[RELEASE]: download page on the AOO project webpage
Hi, we want probably a download link/page on our Apache project page http://incubator.apache.org/openofficeorg/ For example in the navigation bar About Downloads License ... On this page I would propose that we link to the src release packages and a second section for the binaries where we simply link to the download page on www.openoffice.org I am currently preparing a downloads.mdtext file and it should look a little bit like the src dev snaphot build page http://people.apache.org/~jsc/developer-snapshots/src_releases/srcrelease.html Any ideas, comments or opinions Juergen
Re: [RELEASE]: download page on the AOO project webpage
Hi, On May 4, 2012, at 4:10 AM, Jürgen Schmidt wrote: Hi, we want probably a download link/page on our Apache project page http://incubator.apache.org/openofficeorg/ I was planning to do something similar, but $job and RSI has intruded. For example in the navigation bar About Downloads License ... On this page I would propose that we link to the src release packages and a second section for the binaries where we simply link to the download page on www.openoffice.org I think we should offer mappings and have this page definitely download via the Apache mirrors. I know what to do to make this work with the Apache mirror cgi. I am currently preparing a downloads.mdtext file and it should look a little bit like the src dev snaphot build page http://people.apache.org/~jsc/developer-snapshots/src_releases/srcrelease.html Sure. Any ideas, comments or opinions I think that in the mdtext rather than using [1] numeric links you should use links that are descriptive eg. [cur_mac_en_us] I did a bunch of CMS documentation at work using tags like this and it works well. Point me to your downloads.mdtext when you are ready and I'll enhance. Over time we should be able to make the CMS generate the table and links from an XML or tab delimited table of what's currently available. Best Regards, Dave Juergen
Re: [RELEASE]: download page on the AOO project webpage
On Fri, May 4, 2012 at 12:46 PM, Dave Fisher dave2w...@comcast.net wrote: I think we should offer mappings and have this page definitely download via the Apache mirrors. I know what to do to make this work with the Apache mirror cgi. I think I had read somewhere about Apache choosing to use SourceForge's network of mirrors around the world for distribution? FC -- During times of Universal Deceit, telling the truth becomes a revolutionary act Durante épocas de Engaño Universal, decir la verdad se convierte en un Acto Revolucionario - George Orwell
Re: [RELEASE]: download page on the AOO project webpage
On Fri, May 4, 2012 at 12:16 PM, Fernando Cassia fcas...@gmail.com wrote: On Fri, May 4, 2012 at 12:46 PM, Dave Fisher dave2w...@comcast.net wrote: I think we should offer mappings and have this page definitely download via the Apache mirrors. I know what to do to make this work with the Apache mirror cgi. I think I had read somewhere about Apache choosing to use SourceForge's network of mirrors around the world for distribution? A distribution consists of several pieces: 1) The binaries, i.e., the install images. These are served up via SourceForge 2) The source tarballs -- These could go out via Apache mirror network if we want. Or SourceForge. Is will be very low volume in either case. 3) The detached signatures and hashes, For these we must link our page to the Apache copies on /dist. This is an essential part of the verification model. This is how the user is protected against a rogue mirror operator or a man-in-the-middle attack, They can always verify their download against the authoritative hashes and signature on the Apache server. -Rob FC -- During times of Universal Deceit, telling the truth becomes a revolutionary act Durante épocas de Engaño Universal, decir la verdad se convierte en un Acto Revolucionario - George Orwell
Re: [RELEASE]: download page on the AOO project webpage
On May 4, 2012, at 9:40 AM, Rob Weir wrote: On Fri, May 4, 2012 at 12:16 PM, Fernando Cassia fcas...@gmail.com wrote: On Fri, May 4, 2012 at 12:46 PM, Dave Fisher dave2w...@comcast.net wrote: I think we should offer mappings and have this page definitely download via the Apache mirrors. I know what to do to make this work with the Apache mirror cgi. I think I had read somewhere about Apache choosing to use SourceForge's network of mirrors around the world for distribution? That is correct for the www.openoffice.org/download/ main download page. The legacy 3.3 binaries should continue to be available from the MirrorBrain network. A portion of the Apache Mirrors will also seed AOO. The page being discussed here is on the project site at incubator.apache.org/openofficeorg/. This page will serve through the Apache Mirrors. The mirror operators are seeding these large binaries and we need to use those as well. A distribution consists of several pieces: 1) The binaries, i.e., the install images. These are served up via SourceForge 2) The source tarballs -- These could go out via Apache mirror network if we want. Or SourceForge. Is will be very low volume in either case. I'm for doing Source and SDK on the Apache Mirrors. 