ant-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Bodewig <>
Subject Re: Publishing metalinks on the download page
Date Thu, 03 Sep 2009 14:54:24 GMT
On 2009-09-03, Bram Neijt <> wrote:

> You are correct that you won't benefit from publishing metalinks, but
> your users might.

Which would benefit Ant ...  But I'm not convinced 8-)

> One of the failures a redirect/GeoIP based approach can't solve for
> the user is possible firewall problems. The user may be behind a
> firewall which restricts to HTTP connetions, not knowing that for sure
> he/she would have to try the GeoIP suggestion.

If you look at the actual download page it will list HTTP mirrors first
(since ftp mirrors are so 20th century anyway, I guess).  Most users
will have stopped before reaching the ftp mirrors.

> Another benefit is that the download client can also verify the
> download afterwards,

This depends on my level of paranoia.  Do I want to trust md5 or sha1
hashes at all?  Does the client speak OpenPGP for a stronger checksum
algorithm (unless the signer is in my web of trust, the signature isn't
more than that)?

> without the user having to run any extra commands after the download
> finished.

Do I tust the download client? ;-;

> About the digest information coming from a reliable central source, you
> are already doing that with your download page by pointing only to the
> central MD4/SHA1/signature files. I've rewritten the page to keep other
> people from getting confused about that :)


I think in the ASF's case dynmirror doesn't really help.  The list of
mirrors is dynamic and mirrors come and go (e.g. they may get removed if
they don't sync fast enough) and we like to keep it that way.  The
specific ASF projects (like Ant) aren't even aware of the process.

If I understand dynmirror correctly it would accept any download URL as
a mirror if it can provide matching filenames and MD5 checksums, is that
correct?  This would allow mirrors to add themselves that are not
"approved" (they may want to show ads we don't like for example).

If my understanding is correct it would also allow me to create a trojan
distribution of some software if I manage to create MD5 checksums that
match the original distribution - given that creating hash collisions in
MD5 isn't that difficult for a well-funded bad-guy, this is something
I'd be concerned about.  Given its adoption Apache httpd looks like a
very attractive target for inserting a backdoor, so the well-funded
bad-guy isn't that far-fetched IMHO.

Let's say I hope my understanding is wrong.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message