Re: download pages rethink

2004-07-19 Thread Stefan Bodewig
On Thu, 15 Jul 2004, Noel J. Bergman [EMAIL PROTECTED] wrote: I tend to disagree with your assertion that PGP signatures are less important than MD5 signatures. But then again, given how badly connected the PGP keys used to sign most Jakarta releases are, you are probably correct. A

Re: download pages rethink

2004-07-19 Thread Henning Schmiedehausen
I keep the keys that I've used to sign the releases that I have done on a floppy disk away from any networked system. If you have the sign keys on an Apache server and if these servers ever get hacked (and it _will_ happen), then you have compromised the whole chain of trust. I very much prefer

Re: download pages rethink

2004-07-18 Thread robert burrell donkin
On 18 Jul 2004, at 04:14, Henri Yandell wrote: While a single page is necessary for the casual browser, why would a user of Tomcat, who wants to download Tomcat 5, want to go to a list of many other subprojects? http://www.apache.org/dyn/closer.cgi/maven/binaries/maven-1.0.zip seems to be far

Re: download pages rethink

2004-07-17 Thread robert burrell donkin
On 15 Jul 2004, at 20:51, Stefan Bodewig wrote: snip BTW, I just now realized that we have a couple of releases that are neither PGP signed nor accompanied by MD5 hashes, this should be strongly discouraged IMHO. In particular since Ant supports generation of MD5 hashes since a few years now -

Re: download pages rethink

2004-07-17 Thread Howard Lewis Ship
I wish we could get away from PGP keys (though I understand it helps limit liability). It tends to be a decidedly manual step, and error prone. I generate my PGP keys on my local machine and upload, it might be easier if I could figure out how to get my GnuPG key translated to a PGP key compatible

RE: download pages rethink

2004-07-17 Thread Noel J. Bergman
robert burrell donkin wrote: IMO signatures are more important (than md5 sums) for the ASF and less important for users. md5 sums are quick and easy to understand. If we were ever hacked, MD5 sums could be replaced without detection. That cannot be done with PGP keys, and we have had people

Re: download pages rethink

2004-07-17 Thread Henri Yandell
I was originally signing packages on the Apache server (as I wasn't used to installing PGP on machines I setup for dev work). It was recommended repeatedly that I get them off as it is a risk to the quality of the authentication. Hen On Sat, 17 Jul 2004, Howard Lewis Ship wrote: I wish we

Re: download pages rethink

2004-07-17 Thread Henri Yandell
While a single page is necessary for the casual browser, why would a user of Tomcat, who wants to download Tomcat 5, want to go to a list of many other subprojects? http://www.apache.org/dyn/closer.cgi/maven/binaries/maven-1.0.zip seems to be far more of what a user would want to see. However,

Re: download pages rethink

2004-07-15 Thread Stefan Bodewig
On Sun, 11 Jul 2004, robert burrell donkin [EMAIL PROTECTED] wrote: i'm happy for discussion to continue on this list I feel more comfortable to do so, but that may be a personal thing. Discussions need to get the use of I to stick to a name and the Wiki really doesn't make this easy. I tend

download pages rethink

2004-07-11 Thread robert burrell donkin
i've created a document on the wiki (http://wiki.apache.org/jakarta/InfrastructureIssues/WebSite/DownloadPages). i'm happy for discussion to continue on this list but i thought that it might be useful to have a base document. comment encouraged :) - robert