3) The detached signatures and hashes, For these we must link our page to the Apache copies on /dist. This is an essential part of the verification model. This is how the user is protected against a rogue mirror operator or a man-in-the-middle attack, They can always verify their download against the authoritative hashes and signature on the Apache server. This is a key point and should probably be a separate thread. Regards, Dave -Rob FC -- During times of Universal Deceit, telling the truth becomes a revolutionary act Durante épocas de Engaño Universal, decir la verdad se convierte en un Acto Revolucionario - George Orwell
Re: [RELEASE]: download page on the AOO project webpage
On Fri, May 4, 2012 at 12:47 PM, Dave Fisher dave2w...@comcast.net wrote: On May 4, 2012, at 9:40 AM, Rob Weir wrote: On Fri, May 4, 2012 at 12:16 PM, Fernando Cassia fcas...@gmail.com wrote: On Fri, May 4, 2012 at 12:46 PM, Dave Fisher dave2w...@comcast.net wrote: I think we should offer mappings and have this page definitely download via the Apache mirrors. I know what to do to make this work with the Apache mirror cgi. I think I had read somewhere about Apache choosing to use SourceForge's network of mirrors around the world for distribution? That is correct for the www.openoffice.org/download/ main download page. The legacy 3.3 binaries should continue to be available from the MirrorBrain network. A portion of the Apache Mirrors will also seed AOO. The page being discussed here is on the project site at incubator.apache.org/openofficeorg/. This page will serve through the Apache Mirrors. The mirror operators are seeding these large binaries and we need to use those as well. No. no. no. We're trying to reduce the number of places where download logic lives. If we have a download link for AOO on the incubator page it should just point to the download.openoffice.org. A distribution consists of several pieces: 1) The binaries, i.e., the install images. These are served up via SourceForge 2) The source tarballs -- These could go out via Apache mirror network if we want. Or SourceForge. Is will be very low volume in either case. I'm for doing Source and SDK on the Apache Mirrors. 3) The detached signatures and hashes, For these we must link our page to the Apache copies on /dist. This is an essential part of the verification model. This is how the user is protected against a rogue mirror operator or a man-in-the-middle attack, They can always verify their download against the authoritative hashes and signature on the Apache server. This is a key point and should probably be a separate thread. Regards, Dave -Rob FC -- During times of Universal Deceit, telling the truth becomes a revolutionary act Durante épocas de Engaño Universal, decir la verdad se convierte en un Acto Revolucionario - George Orwell
Re: [RELEASE]: download page on the AOO project webpage
On Fri, May 4, 2012 at 6:55 PM, Rob Weir robw...@apache.org wrote: On Fri, May 4, 2012 at 12:47 PM, Dave Fisher dave2w...@comcast.net wrote: On May 4, 2012, at 9:40 AM, Rob Weir wrote: On Fri, May 4, 2012 at 12:16 PM, Fernando Cassia fcas...@gmail.com wrote: On Fri, May 4, 2012 at 12:46 PM, Dave Fisher dave2w...@comcast.net wrote: I think we should offer mappings and have this page definitely download via the Apache mirrors. I know what to do to make this work with the Apache mirror cgi. I think I had read somewhere about Apache choosing to use SourceForge's network of mirrors around the world for distribution? That is correct for the www.openoffice.org/download/ main download page. The legacy 3.3 binaries should continue to be available from the MirrorBrain network. A portion of the Apache Mirrors will also seed AOO. The page being discussed here is on the project site at incubator.apache.org/openofficeorg/. This page will serve through the Apache Mirrors. The mirror operators are seeding these large binaries and we need to use those as well. No. no. no. We're trying to reduce the number of places where download logic lives. If we have a download link for AOO on the incubator page it should just point to the download.openoffice.org. My understanding from past conversations on the binaries topic is that we'll have SourceForge serving binaries, and MirrorBrain serving updates. This will make easy to track downloads and have meaningful stats. Roberto A distribution consists of several pieces: 1) The binaries, i.e., the install images. These are served up via SourceForge 2) The source tarballs -- These could go out via Apache mirror network if we want. Or SourceForge. Is will be very low volume in either case. I'm for doing Source and SDK on the Apache Mirrors. 