On Sep 17, 2008, at 5:32 PM, Henning Schmiedehausen wrote:
The only way around that I can see right away in a heavily mirrored
system, is to pull the signatures (and probably even the checksums)
from
central all the time. Which represents a single point of failure and a
non-scaling element.
This item has been out for discussion for a few weeks. Please
indicate your preference for accepting VCL to the Incubator. Proposal
is included below for posterity. We're looking for a few more
mentors. If there is discussion please create a parallel [DISCUSS]
thread.
[ ] +1 Accept VC
Hi,
On Thu, Sep 18, 2008 at 11:41 PM, William A. Rowe, Jr.
<[EMAIL PROTECTED]> wrote:
> Since the hash is not security, it's not terribly important, eh?
Hashes are a perfect tool for verifying message integrity. They won't
prove origin like signatures do, but verifiable integrity is hardly
*not*
On Wed, 17 Sep 2008, Rainer Döbele wrote:
With the struts-extentions we're in a dilemma. It won't build without
servlet-api.jar and jsp-api.jar. There is an info file that informs the
user about the requirement for these two jars.
Can you point this file out to me? I am too stupid to find
Hiram Chirino wrote:
Agreed. I never argued against this. But I fail to see the point?
Are you saying initial trust is hard to secure? I totally agree on
that point. You have any solutions?
Yes. You sign your package locally, never on the remote system. The ASF
hardware must never have y
On Thu, Sep 18, 2008 at 4:57 PM, sebb <[EMAIL PROTECTED]> wrote:
> On 18/09/2008, Hiram Chirino <[EMAIL PROTECTED]> wrote:
>> On Thu, Sep 18, 2008 at 2:26 PM, William A. Rowe, Jr.
>>
>> <[EMAIL PROTECTED]> wrote:
>>
>> > Hiram Chirino wrote:
>> >>
>> >> So the responsibility is still on us, the u
Trust me I'm not trying to be difficult..
On Thu, Sep 18, 2008 at 4:53 PM, William A. Rowe, Jr.
<[EMAIL PROTECTED]> wrote:
> Hiram, I wish you would desist already from debating positions that you
> can't defend...
>
> Hiram Chirino wrote:
>>
>> On Thu, Sep 18, 2008 at 3:07 PM, sebb <[EMAIL PROTEC
On 18/09/2008, Hiram Chirino <[EMAIL PROTECTED]> wrote:
> On Thu, Sep 18, 2008 at 2:26 PM, William A. Rowe, Jr.
>
> <[EMAIL PROTECTED]> wrote:
>
> > Hiram Chirino wrote:
> >>
> >> So the responsibility is still on us, the upstream distributor, to
> >> verify the checksums we list in our sour
0. There were good reasons for both sides.
Regards,
Thomas
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Hiram, I wish you would desist already from debating positions that you
can't defend...
Hiram Chirino wrote:
On Thu, Sep 18, 2008 at 3:07 PM, sebb <[EMAIL PROTECTED]> wrote:
On 18/09/2008, Hiram Chirino <[EMAIL PROTECTED]> wrote:
So the responsibility is still on us, the upstream distributor,
Conversely and more defendable, we could decide that anything with a
transitive dependency hull that is not completely contained by central
cannot be hosted in central. This is yet another approach to nuking the
issue. The unfortunate side-effect would be to exclude all apache (and
other) artifacts
On Thu, Sep 18, 2008 at 3:07 PM, sebb <[EMAIL PROTECTED]> wrote:
> On 18/09/2008, Hiram Chirino <[EMAIL PROTECTED]> wrote:
>> On Thu, Sep 18, 2008 at 10:59 AM, sebb <[EMAIL PROTECTED]> wrote:
>> > On 18/09/2008, Hiram Chirino <[EMAIL PROTECTED]> wrote:
>> >> On Wed, Sep 17, 2008 at 9:42 PM, Willi
Right.. It's part of the source distro or SVN.
On Thu, Sep 18, 2008 at 3:10 PM, Jukka Zitting <[EMAIL PROTECTED]> wrote:
> Hi,
>
> On Thu, Sep 18, 2008 at 9:08 PM, sebb <[EMAIL PROTECTED]> wrote:
>>> The checksums are _not_ downloaded from the Maven repository.
>>
>> So where are they stored?
>
>
On Thu, Sep 18, 2008 at 2:26 PM, William A. Rowe, Jr.
<[EMAIL PROTECTED]> wrote:
> Hiram Chirino wrote:
>>
>> So the responsibility is still on us, the upstream distributor, to
>> verify the checksums we list in our source distro are correct.
>> But at least by doing this, down stream users of
Hi,
On Thu, Sep 18, 2008 at 9:08 PM, sebb <[EMAIL PROTECTED]> wrote:
>> The checksums are _not_ downloaded from the Maven repository.
>
> So where are they stored?
For example in our svn or signed source release packages. Along with
the source code.
BR,
Jukka Zitting
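The point Jukka and Hiram are making (checksums kept in svn or the signed source release, not fetched from the repository that serves the artifact) and William's man-in-the-middle / DNS-pollution objection can be shown side by side. The following is an added example, not code from this thread, from Maven or from any Apache project. The artifact path, the jar bytes, the tiny `Mirror` class and the `dependency-checksums.txt` format are all constructed for illustration; SHA-1 is used only because Maven repositories serve `.sha1` files next to each artifact.

```python
"""Pinned-checksum verification of build dependencies (constructed example).

Two checks are run against a simulated Maven mirror:
  1. trust the .sha1 file served next to the artifact (what a plain
     repository download gives you), and
  2. compare against a checksum pinned in the project's own source tree
     (shipped in svn or inside the signed source release).
A man-in-the-middle who controls the mirror, or the DNS answer that points
at it, rewrites the artifact and its .sha1 together, so only check 2
notices the swap.  The pinned file itself proves nothing about origin;
its authority comes from the signature on the source release it ships in.
"""
import hashlib
import hmac

# Constructed sample data: not real artifacts, not real checksums.
DEP_PATH = "org/example/commons-foo/1.0/commons-foo-1.0.jar"
GOOD_JAR = b"PK\x03\x04 constructed bytes standing in for the real jar"
EVIL_JAR = b"PK\x03\x04 constructed bytes standing in for a backdoored jar"


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


class Mirror:
    """Minimal stand-in for a repository mirror: path -> bytes."""

    def __init__(self, files):
        self.files = dict(files)

    def get(self, path: str) -> bytes:
        return self.files[path]


def honest_mirror() -> Mirror:
    return Mirror({DEP_PATH: GOOD_JAR,
                   DEP_PATH + ".sha1": sha1_hex(GOOD_JAR).encode()})


def mitm_mirror() -> Mirror:
    # The attacker serves both files, so the co-located checksum matches.
    return Mirror({DEP_PATH: EVIL_JAR,
                   DEP_PATH + ".sha1": sha1_hex(EVIL_JAR).encode()})


def verify_with_repo_sha1(mirror: Mirror, path: str) -> bool:
    """Check 1: the .sha1 file comes from the same place as the artifact."""
    data = mirror.get(path)
    # Repository .sha1 files hold the hex digest, sometimes followed by a filename.
    served = mirror.get(path + ".sha1").decode().split()[0].lower()
    return hmac.compare_digest(sha1_hex(data), served)


def make_pinned_file(artifacts: dict) -> str:
    """Upstream step: record the checksums of the dependencies the release
    was actually built against, to be committed alongside the source."""
    lines = ["# sha1  path  (constructed dependency-checksums.txt)"]
    for path, data in sorted(artifacts.items()):
        lines.append(f"{sha1_hex(data)}  {path}")
    return "\n".join(lines) + "\n"


def parse_pinned_file(text: str) -> dict:
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, path = line.split(None, 1)
        pinned[path] = digest.lower()
    return pinned


def verify_with_pinned(mirror: Mirror, path: str, pinned_text: str) -> bool:
    """Check 2: compare the download against a checksum that did not travel with it."""
    pinned = parse_pinned_file(pinned_text)
    if path not in pinned:
        raise KeyError(f"no pinned checksum for {path}")  # fail closed, never skip
    return hmac.compare_digest(sha1_hex(mirror.get(path)), pinned[path])


def run_scenarios() -> dict:
    """Run both checks against both mirrors; keys are (mirror, check)."""
    pinned_text = make_pinned_file({DEP_PATH: GOOD_JAR})
    return {
        ("honest", "repo_sha1"): verify_with_repo_sha1(honest_mirror(), DEP_PATH),
        ("honest", "pinned"): verify_with_pinned(honest_mirror(), DEP_PATH, pinned_text),
        ("mitm", "repo_sha1"): verify_with_repo_sha1(mitm_mirror(), DEP_PATH),
        ("mitm", "pinned"): verify_with_pinned(mitm_mirror(), DEP_PATH, pinned_text),
    }


if __name__ == "__main__":
    for (mirror, check), ok in run_scenarios().items():
        print(f"{mirror:7s} mirror, {check:9s} check: {'OK' if ok else 'MISMATCH'}")
```

The `("mitm", "repo_sha1")` case passes even though the jar was replaced, which is the whole of William's objection; the `("mitm", "pinned")` case is the one that fails, and it fails only because the checksum reached the downstream builder by a path the mirror does not control. Pinning a checksum is still not a signature: it tells you the bytes are the ones the upstream project listed, not who produced them.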
On 18/09/2008, Jukka Zitting <[EMAIL PROTECTED]> wrote:
> Hi,
>
> On Thu, Sep 18, 2008 at 8:26 PM, William A. Rowe, Jr.
>
> <[EMAIL PROTECTED]> wrote:
>
> > Not if there is a man in the middle attack. If you didn't notice the
> > recent noise w.r.t. DNS pollution, that's the very point of that v
On 18/09/2008, Hiram Chirino <[EMAIL PROTECTED]> wrote:
> On Thu, Sep 18, 2008 at 10:59 AM, sebb <[EMAIL PROTECTED]> wrote:
> > On 18/09/2008, Hiram Chirino <[EMAIL PROTECTED]> wrote:
> >> On Wed, Sep 17, 2008 at 9:42 PM, William A. Rowe, Jr.
> >>
> >> <[EMAIL PROTECTED]> wrote:
> >>
> >> > S
Hi,
On Thu, Sep 18, 2008 at 8:26 PM, William A. Rowe, Jr.
<[EMAIL PROTECTED]> wrote:
> Not if there is a man in the middle attack. If you didn't notice the
> recent noise w.r.t. DNS pollution, that's the very point of that vector.
> Had it been exploited, tens of thousands of download users could
On Thu, Sep 18, 2008 at 10:26 AM, Daniel Kulp <[EMAIL PROTECTED]> wrote:
> On Thursday 18 September 2008 1:14:53 pm Davanum Srinivas wrote:
> > "but they cannot require third parties to not sync it into their
> > repos." --> Is this something Maven PMC is
> > thinking-about/voted-on/discussing? ba
On 18/09/2008, Daniel Kulp <[EMAIL PROTECTED]> wrote:
>
> You spelled artifacts wrong:
They are both valid spellings.
> Verify downloaded artefacts
> other than that, looks good.
>
> Looks like a couple of graduated projects (cxf and tuscany) might want to
> consider removing their incubator
Hiram Chirino wrote:
So the responsibility is still on us, the upstream distributor, to
verify the checksums we list in our source distro are correct.
But at least by doing this, down stream users of our source distros
can rest assured that the dependencies that they are using are the
correc
You spelled artifacts wrong:
Verify downloaded artefacts
other than that, looks good.
Looks like a couple of graduated projects (cxf and tuscany) might want to
consider removing their incubator artifacts (they are in the archive).
Dan
On Thursday 18 September 2008 12:36:58 am David Cross
On Thu, Sep 18, 2008 at 10:59 AM, sebb <[EMAIL PROTECTED]> wrote:
> On 18/09/2008, Hiram Chirino <[EMAIL PROTECTED]> wrote:
>> On Wed, Sep 17, 2008 at 9:42 PM, William A. Rowe, Jr.
>>
>> <[EMAIL PROTECTED]> wrote:
>>
>> > Similarly, the issue of signature validation is a significant flaw which
>>
On Thu, Sep 18, 2008 at 5:36 AM, David Crossley <[EMAIL PROTECTED]> wrote:
> I noticed that the apache.org/dist/incubator distribution area
> had no header file to explain itself. Hence each mirror was
> missing that information.
>
> I created it now, modelling it on other ASF distribution areas.
>
On Thu, 2008-09-18 at 11:00 +0200, Rainer Döbele wrote:
> Does anyone know where to obtain distributable versions of the
> servlet-api.jar and jsp-api.jar from? The only implementations I know come
> from Sun Microsystems and are under CDDL License.
Tomcat is shipping implementations, so there
point taken.
-- dims
On Thu, Sep 18, 2008 at 1:26 PM, Daniel Kulp <[EMAIL PROTECTED]> wrote:
> On Thursday 18 September 2008 1:14:53 pm Davanum Srinivas wrote:
>> "but they cannot require third parties to not sync it into their
>> repos." --> Is this something Maven PMC is
>> thinking-about/voted
On Thursday 18 September 2008 1:14:53 pm Davanum Srinivas wrote:
> "but they cannot require third parties to not sync it into their
> repos." --> Is this something Maven PMC is
> thinking-about/voted-on/discussing? basically overriding the current
> un-written policy of the incubator? Please let us
"but they cannot require third parties to not sync it into their
repos." --> Is this something Maven PMC is
thinking-about/voted-on/discussing? basically overriding the current
un-written policy of the incubator? Please let us know.
thanks,
dims
On Thu, Sep 18, 2008 at 11:17 AM, Daniel Kulp <[EMA
On Thu, Sep 18, 2008 at 1:48 AM, Gilles Scokart <[EMAIL PROTECTED]> wrote:
> I think the vote (and discussions) about the use of extra distribution
> channel is going in a bad direction.
>
> I would like to try to summarize the two positions, see if we could
> not reconcile the two positions and f
Gilles Scokart wrote:
2008/9/15 William A. Rowe, Jr. <[EMAIL PROTECTED]>:
Brett Porter wrote:
For the releases to be identified as from the incubator, they'll need to
be
signed solely by "the incubator". Did you want to elaborate on how you
anticipated that set up working?
With PGP it's a web
On Thu, Sep 10, 2008 at 9:34 AM, "Jukka Zitting"
<[EMAIL PROTECTED]> wrote:
> Hi,
>
> We've had a number of long discussions about the incubating projects
> using the central Maven repository to distribute their releases. The
> current policy is that incubating releases should not go to there. The
On Wednesday 17 September 2008 8:05:40 pm Henning Schmiedehausen wrote:
> > Thus:
> > If the central maven repository maintainers (Maven PMC) decide to put
> > incubator artifacts into their repository without a click through "this
> > is incubator code" disclaimer, we'd have no legal reason to say
Steve,
[reposting as per steve]
Is there any interest in developing GUI/command-line tools that an
end-user can actually use as part of the project? Or is it just the
API+RI?
thanks,
dims
On Thu, Sep 18, 2008 at 7:33 AM, Steve Poole <[EMAIL PROTECTED]> wrote:
> Greetings, I have just posted to
On 18/09/2008, Hiram Chirino <[EMAIL PROTECTED]> wrote:
> On Wed, Sep 17, 2008 at 9:42 PM, William A. Rowe, Jr.
>
> <[EMAIL PROTECTED]> wrote:
>
> > Similarly, the issue of signature validation is a significant flaw which
> > I also hope maven addresses even more promptly, and which they are aware
+1 (non-binding)
The current policy is silly.
On Wed, Sep 10, 2008 at 8:34 AM, Jukka Zitting <[EMAIL PROTECTED]>wrote:
> Hi,
>
> We've had a number of long discussions about the incubating projects
> using the central Maven repository to distribute their releases. The
> current policy is that in
On Wed, Sep 17, 2008 at 9:42 PM, William A. Rowe, Jr.
<[EMAIL PROTECTED]> wrote:
> Similarly, the issue of signature validation is a significant flaw which
> I also hope maven addresses even more promptly, and which they are aware
> of. The alternatives are to take down maven until it is secure, o
On Wed, Sep 10, 2008 at 2:34 AM, Jukka Zitting <[EMAIL PROTECTED]>wrote:
> Hi,
>
> Please vote on accepting or rejecting this policy change! This
> majority vote is open for a week and only votes from the Incubator PMC
> members are binding.
>
> [ ] +1 Yes, allow extra release distribution channel
Steve,
Is there any interest in developing GUI/command-line tools that an
end-user can actually use as part of the project? Or is it just the
API+RI?
thanks,
dims
On Thu, Sep 18, 2008 at 5:01 AM, Steve Poole <[EMAIL PROTECTED]> wrote:
> Greetings, I have just posted to the Incubator wiki a draf
Greetings, I have just posted to the Incubator wiki a draft project
proposal. http://wiki.apache.org/incubator/KatoProposal
The proposal abstract states
"Kato is a project to develop the Specification, Reference Implementation
and Technology Compatibility Kit for JSR 326: Post-mortem JVM
I've somehow managed to attach this note to another thread so I'll repost
the original as a top level email.
Steve Poole
Steve Poole/UK/[EMAIL PROTECTED]
18/09/2008 10:01
Please respond to
general@incubator.apache.org
To
general@incubator.apache.org
cc
Subject
new draft Incubator projec
Gilles,
Sorry. "they don't use the apache name." is a non-starter for me :(
-- dims
On Thu, Sep 18, 2008 at 4:48 AM, Gilles Scokart <[EMAIL PROTECTED]> wrote:
> I think the vote (and discussions) about the use of extra distribution
> channel is going in a bad direction.
>
> I would like to try t
Greetings, I have just posted to the Incubator wiki a draft project
proposal. http://wiki.apache.org/incubator/KatoProposal
The proposal abstract states
"Kato is a project to develop the Specification, Reference Implementation
and Technology Compatibility Kit for JSR 326: Post-mortem JVM
Thank you Henning very much for your helpful comments on the servlet-api.jar
and jsp-api.jar problem. Obviously there is a lot to learn for us about build
scripts.
Henning wrote:
> ... Or you can bundle them with your source code; there are
> distributable versions of the APIs.
Does anyone know
I think the vote (and discussions) about the use of extra distribution
channel is going in a bad direction.
I would like to try to summarize the two positions, see if we could
not reconcile the two positions and find a better consensus.
Here is what the 2 camps say:
+1 : say:
- We can no
On Thu, Sep 18, 2008 at 4:57 AM, Noel J. Bergman <[EMAIL PROTECTED]> wrote:
> William A. Rowe, Jr. wrote:
>
> > Noel J. Bergman wrote:
> >>> The current tally is extremely close (9 +1 vs. 8 -1 binding)
> >>> I don't want to close an issue with such a small margin.
> >> I suggest that we should not