commons-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Benedikt Ritter <brit...@apache.org>
Subject Re: [site][build-plugin] Keys link link on download page
Date Wed, 31 Dec 2014 14:59:19 GMT
Hey Bernd,

note that the readme and contributing goals still don't really work for
multi module projects. But I think that can be fixed in the next release if
anybody has the time?

Benedikt

2014-12-29 21:58 GMT+01:00 Bernd Eckenfels <ecki@zusammenkunft.net>:

> Hello sebb,
>
> ok I can amend my changes to add this. I will wait a day to see if more
> issues come up.
>
> I was trying to be brief as we have the validation
> page explaining all, but it might be good to be a bit verbose here.
>
> Gruss
> Bernd
>
>
>  Am Mon, 29 Dec 2014 20:51:21 +0000
> schrieb sebb <sebbaz@gmail.com>:
>
> > On 29 December 2014 at 20:13, Bernd Eckenfels
> > <ecki@zusammenkunft.net> wrote:
> > > Am Mon, 29 Dec 2014 20:01:29 +0000
> > > schrieb sebb <sebbaz@gmail.com>:
> > >
> > >> On 29 December 2014 at 19:48, Bernd Eckenfels
> > >> <ecki@zusammenkunft.net> wrote:
> > >> > The download page of apache commons reads like there is supposed
> > >> > to be a KEYS column in the table. But it is now a general link,
> > >> > so I would apply the following changes, if you agree:
> > >>
> > >> I think the reference to the KEYS file needs to come before the
> > >> hashes. We want to encourage sig checking as the primary way to
> > >> check downloads.
> > >>
> > >> But I agree that the text needs some TLC.
> > >
> > > Cool, how is this:
> > >
> > >       <p>
> > >         Please <a
> > > href="http://www.apache.org/info/verification.html">verify the
> > > integrity</a> of downloaded files against the public code signing
> > > <a href="http://www.apache.org/dist/commons/KEYS">KEYS</a> used
by
> > > the Apache Commons developers. </p>
> > >       <p>
> > >         The <code>pgp</code> link downloads the OpenPGP compatible
> > > signature from our main site. The <code>md5</code> link downloads
> > > the checksum from the main site. </p>
> > >
> >
> > Better, but the verification is not actually against the KEYS file.
> > How about:
> >
> >       <p>
> >         It is essential that you <a
> > href="http://www.apache.org/info/verification.html">verify the
> > integrity</a>
> >         of downloaded files, preferabley using the <code>PGP</code>
> > signature; failing that using the <code>MD5</code> hash.
> >       <p>
> >       </p>
> >         The <a href="http://www.apache.org/dist/commons/KEYS">KEYS</a>
> > file contains the public keys
> >         used by Apache Commons developers to sign releases.
> >         It is used in conjunction with the <code>PGP</code> signature
> > for the download
> >       </p>
> >       <p>
> >         The <code>PGP</code> link downloads the OpenPGP compatible
> > signature from our main site.
> >         The <code>MD5</code> link downloads the checksum from our
> > main site. </p>
> >
> >
> > I'm sure this could be improved further.
> >
> > The generated links should probably also upcased to PGP and MD5 so
> > they stand out better.
> >
> > > Gruss
> > > Bernd
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> > > For additional commands, e-mail: dev-help@commons.apache.org
> > >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> > For additional commands, e-mail: dev-help@commons.apache.org
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>
>


-- 
http://people.apache.org/~britter/
http://www.systemoutprintln.de/
http://twitter.com/BenediktRitter
http://github.com/britter

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message