3) The detached signatures and hashes, For these we must link our page to the Apache copies on /dist. This is an essential part of the verification model. This is how the user is protected against a rogue mirror operator or a man-in-the-middle attack, They can always verify their download against the authoritative hashes and signature on the Apache server. This is a key point and should probably be a separate thread. Regards, Dave -Rob FC -- During times of Universal Deceit, telling the truth becomes a revolutionary act Durante épocas de Engaño Universal, decir la verdad se convierte en un Acto Revolucionario - George Orwell -- This e- mail message is intended only for the named recipient(s) above. It may contain confidential and privileged information. If you are not the intended recipient you are hereby notified that any dissemination, distribution or copying of this e-mail and any attachment(s) is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender by replying to this e-mail and delete the message and any attachment(s) from your system. Thank you.
Re: [RELEASE]: download page on the AOO project webpage
On Fri, May 4, 2012 at 1:02 PM, Roberto Galoppini rgalopp...@geek.net wrote: On Fri, May 4, 2012 at 6:55 PM, Rob Weir robw...@apache.org wrote: On Fri, May 4, 2012 at 12:47 PM, Dave Fisher dave2w...@comcast.net wrote: On May 4, 2012, at 9:40 AM, Rob Weir wrote: On Fri, May 4, 2012 at 12:16 PM, Fernando Cassia fcas...@gmail.com wrote: On Fri, May 4, 2012 at 12:46 PM, Dave Fisher dave2w...@comcast.net wrote: I think we should offer mappings and have this page definitely download via the Apache mirrors. I know what to do to make this work with the Apache mirror cgi. I think I had read somewhere about Apache choosing to use SourceForge's network of mirrors around the world for distribution? That is correct for the www.openoffice.org/download/ main download page. The legacy 3.3 binaries should continue to be available from the MirrorBrain network. A portion of the Apache Mirrors will also seed AOO. The page being discussed here is on the project site at incubator.apache.org/openofficeorg/. This page will serve through the Apache Mirrors. The mirror operators are seeding these large binaries and we need to use those as well. No. no. no. We're trying to reduce the number of places where download logic lives. If we have a download link for AOO on the incubator page it should just point to the download.openoffice.org. My understanding from past conversations on the binaries topic is that we'll have SourceForge serving binaries, and MirrorBrain serving updates. This will make easy to track downloads and have meaningful stats. And Apache mirrors serving source code tarbars and SDK downloads. And Apache /dist serving the hashes for verification Does anyone object to that as the plan? -Rob Roberto A distribution consists of several pieces: 1) The binaries, i.e., the install images. These are served up via SourceForge 2) The source tarballs -- These could go out via Apache mirror network if we want. Or SourceForge. Is will be very low volume in either case. I'm for doing Source and SDK on the Apache Mirrors. 3) The detached signatures and hashes, For these we must link our page to the Apache copies on /dist. This is an essential part of the verification model. This is how the user is protected against a rogue mirror operator or a man-in-the-middle attack, They can always verify their download against the authoritative hashes and signature on the Apache server. This is a key point and should probably be a separate thread. Regards, Dave -Rob FC -- During times of Universal Deceit, telling the truth becomes a revolutionary act Durante épocas de Engaño Universal, decir la verdad se convierte en un Acto Revolucionario - George Orwell -- This e- mail message is intended only for the named recipient(s) above. It may contain confidential and privileged information. If you are not the intended recipient you are hereby notified that any dissemination, distribution or copying of this e-mail and any attachment(s) is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender by replying to this e-mail and delete the message and any attachment(s) from your system. Thank you.
