directory-dev mailing list archives

From "Emmanuel Lecharny (JIRA)" <directory-...@incubator.apache.org>
Subject [jira] Created: (DIR-223) Add some info on download to suggest users to verify the downloaded signature
Date Wed, 12 Sep 2007 16:52:32 GMT
Add some info on download to suggest users to verify the downloaded signature
-----------------------------------------------------------------------------

                 Key: DIR-223
                 URL: https://issues.apache.org/jira/browse/DIR-223
             Project: Directory
          Issue Type: Task
            Reporter: Emmanuel Lecharny
            Assignee: Alex Karasulu
            Priority: Blocker


As pointed out by Stefano:
Not related to Google Analytics, but I cannot see anywhere a place where
you suggest users to verify their downloads (and links to the PGP/MD5
files) and maybe you can fix this while you're there.

Here is the text we use in Apache JAMES:
--------------
Use the links below to download the Apache JAMES Mail Server from one of
our mirrors. You *must* verify the integrity of the downloaded files
using signatures downloaded from our main distribution directory.
----------------------
Then "verify the integrity" points to this paragraph:
-------------------------
Verify the integrity of the files
It is essential that you verify the integrity of the downloaded files
using the PGP or MD5 signatures. The PGP signatures can be verified
using PGP or GPG. First download the KEYS as well as the asc signature
file for the particular distribution. Make sure you get these files from
the main distribution directory, rather than from a mirror. Then verify
the signatures using
% pgpk -a KEYS
% pgpv james-version.tar.gz.asc
or
% pgp -ka KEYS
% pgp james-version.tar.gz.asc
or
% gpg --import KEYS
% gpg --verify james-version.tar.gz.asc
-------------------------------

Also make sure you provide the MD5 and PGP links to the official main
ASF distribution site (www.apache.org/dist/).

As far as I know ASF *requires* signing for releases and strongly
suggests to "incentivate" users to verify downloads.


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
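
The quoted text names MD5 files beside the PGP signatures but gives commands only for PGP. As an added example (not part of the original message or of any Apache project's code), this Python code checks a download against its `.md5` file; the four sidecar layouts it accepts and the sample file contents are assumptions. An MD5 match shows only that the transfer was not corrupted, so it accompanies the `gpg --verify` step rather than replacing it.

```python
import hashlib
import os
import re
import tempfile

HEX32 = re.compile(r"[0-9a-fA-F]{32}")

def md5_of_file(path, chunk_size=65536):
    """Hash in chunks so a large release archive is never held in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_md5_sidecar(text):
    """Return the lower-case digest from the first line of a .md5 file.
    Assumed layouts: bare digest; md5sum ("<digest>  name", "<digest> *name");
    BSD ("MD5 (name) = <digest>"); gpg --print-md ("name: D4 1D 8C ...").
    """
    lines = text.strip().splitlines()
    line = lines[0].strip() if lines else ""
    first = line.split(None, 1)[0] if line else ""
    if HEX32.fullmatch(first):              # bare digest or md5sum layout
        return first.lower()
    for sep in ("=", ":"):                  # BSD layout, then gpg layout
        if sep in line:
            tail = re.sub(r"\s+", "", line.rsplit(sep, 1)[1])
            if HEX32.fullmatch(tail):
                return tail.lower()
    raise ValueError("no MD5 digest found in sidecar text")

def verify_md5(archive_path, sidecar_text):
    # True only if the archive hashes to the digest the sidecar states.
    return md5_of_file(archive_path) == parse_md5_sidecar(sidecar_text)

def demo():
    """Constructed sample: a stand-in archive and a gpg-style sidecar for it."""
    payload = b"constructed stand-in for james-version.tar.gz\n"
    spaced = " ".join(re.findall("..", hashlib.md5(payload).hexdigest().upper()))
    with tempfile.TemporaryDirectory() as tmp:
        archive = os.path.join(tmp, "james-version.tar.gz")
        with open(archive, "wb") as fh:
            fh.write(payload)
        good = verify_md5(archive, "james-version.tar.gz: " + spaced + "\n")
        with open(archive, "ab") as fh:     # simulate a damaged download
            fh.write(b"\x00")
        return good, verify_md5(archive, "james-version.tar.gz: " + spaced)

if __name__ == "__main__":
    print(demo())                           # (True, False)
```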

