From commits-return-49209-archive-asf-public=cust-asf.ponee.io@subversion.apache.org Sat Aug 25 23:18:52 2018 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id A2607180654 for ; Sat, 25 Aug 2018 23:18:51 +0200 (CEST) Received: (qmail 47147 invoked by uid 500); 25 Aug 2018 21:18:50 -0000 Mailing-List: contact commits-help@subversion.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@subversion.apache.org Delivered-To: mailing list commits@subversion.apache.org Received: (qmail 47050 invoked by uid 99); 25 Aug 2018 21:18:50 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd4-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 25 Aug 2018 21:18:50 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd4-us-west.apache.org (ASF Mail Server at spamd4-us-west.apache.org) with ESMTP id A6390C06D5 for ; Sat, 25 Aug 2018 21:18:49 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd4-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -2.412 X-Spam-Level: X-Spam-Status: No, score=-2.412 tagged_above=-999 required=6.31 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=disabled Authentication-Results: spamd4-us-west.apache.org (amavisd-new); dkim=pass (2048-bit key) header.d=posteo.de Received: from mx1-lw-eu.apache.org ([10.40.0.8]) by localhost (spamd4-us-west.apache.org [10.40.0.11]) (amavisd-new, port 10024) with ESMTP id DAyLKMLMBOTG for ; Sat, 25 Aug 2018 21:18:47 +0000 (UTC) Received: from mout02.posteo.de (mout02.posteo.de [185.67.36.66]) by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with ESMTPS id 2D1395F358 for ; Sat, 25 Aug 2018 21:18:47 +0000 (UTC) Received: from submission (posteo.de [89.146.220.130]) by mout02.posteo.de (Postfix) with ESMTPS id 9E2462108F for ; Sat, 25 Aug 2018 23:18:46 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.de; s=2017; t=1535231926; bh=d3hHz2TO3gDJXaiua/RuWEQND8RjccGKphL+laDvyDI=; h=Subject:To:Cc:From:Date:From; b=Q+CiiV4c7MPiuwO+iFijB+RMweDvlH426HPhI9Jq+z6/iRjMvQmST+uiOWsHvgsR2 RNILSa3KycLno295tzkQXG278DDDzNyBEf4jM9vpRSwgUKqdbIjxwB07D/awqKD7tE tjdHXajXV+lx1moxlqQ4qc7sOsVGRBfvAT+quwUEBDwx4KjgRnJXU1az2/Xv5aih3w R+G2stuKtHl6R2k244L5LGF9Rr4yqJHrs9mTZ5FkSTrd4r0JFTiT+wLGsDuN6ahpVP cOzRG03i2ERPIX+7XXb4v7sUTJIeb19cyDhVwpkNbaFUCRc0JYQrPT4Utwp4rh+Hez QdT2Dr5KgWgHQ== Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 41yWGs61zfz9rxF; Sat, 25 Aug 2018 23:18:45 +0200 (CEST) Subject: Re: svn commit: r1838746 - /subversion/site/staging/download.html To: dev@subversion.apache.org Cc: commits@subversion.apache.org, sebb@apache.org References: <20180823180131.C74633A0102@svn01-us-west.apache.org> <7f4068b2-9c42-ca00-dc8d-4c15692746ea@posteo.de> From: Stefan Message-ID: Date: Sat, 25 Aug 2018 23:18:48 +0200 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms020504040003050705040409" This is a cryptographically signed message in MIME format. --------------ms020504040003050705040409 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Content-Language: en-US On 25/08/2018 18:06, sebb AT ASF wrote: > On 25 August 2018 at 13:44, Stefan wrote: >> On 25/08/2018 14:37, Stefan wrote: >>> On 23/08/2018 20:01, sebb@apache.org wrote: >>>> Author: sebb >>>> Date: Thu Aug 23 18:01:30 2018 >>>> New Revision: 1838746 >>>> >>>> URL: http://svn.apache.org/viewvc?rev=3D1838746&view=3Drev >>>> Log: >>>> SVN-4736 - fix gpg command >>>> >>>> Modified: >>>> subversion/site/staging/download.html >>>> >>>> Modified: subversion/site/staging/download.html >>>> URL: http://svn.apache.org/viewvc/subversion/site/staging/download.h= tml?rev=3D1838746&r1=3D1838745&r2=3D1838746&view=3Ddiff >>>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D >>>> --- subversion/site/staging/download.html (original) >>>> +++ subversion/site/staging/download.html Thu Aug 23 18:01:30 2018 >>>> @@ -253,7 +253,7 @@ Other mirrors: >>>> or
>>>> >>>> % gpg --import subversion.asc