Re: [RELEASE]: download page on the AOO project webpage
On May 4, 2012, at 10:02 AM, Roberto Galoppini wrote: On Fri, May 4, 2012 at 6:55 PM, Rob Weir robw...@apache.org wrote: On Fri, May 4, 2012 at 12:47 PM, Dave Fisher dave2w...@comcast.net wrote: On May 4, 2012, at 9:40 AM, Rob Weir wrote: On Fri, May 4, 2012 at 12:16 PM, Fernando Cassia fcas...@gmail.com wrote: On Fri, May 4, 2012 at 12:46 PM, Dave Fisher dave2w...@comcast.net wrote: I think we should offer mappings and have this page definitely download via the Apache mirrors. I know what to do to make this work with the Apache mirror cgi. I think I had read somewhere about Apache choosing to use SourceForge's network of mirrors around the world for distribution? That is correct for the www.openoffice.org/download/ main download page. The legacy 3.3 binaries should continue to be available from the MirrorBrain network. A portion of the Apache Mirrors will also seed AOO. The page being discussed here is on the project site at incubator.apache.org/openofficeorg/. This page will serve through the Apache Mirrors. The mirror operators are seeding these large binaries and we need to use those as well. No. no. no. We're trying to reduce the number of places where download logic lives. If we have a download link for AOO on the incubator page it should just point to the download.openoffice.org. My understanding from past conversations on the binaries topic is that we'll have SourceForge serving binaries, and MirrorBrain serving updates. This will make easy to track downloads and have meaningful stats. This is mainly about source. I believe that we must use the Apache Mirrors for Source and it makes sense to use it for the SDK. Initially we discussed source on the project site and binary on openoffice.org, but that was quite some awhile ago. Consider the binary part to be an experiment in automating the production of these other pages. It can be turned off, or reused on download.openoffice.org (www.openoffice.org/download/) It is also my understanding that the main reason was not to mix between mirrors so that we are able to debug the process if there are problems. That was the argument that swayed me. Nothing negative about SF, but I think we need to be able to use the Apache Mirrors. These operators have been ask to opt-in to taking the AOO artifacts. Will they host our project if no traffic is ever sent there. Whether we expose that can be a future question. Regards, Dave Roberto A distribution consists of several pieces: 1) The binaries, i.e., the install images. These are served up via SourceForge 2) The source tarballs -- These could go out via Apache mirror network if we want. Or SourceForge. Is will be very low volume in either case. I'm for doing Source and SDK on the Apache Mirrors. 3) The detached signatures and hashes, For these we must link our page to the Apache copies on /dist. This is an essential part of the verification model. This is how the user is protected against a rogue mirror operator or a man-in-the-middle attack, They can always verify their download against the authoritative hashes and signature on the Apache server. This is a key point and should probably be a separate thread. Regards, Dave -Rob FC -- During times of Universal Deceit, telling the truth becomes a revolutionary act Durante épocas de Engaño Universal, decir la verdad se convierte en un Acto Revolucionario - George Orwell -- This e- mail message is intended only for the named recipient(s) above. It may contain confidential and privileged information. If you are not the intended recipient you are hereby notified that any dissemination, distribution or copying of this e-mail and any attachment(s) is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender by replying to this e-mail and delete the message and any attachment(s) from your system. Thank you.
