maven-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Olaf Flebbe (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (MNG-6421) Please add a signature to apache downloads
Date Thu, 31 May 2018 21:32:00 GMT

    [ https://issues.apache.org/jira/browse/MNG-6421?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16497214#comment-16497214
] 

Olaf Flebbe commented on MNG-6421:
----------------------------------

Thanks for fixing the site! Now everything works as expected.

> Please add a signature to apache downloads
> ------------------------------------------
>
>                 Key: MNG-6421
>                 URL: https://issues.apache.org/jira/browse/MNG-6421
>             Project: Maven
>          Issue Type: Bug
>          Components: General
>            Reporter: Olaf Flebbe
>            Priority: Major
>
> While trying to fix maven download in the Apache Bigtop toolchain:
> There seems to be no way to verify the integrity of the Maven releases at apache and
their mirrors.
> Download from [www.apache.org/dist|http://www.apache.org/dist] is discouraged for larger
files from INFRA. The download links are either not secure or not on the same trustlevel as
https://www.apache.org
> I would recommend to have a https:// link to a gnupg file signature (asc) which can
be downloaded from   [www.apache.org/dist|http://www.apache.org/dist]  (Please see ant as
an example).
> Signatures should be provided for both source and binaries.
> Please correct me if there is a different way to either have an secure and trusted download
or a way to automatically verify.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message