directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Emmanuel Lecharny (JIRA)" <directory-...@incubator.apache.org>
Subject [jira] Resolved: (DIR-223) Add some info on download to suggest users to verify the downloaded signature
Date Tue, 02 Sep 2008 11:25:44 GMT

     [ https://issues.apache.org/jira/browse/DIR-223?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Emmanuel Lecharny resolved DIR-223.
-----------------------------------

    Resolution: Fixed

Some documentation has been added on each download page, on our web site.

> Add some info on download to suggest users to verify the downloaded signature
> -----------------------------------------------------------------------------
>
>                 Key: DIR-223
>                 URL: https://issues.apache.org/jira/browse/DIR-223
>             Project: Directory
>          Issue Type: Task
>            Reporter: Emmanuel Lecharny
>            Assignee: Alex Karasulu
>            Priority: Blocker
>
> As pointed out by Stefano :
> Not related to Google Analytics, but I cannot see anywhere a place where
> you suggest users to verify their downloads (and links to the PGP/MD5
> files) and maybe you can fix this while you're there.
> here is the text we use in Apache JAMES:
> --------------
> Use the links below to download the Apache JAMES Mail Server from one of
> our mirrors. You *must* verify the integrity of the downloaded files
> using signatures downloaded from our main distribution directory.
> ----------------------
> Then verify the integrity points to this paragraph:
> -------------------------
> Verify the integrity of the files
> It is essential that you verify the integrity of the downloaded files
> using the PGP or MD5 signatures. The PGP signatures can be verified
> using PGP or GPG. First download the KEYS as well as the asc signature
> file for the particular distribution. Make sure you get these files from
> the main distribution directory, rather than from a mirror. Then verify
> the signatures using % pgpk -a KEYS
> % pgpv james-version.tar.gz.asc
> or
> % pgp -ka KEYS
> % pgp james-version.tar.gz.asc
> or
> % gpg --import KEYS
> % gpg --verify james-version.tar.gz.asc
> -------------------------------
> Also make sure you provide the MD5 and PGP links to the official main
> ASF distribution site (www.apache.org/dist/).
> As far as I know ASF *requires* signing for releases and strongly
> suggest to "incentivate" users to verify downloads.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message