Re: [RELEASE]: download page on the AOO project webpage
On May 4, 2012, at 10:14 AM, Rob Weir wrote: On Fri, May 4, 2012 at 1:02 PM, Roberto Galoppini rgalopp...@geek.net wrote: On Fri, May 4, 2012 at 6:55 PM, Rob Weir robw...@apache.org wrote: On Fri, May 4, 2012 at 12:47 PM, Dave Fisher dave2w...@comcast.net wrote: On May 4, 2012, at 9:40 AM, Rob Weir wrote: On Fri, May 4, 2012 at 12:16 PM, Fernando Cassia fcas...@gmail.com wrote: On Fri, May 4, 2012 at 12:46 PM, Dave Fisher dave2w...@comcast.net wrote: I think we should offer mappings and have this page definitely download via the Apache mirrors. I know what to do to make this work with the Apache mirror cgi. I think I had read somewhere about Apache choosing to use SourceForge's network of mirrors around the world for distribution? That is correct for the www.openoffice.org/download/ main download page. The legacy 3.3 binaries should continue to be available from the MirrorBrain network. A portion of the Apache Mirrors will also seed AOO. The page being discussed here is on the project site at incubator.apache.org/openofficeorg/. This page will serve through the Apache Mirrors. The mirror operators are seeding these large binaries and we need to use those as well. No. no. no. We're trying to reduce the number of places where download logic lives. If we have a download link for AOO on the incubator page it should just point to the download.openoffice.org. My understanding from past conversations on the binaries topic is that we'll have SourceForge serving binaries, and MirrorBrain serving updates. This will make easy to track downloads and have meaningful stats. And Apache mirrors serving source code tarbars and SDK downloads. And Apache /dist serving the hashes for verification Does anyone object to that as the plan? No. Where should the Source/SDK download page live? Project Site or www.openoffice.org/download/source/? Does anyone object to a hidden page that is an experiment in producing download pages from a file that describes the release package? That file can have the mirror policy for each type of artifact. I would also like to remove as much of the page javascript as possible. Regards, Dave -Rob Roberto A distribution consists of several pieces: 1) The binaries, i.e., the install images. These are served up via SourceForge 2) The source tarballs -- These could go out via Apache mirror network if we want. Or SourceForge. Is will be very low volume in either case. I'm for doing Source and SDK on the Apache Mirrors. 3) The detached signatures and hashes, For these we must link our page to the Apache copies on /dist. This is an essential part of the verification model. This is how the user is protected against a rogue mirror operator or a man-in-the-middle attack, They can always verify their download against the authoritative hashes and signature on the Apache server. This is a key point and should probably be a separate thread. Regards, Dave -Rob FC -- During times of Universal Deceit, telling the truth becomes a revolutionary act Durante épocas de Engaño Universal, decir la verdad se convierte en un Acto Revolucionario - George Orwell -- This e- mail message is intended only for the named recipient(s) above. It may contain confidential and privileged information. If you are not the intended recipient you are hereby notified that any dissemination, distribution or copying of this e-mail and any attachment(s) is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender by replying to this e-mail and delete the message and any attachment(s) from your system. Thank you.
Re: [RELEASE]: download page on the AOO project webpage
On Fri, May 4, 2012 at 1:40 PM, Rob Weir robw...@apache.org wrote: A distribution consists of several pieces: 1) The binaries, i.e., the install images. These are served up via SourceForge 2) The source tarballs -- These could go out via Apache mirror network if we want. Or SourceForge. Is will be very low volume in either case. 3) The detached signatures and hashes, Thanks Rob!, Makes sense to distribute the binaries using SF, and the sources from the apache mirrors. I misunderstood the OP as a change of plans wrt SF.net FC -- During times of Universal Deceit, telling the truth becomes a revolutionary act Durante épocas de Engaño Universal, decir la verdad se convierte en un Acto Revolucionario - George Orwell
Re: [RELEASE]: download page on the AOO project webpage
