bug-cvs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Binary File Download Authentication


From: Conrad T. Pino
Subject: Binary File Download Authentication
Date: Fri, 28 Jan 2005 17:02:55 -0800

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Derek & Larry,

There are technical issues with Apache and browsers
that lead to this and Collab Net is willing make
adjustments to Apache if so warranted.

Before we ask anyone to commit technical time I'd
like us to be clear on our objective.  Since we're
the only three that upload to the CVS Home download
area, the objective must fall within what we can
support.

Keeping the above in mind let's consider:

1. Derek sets the tempo and is very consistent about
providing PGP "*.sig" files AND a "Checksums" file
with both MD5 and SHA1 values for source tar balls.

2. The "Checksums" files generated use the UNIX new
line convention, an impediment to Microsoft users.

3. The "Checksums" files contain data for compressed
version of their respective files, an impediment to
browsers that decompress the file.  In practice this
doesn't occur for source tar balls and I've enumerated
it to contrast with binary files where the issue does
occur.

4. I provide "*.sig" files for my uploads because I
have the tool and I'm partially imitating Derek.

5. I don't provide "Checksums" because I don't have
Windows tools for them.   I do have the MD5 and SHA1
tools to generate them on my NetBSD box.

6. The files Larry uploads have no authentication data.

7. Between Apache and browsers some users get compressed
files and other uncompressed files and we don't have a
complete picture of the browsers.  We could provide data
for compressed and uncompressed files and let the users
sort it out for themselves.  I'm not advocating this one
and mention it only for completeness.

The above enumeration represents all the "discrepancies"
I'm aware of with respect to authenticating downloaded
files.  I'm NOT advocating we resolve all of them.

I do advocate we converge on an objective that's useful
and sustainable and put that into consistent practice.

Please view "consistent practice" as a group objective.
We can help each other fill in missing details so long
as 1 piece of authentication data is available.

Best regards,

Conrad

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBQfrgv7NM28ubzTo9EQJvFgCfbTVz2VpAS5a6QPXiXbWJiMA/lNUAniUP
UeU2pEZQa49h+iYGabrXjKzK
=MRFc
-----END PGP SIGNATURE-----





reply via email to

[Prev in Thread] Current Thread [Next in Thread]