httpd-docs mailing list archives

From Erik Abele <e...@codefaktor.de>
Subject Re: cvs commit: httpd-2.0/docs/manual install.xml install.xml.de install.html.en install.html.de
Date Mon, 16 Dec 2002 23:03:05 GMT
kess@apache.org wrote:
> kess        2002/12/16 12:56:17
> 
>   Modified:    docs/manual Tag: APACHE_2_0_BRANCH install.xml
>                         install.xml.de install.html.en install.html.de
>   Log:
>   - make sure, see also titles match with linked document titles
>   - remove notes about alpha and beta releases
>   - update download links to the mirror page
>   
...
>    <section id="download"><title>Download</title>
>    
>        <p>Apache can be downloaded from the <a
>   -    href="http://www.apache.org/dist/httpd/">Apache Software
>   -    Foundation download site</a> or from a <a
>   -    href="http://www.apache.org/dyn/closer.cgi/httpd/">nearby
>   -    mirror</a>.</p>

+1 on encouraging people to download from the mirrors, but IMO we 
shouldn't hide the main distribution directory too much. Especially for 
sensitive data, we should ensure that the people can get them directly; 
see comments below...

>   -
>   -    <p>Version numbers that end in <code>alpha</code> indicate
>   -    early pre-test versions which may or may not work. Version
>   -    numbers ending in <code>beta</code> indicate more reliable
>   -    releases that still require further testing or bug fixing. If
>   -    you wish to download the best available production release of
>   -    the Apache HTTP Server, you should choose the latest version
>   -    with neither <code>alpha</code> nor <code>beta</code>
in its
>   -    filename.</p>
>   +    href="http://httpd.apache.org/download.cgi">Apache HTTP Server
>   +    download site</a> which lists several mirrors. You'll find here
>   +    the latest stable release.</p>
>    

+1 on removing the notes about alpha and beta releases, this really 
wasn't very helpful for the end-user.

>        <p>After downloading, especially if a mirror site is used, it
>        is important to verify that you have a complete and unmodified
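
Review bot: In the added lines of the Download paragraph, the only remaining link is http://httpd.apache.org/download.cgi, which the new text itself describes as a page that "lists several mirrors", and the direct link to http://www.apache.org/dist/httpd/ is dropped. The following paragraph still stresses verification "especially if a mirror site is used", so I would keep a link to the main distribution directory next to the mirror page. The wording "You'll find here the latest stable release" would also read better as "The latest stable release is listed there."
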
>   @@ -164,10 +154,10 @@
>        testing the downloaded tarball against the PGP signature. This,
>        in turn, is a two step procedure. First, you must obtain the
>        <code>KEYS</code> file from the <a

Shouldn't we link the KEYS file directly to 
http://www.apache.org/dist/httpd/KEYS? This would ensure that a) the 
user gets a 'controllable' version of this sensitive data and b) we stay 
consistent with http://httpd.apache.org/download.cgi#verify.

 >   -    href="http://www.apache.org/dist/httpd/">Apache distribution
 >   -    site</a>. (To assure that the <code>KEYS</code> file itself
has
>   -    not been modified, it may be a good idea to use a file from a
>   -    previous distribution of Apache or import the keys from a
>   +    href="http://httpd.apache.org/download.cgi">Apache HTTP
>   +    Server download site</a>, too. (To assure that the <code>KEYS</code>
>   +    file itself has not been modified, it may be a good idea to use a
>   +    file from a previous distribution of Apache or import the keys from a
>        public key server.) The keys are imported into your personal
>        key ring using one of the following commands (depending on your
>        pgp version):</p>
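
Review bot: The KEYS link in the added lines now points at download.cgi, the same mirror listing the tarball is fetched through, and the trailing ", too" makes that explicit. The parenthetical kept in this hunk is about assuring that the KEYS file "has not been modified", which is weakened when the keys and the tarball arrive through the same channel. Suggest keeping the removed href="http://www.apache.org/dist/httpd/" for the KEYS link and dropping ", too".
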
>   @@ -180,7 +170,7 @@

See above comment: we really should encourage people to use the KEYS 
file from the dist directory instead of fetching it from a mirror.

>    
>        <p>The next step is to test the tarball against the PGP
>        signature, which should always be obtained from the <a
>   -    href="http://www.apache.org/dist/httpd/">main Apache
>   +    href="http://httpd.apache.org/download.cgi">main Apache
>        website</a>. The signature file has a filename identical to the
>        source tarball with the addition of <code>.asc</code>. Then you
>        can check the distribution with one of the following commands
>   
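
Review bot: The link text "main Apache website" now targets http://httpd.apache.org/download.cgi, while the sentence around it says the signature "should always be obtained from the" main site. Earlier in this patch that page is introduced as one that lists mirrors, so the anchor text and the target no longer agree. Keep the removed href="http://www.apache.org/dist/httpd/" for this link, or reword the sentence so it names the directory the .asc file should come from.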

Also the 'main Apache website' shouldn't link to download.cgi.

Just a quote from the linked download.cgi:

'The PGP signatures can be verified using PGP or GPG. First download the 
_KEYS_ as well as the asc signature file for the particular 
distribution. Make sure you get these files from the _main distribution 
directory_, rather than from a mirror.'

_x_ = link


cheers,
erik

