cloudstack-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sebb (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CLOUDSTACK-10280) Please use HTTPS for KEYS, sigs and hashes
Date Fri, 09 Feb 2018 16:26:00 GMT
Sebb created CLOUDSTACK-10280:
---------------------------------

             Summary: Please use HTTPS for KEYS, sigs and hashes
                 Key: CLOUDSTACK-10280
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10280
             Project: CloudStack
          Issue Type: Improvement
      Security Level: Public (Anyone can view this level - this is the default.)
            Reporter: Sebb


The download page is generally fine.

However the links to the KEYS, sigs (PGP) and hashes use http; ideally they should use https.

Also the gpg command should read:

gpg --verify apache-cloudstack-X.X.X-src.tar.bz2.asc apache-cloudstack-X.X.X-src.tar.bz2

i.e. both the detached sig and the artifact itself should be specified.
See: https://www.apache.org/info/verification.html#CheckingSignatures



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message