Am 05/04/2012 07:31 PM, schrieb Dave Fisher: On May 4, 2012, at 10:14 AM, Rob Weir wrote: On Fri, May 4, 2012 at 1:02 PM, Roberto Galoppinirgalopp...@geek.net wrote: On Fri, May 4, 2012 at 6:55 PM, Rob Weirrobw...@apache.org wrote: On Fri, May 4, 2012 at 12:47 PM, Dave Fisherdave2w...@comcast.net wrote: On May 4, 2012, at 9:40 AM, Rob Weir wrote: On Fri, May 4, 2012 at 12:16 PM, Fernando Cassiafcas...@gmail.com wrote: On Fri, May 4, 2012 at 12:46 PM, Dave Fisherdave2w...@comcast.net wrote: I think we should offer mappings and have this page definitely download via the Apache mirrors. I know what to do to make this work with the Apache mirror cgi. I think I had read somewhere about Apache choosing to use SourceForge's network of mirrors around the world for distribution? That is correct for the www.openoffice.org/download/ main download page. The legacy 3.3 binaries should continue to be available from the MirrorBrain network. A portion of the Apache Mirrors will also seed AOO. The page being discussed here is on the project site at incubator.apache.org/openofficeorg/. This page will serve through the Apache Mirrors. The mirror operators are seeding these large binaries and we need to use those as well. No. no. no. We're trying to reduce the number of places where download logic lives. If we have a download link for AOO on the incubator page it should just point to the download.openoffice.org. My understanding from past conversations on the binaries topic is that we'll have SourceForge serving binaries, and MirrorBrain serving updates. This will make easy to track downloads and have meaningful stats. And Apache mirrors serving source code tarbars and SDK downloads. And Apache /dist serving the hashes for verification Does anyone object to that as the plan? No. Where should the Source/SDK download page live? Project Site or www.openoffice.org/download/source/? This webpage already exist. Of course needs a complete rework for AOO 3.4.0. Furthermore, previously all files were available together on the other.html. Currently I plan to continue this. Does anyone object to a hidden page that is an experiment in producing download pages from a file that describes the release package? That file can have the mirror policy for each type of artifact. I don't know what the need is to hide a webpage. I would also like to remove as much of the page javascript as possible. From all webpages but the index.html? I tend to agree. Marcus A distribution consists of several pieces: 1) The binaries, i.e., the install images. These are served up via SourceForge 2) The source tarballs -- These could go out via Apache mirror network if we want. Or SourceForge. Is will be very low volume in either case. I'm for doing Source and SDK on the Apache Mirrors. 3) The detached signatures and hashes, For these we must link our page to the Apache copies on /dist. This is an essential part of the verification model. This is how the user is protected against a rogue mirror operator or a man-in-the-middle attack, They can always verify their download against the authoritative hashes and signature on the Apache server. This is a key point and should probably be a separate thread. Regards, Dave -Rob FC
Re: [RELEASE]: download page on the AOO project webpage
Am 05/04/2012 01:10 PM, schrieb Jürgen Schmidt: Hi, we want probably a download link/page on our Apache project page http://incubator.apache.org/openofficeorg/ For example in the navigation bar About Downloads License ... On this page I would propose that we link to the src release packages and a second section for the binaries where we simply link to the download page on www.openoffice.org I am currently preparing a downloads.mdtext file and it should look a little bit like the src dev snaphot build page http://people.apache.org/~jsc/developer-snapshots/src_releases/srcrelease.html Any ideas, comments or opinions I would keep all downloadable files (binaries, SDK, source, checksums) in a single area. This makes it easier to maintain this stuff and to reduce the complexity of the DL logic. So, yes to a download link on the podling page. But only as redirect to the real download webpages. My 2 ct. Marcus
Re: [RELEASE]: download page on the AOO project webpage
