BTW, I just now realized that we have a couple of releases that are
> > > neither PGP signed nor accompanied by MD5 hashes; this should be
> > > strongly discouraged IMHO.  In particular since Ant has supported
> > > generation of MD5 hashes for a few years now - and so does Maven.
> > 
> > +1
> > 
> > i'm not sure what can be done about it, though. maybe the pmc could
> > insist that all new releases have sums and signatures.
> > 
> > > Finally I'd move the section about archived builds to the bottom as
> > > well.  Thinking about it, I should probably mock up a design to show
> > > what I mean, will do so next week unless I get shot down before 8-)
> > >
> > 
> > cool.
> > 
> > i've been playing around with tables so maybe i'll post up a mock
> > somewhere too.
> > 
> > - robert
-- 
Dipl.-Inf. (Univ.) Henning P. Schmiedehausen  INTERMETA GmbH
[EMAIL PROTECTED]   +49 9131 50 654 0   http://www.intermeta.de/
 
RedHat Certified Engineer -- Jakarta Turbine Development  -- hero for hire
   Linux, Java, perl, Solaris -- Consulting, Training, Development

"Fighting for one's political stand is an honorable action, but
 refusing to acknowledge that there might be weaknesses in one's
 position - in order to identify them so that they can be remedied -
 is a large enough problem with the Open Source movement that it
 deserves to be on this list of the top five problems."
   --Michelle Levesque, "Fundamental Issues with
     Open Source Software Development"





[Jakarta Wiki] Updated: JakartaBoardReport-July2004

2004-07-19 Thread general
   Date: 2004-07-19T09:34:27
   Editor: DanielSavarese <[EMAIL PROTECTED]>
   Wiki: Jakarta Wiki
   Page: JakartaBoardReport-July2004
   URL: http://wiki.apache.org/jakarta/JakartaBoardReport-July2004

   no comment

Change Log:

--
@@ -116,9 +116,15 @@
 
 Lucene 1.4 Final has been released.
 
- ORO ** 
+ ORO 
 
-The ORO list was largely quiet over the last quarter.
+Pattern matching engine factories were added in response to needs expressed
+by Commons, including a wrapper for J2SE 1.4 java.util.regex.  Also, subpackages
+were separated out into separate jars for users who need only one pattern matching
+engine and are sensitive to jar file size.  A combined jar with everything is still
+provided as users fall into two camps on this issues.  More discussion of ORO has
+occurred on commons-dev than on oro-dev recently.  There's no ETA for the next
+release, which will probably be version 2.1.
 
  POI 
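Review bot: typo in the added ORO paragraph, `provided as users fall into two camps on this issues.` should read `on this issue`. The heading change from `- ORO **` to `+ ORO ` drops the trailing `**`, which matches the ` POI ` heading in the trailing context, so that part looks intentional; the new `+ ORO ` line does keep a trailing space that the other heading also carries.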
 
