climate-dev mailing list archives

From "Sebb (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLIMATE-951) Download pages must use HTTPS for sigs, hashes, KEYS
Date Wed, 02 May 2018 09:36:00 GMT

    [ https://issues.apache.org/jira/browse/CLIMATE-951?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16460778#comment-16460778 ]

Sebb commented on CLIMATE-951:
------------------------------

Thanks, however I think the sentence:

"We encourage you to verify your release when you use the software."

does not read well and is not strong enough: it's essential to do the verification *before*
deployment and use.

See http://httpd.apache.org/download.cgi or https://tomcat.apache.org/download-90.cgi which
say:

"You must verify the integrity of the downloaded files."

> Download pages must use HTTPS for sigs, hashes, KEYS
> ----------------------------------------------------
>
>                 Key: CLIMATE-951
>                 URL: https://issues.apache.org/jira/browse/CLIMATE-951
>             Project: Apache Open Climate Workbench
>          Issue Type: Bug
>    Affects Versions: 1.3.0
>         Environment: http://climate.apache.org/downloads.html
>            Reporter: Sebb
>            Assignee: Lewis John McGibbney
>            Priority: Major
>             Fix For: 1.4.0
>
>
> The download page is generally fine.
> However the links to the KEYS, sigs (PGP) and hashes use http; ideally they should use https.
> Also the gpg command should read:
> gpg --verify <artifact>.asc <artifact>
> i.e. both the detached sig and the artifact itself should be specified.
> See: https://www.apache.org/info/verification.html#CheckingSignatures
> Further, this sentence links to the same archives twice:
> "If you are looking for previous releases of Apache OCW, have a look in the Apache Archives, or alternatively for even older releases check out the Apache archives."
> Did you mean the second link to reference the incubator archives at http://archive.apache.org/dist/incubator/climate/?



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
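
Added example (not part of the original message or of the project's code): a small lint for a release download page that reports links to KEYS, signature or hash files served over plain http, the condition this issue describes. The suffix list, function names and sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed suffixes for detached signatures and hash files (example list).
VERIFICATION_SUFFIXES = (".asc", ".sig", ".md5", ".sha1", ".sha256", ".sha512")


class _LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in document order."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)


def is_verification_link(url):
    """True if the URL points at a KEYS file, a signature or a hash."""
    name = urlparse(url).path.rsplit("/", 1)[-1]
    return name == "KEYS" or name.lower().endswith(VERIFICATION_SUFFIXES)


def insecure_verification_links(html):
    """Return verification-material links that explicitly use http://.

    Relative and scheme-relative links inherit the page's own scheme,
    so they are not reported here.
    """
    collector = _LinkCollector()
    collector.feed(html)
    return [u for u in collector.links
            if urlparse(u).scheme.lower() == "http" and is_verification_link(u)]


# Constructed sample page; example.org stands in for a real download site.
SAMPLE_PAGE = """
<ul>
<li><a href="https://example.org/dist/project-1.0.tar.gz">source</a>
    <a href="http://example.org/dist/project-1.0.tar.gz.asc">PGP</a>
    <a href="https://example.org/dist/project-1.0.tar.gz.sha512">SHA512</a></li>
<li><a href="http://example.org/dist/KEYS">KEYS</a></li>
<li><a href="http://example.org/docs/index.html">docs</a></li>
</ul>
"""

if __name__ == "__main__":
    for url in insecure_verification_links(SAMPLE_PAGE):
        print("insecure verification link:", url)
```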
