forrest-svn mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject svn commit: rev 23043 - forrest/trunk/src/documentation/content/xdocs
Date Mon, 19 Jul 2004 00:28:36 GMT
Author: brondsem
Date: Sun Jul 18 17:28:35 2004
New Revision: 23043

differentiate between PGP and MD5 verification; link to the SVN KEYS file (if a mirror gets
compromised, we can't trust the mirror's KEYS file

Modified: forrest/trunk/src/documentation/content/xdocs/mirrors.ihtml
--- forrest/trunk/src/documentation/content/xdocs/mirrors.ihtml	(original)
+++ forrest/trunk/src/documentation/content/xdocs/mirrors.ihtml	Sun Jul 18 17:28:35 2004
@@ -99,13 +99,15 @@
 <h1><a name="verify" />Verify releases</h1>
 <p>It is essential that you verify the integrity of the downloaded
-files using the PGP or MD5 signatures.</p>
+files using the PGP and MD5 signatures.  MD5 verification ensures the
+file was not corrupted during the download process.  PGP verification
+ensures that the file came from a certain person.</p>
 <p>The PGP signatures can be verified using
 <a href="">PGP</a> or
 <a href="">GPG</a>.
 First download the Forrest
-<a href="">KEYS</a>
+<a href="">KEYS</a>
 as well as the <code>asc</code> signature file for the particular
 distribution. It is important that you get these files from the ultimate
 trusted source - the main ASF distribution site, rather than from a mirror.
@@ -126,8 +128,8 @@
 % gpg --verify apache-forrest-0.5.1-src.tar.gz.asc
-<p>Alternatively, you can verify the MD5 signature on the files.  A
-unix program called <code>md5</code> or <code>md5sum</code> is
+<p>To verify the MD5 signature on the files, you need to use a program
+called <code>md5</code> or <code>md5sum</code>, which is
 included in many unix distributions.  It is also available as part of
 <a href="">GNU
 Textutils</a>.  Windows users can get binary md5 programs from <a
@@ -135,7 +137,7 @@
 href="">here</a>, or
 <a href="">here</a>.</p>
-<p>We strongly recommend to verify the signature.</p>
+<p>We strongly recommend you verify your downloads with both PGP and MD5.</p>

View raw message