On May 4, 2012, at 1:26 PM, Marcus (OOo) wrote: Am 05/04/2012 07:31 PM, schrieb Dave Fisher: On May 4, 2012, at 10:14 AM, Rob Weir wrote: On Fri, May 4, 2012 at 1:02 PM, Roberto Galoppinirgalopp...@geek.net wrote: On Fri, May 4, 2012 at 6:55 PM, Rob Weirrobw...@apache.org wrote: On Fri, May 4, 2012 at 12:47 PM, Dave Fisherdave2w...@comcast.net wrote: On May 4, 2012, at 9:40 AM, Rob Weir wrote: On Fri, May 4, 2012 at 12:16 PM, Fernando Cassiafcas...@gmail.com wrote: On Fri, May 4, 2012 at 12:46 PM, Dave Fisherdave2w...@comcast.net wrote: I think we should offer mappings and have this page definitely download via the Apache mirrors. I know what to do to make this work with the Apache mirror cgi. I think I had read somewhere about Apache choosing to use SourceForge's network of mirrors around the world for distribution? That is correct for the www.openoffice.org/download/ main download page. The legacy 3.3 binaries should continue to be available from the MirrorBrain network. A portion of the Apache Mirrors will also seed AOO. The page being discussed here is on the project site at incubator.apache.org/openofficeorg/. This page will serve through the Apache Mirrors. The mirror operators are seeding these large binaries and we need to use those as well. No. no. no. We're trying to reduce the number of places where download logic lives. If we have a download link for AOO on the incubator page it should just point to the download.openoffice.org. My understanding from past conversations on the binaries topic is that we'll have SourceForge serving binaries, and MirrorBrain serving updates. This will make easy to track downloads and have meaningful stats. And Apache mirrors serving source code tarbars and SDK downloads. And Apache /dist serving the hashes for verification Does anyone object to that as the plan? No. Where should the Source/SDK download page live? Project Site or www.openoffice.org/download/source/? This webpage already exist. Of course needs a complete rework for AOO 3.4.0. Furthermore, previously all files were available together on the other.html. Currently I plan to continue this. Does anyone object to a hidden page that is an experiment in producing download pages from a file that describes the release package? That file can have the mirror policy for each type of artifact. I don't know what the need is to hide a webpage. By hide I mean, it will be an experiment. I would also like to remove as much of the page javascript as possible. From all webpages but the index.html? I tend to agree. As an experiment it will be a new version of other. It will take some time and I plan to proceed similarly to Jürgen. For now, I'm silent. Regards, Dave Marcus A distribution consists of several pieces: 1) The binaries, i.e., the install images. These are served up via SourceForge 2) The source tarballs -- These could go out via Apache mirror network if we want. Or SourceForge. Is will be very low volume in either case. I'm for doing Source and SDK on the Apache Mirrors. 3) The detached signatures and hashes, For these we must link our page to the Apache copies on /dist. This is an essential part of the verification model. This is how the user is protected against a rogue mirror operator or a man-in-the-middle attack, They can always verify their download against the authoritative hashes and signature on the Apache server. This is a key point and should probably be a separate thread. Regards, Dave -Rob FC
Re: [RELEASE]: download page on the AOO project webpage
On 04/05/2012 Rob Weir wrote: And Apache /dist serving the hashes for verification This is surely OK, but the project policy at OpenOffice.org was to additionally send an e-mail to a public list (it would be ooo-dev with the current settings) with all checksums. While it may sound odd, it makes sense since the list is publicly archived in several places, so if the website is hacked (or simply if its revision history is lost due to migration, like it recently happened for openoffice.org) it is always possible to verify that an OpenOffice download is genuine. Regards, Andrea.
Re: [RELEASE]: download page on the AOO project webpage
On May 4, 2012, at 4:16 PM, Andrea Pescetti wrote: On 04/05/2012 Rob Weir wrote: And Apache /dist serving the hashes for verification This is surely OK, but the project policy at OpenOffice.org was to additionally send an e-mail to a public list (it would be ooo-dev with the current settings) with all checksums. While it may sound odd, it makes sense since the list is publicly archived in several places, so if the website is hacked (or simply if its revision history is lost due to migration, like it recently happened for openoffice.org) it is always possible to verify that an OpenOffice download is genuine. The ASF works very hard at protecting the integrity of /dist. It should be considered safe. Both /dist and the site are in svn. As long as the project is keeping an eye on commit logs we can be pretty sure to catch any bad changes through a committer id. Multiples that are the same distributed all over are good too. The mirrors serve that purpose. Best would be digitally signed packages. If you watch Foundation lists, you'll know that such signing is being discussed. WIth that this business of checksums goes away. But nothing wrong with email. Regards, Dave Regards, Andrea.