>>>> -% gpg --verify subversion-[version].tar.gz.asc >>>> +% gpg --verify subversion-[version].tar.gz.asc subversion-[version]= =2Etar.gz >>> Testing GPG locally (2.2.8 - Windows 10 - bundled version with Gpg4Wi= n >>> 3.1.2) running the command w/o specifying the filename of the gz arch= ive >>> works fine: >>> "gpg: assuming signed data in 'subversion-1.10.2.tar.bz2' [...]" >>> >>> Is this command problematic with older GPG versions? If not, why not >>> keep the command as short as possible and rely on the default resolut= ion >>> of the archive name? >> Just saw the referenced SVN issue with the link which gives the missin= g >> rational for that change. Thanks for that (should have spotted it befo= re >> replying). For the record: > Would it be useful to link to the explanation from the download page? I would not think so. The target audience of that article is primarily the user who's downloading the package. We'd provide him with proper details about how to verify the download, but anything which explains the rational behind how the tech side of the verification works and why the command should be written the way it's presented in the example would be out of scope for that page, IMO. The rational why something was done the way it was should be in the log (and there it's already present via the Jira issue link). > >> "If the release file is omitted, GPG will only check the signature >> against the release file if the signature is a detached signature. If >> the .asc file is a self-contained signed file, GPG will only check tha= t, >> and will not verify the release. (This should not happen if the >> signature file was downloaded from an ASF server, but it is safer to >> always specify the release filename)" [1] >> >> That said, +1 on that change. Feel free to merge it to publish. >> >> [1] https://www.apache.org/info/verification.html#CheckingSignatures >>>>

>>>> >>>>

Alternatively, you can verify the checksums on the >>>> >> Regards, >> Stefan >> Regards, Stefan --------------ms020504040003050705040409 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCC DZUwggY0MIIEHKADAgECAgMCoF8wDQYJKoZIhvcNAQENBQAwVDEUMBIGA1UEChMLQ0FjZXJ0 IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0 IENsYXNzIDMgUm9vdDAeFw0xNjExMjIwMTAxMDdaFw0xODExMjIwMTAxMDdaMIHGMRQwEgYD VQQDEwtTdGVmYW4gSGV0dDEhMB8GCSqGSIb3DQEJARYSbHVrZTE0MTBAcG9zdGVvLmRlMSQw IgYJKoZIhvcNAQkBFhVzdGVmYW4uaGV0dEBwb3N0ZW8uZGUxIjAgBgkqhkiG9w0BCQEWE2x1 a2UxNDEwQGFwYWNoZS5vcmcxHjAcBgkqhkiG9w0BCQEWD2x1a2UxNDEwQGdteC5kZTEhMB8G CSqGSIb3DQEJARYSc3RlZmFuLmhldHRAZ214LmRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A MIIBCgKCAQEA0AmXHMqQ6uBpPpYdH5Fm1VKM1s8MUWy1OYSAZ+JnuBXfD1Yicmh4qrz96+Ra Nod/YJN5aJbQRUb0l/zS/YGhSCpTJWu91fUqU7/2juwmwSUzd83x9VbfjunxGyRvDpIva5CE wUV5PSUT4zY0IssYlYk0CBS0s+3wSTyqxaed1B0mifYbohxpXNtjZWSiWqiLbiXn9xZSWRG5 W3sR5JLN0oU5d/fC+Ldg6LgPgtp2Z2iZfzdQ6MFM6jKFEbH5GvYywm6mJ7DgI+X+X2cCUW9a iMTMz4hQxpUx041syOVmz2YPyzsli1cf2a5FDagwTsENplSRcy6QyH6Hg7xBe+RcAQIDAQAB o4IBmjCCAZYwDAYDVR0TAQH/BAIwADBWBglghkgBhvhCAQ0ESRZHVG8gZ2V0IHlvdXIgb3du IGNlcnRpZmljYXRlIGZvciBGUkVFIGhlYWQgb3ZlciB0byBodHRwOi8vd3d3LkNBY2VydC5v cmcwDgYDVR0PAQH/BAQDAgOoMEAGA1UdJQQ5MDcGCCsGAQUFBwMEBggrBgEFBQcDAgYKKwYB BAGCNwoDBAYKKwYBBAGCNwoDAwYJYIZIAYb4QgQBMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEF BQcwAYYWaHR0cDovL29jc3AuY2FjZXJ0Lm9yZzA4BgNVHR8EMTAvMC2gK6AphidodHRwOi8v Y3JsLmNhY2VydC5vcmcvY2xhc3MzLXJldm9rZS5jcmwwbgYDVR0RBGcwZYESbHVrZTE0MTBA cG9zdGVvLmRlgRVzdGVmYW4uaGV0dEBwb3N0ZW8uZGWBE2x1a2UxNDEwQGFwYWNoZS5vcmeB D2x1a2UxNDEwQGdteC5kZYESc3RlZmFuLmhldHRAZ214LmRlMA0GCSqGSIb3DQEBDQUAA4IC AQBmyjbGw3rUtIzAXOM1DxO5oTNdzd17CHhU0dtT8AUoCR2y0yQVv95/tOSj0Hu3l5GQfDjK Norpw+efq8UzYYx07zUv0j3IU4NKuYxiQBGvIl9TJSJQ+rUgUBBUbGWqmxKduAHyRvwoJO9Z a3qqndEmetNfi0EsSrANtsJmgSP0noGbedHT44v+1Y3tsgKhdD18uLgDLMWbBy3kZiKxvzQ0 b2NsWS1frTbxPMZSPoLWooCuuvqnqMlUkG0CQ5+VGSe17JOHSVClIB/dj1YLabAbOMbjbUM7 KqMNatRbOGquX+4oqlDkRBym/RTPsc9/9E9t6/OfikUQkYwdRm8+1d3INIr+uA7ZzoBo/b+i jDC1iZlkMkKqcieHXYvCCc9Mym4gtp7Xe48SRGgbhUbx66d/RYobPuxEojpmMlBCiP0C/VM8 atNcA2pATnxJj1yE1C+LRItggHlp7O/BOeYbJXnUcY7Di6t2u/eslvhrX6hJEi2yONo+N89o dZNNZLuZB8+3MjJS8LaBXSC9sggisdGZgBdjNgm7vek3guufjpVLsNQRxRWD1mYjyOKfVMlS TDitDHMZsV6kPAf9HRd2ZafB6pYCabcCemwwk/IqJ/zkwzpk8rDkqZ3uRc2eP1Mkz2rb7F83 FF4EhIIcJxfMX4EDqWwih+Dhc34n4ed65yn1DDCCB1kwggVBoAMCAQICAwpBijANBgkqhkiG 9w0BAQsFADB5MRAwDgYDVQQKEwdSb290IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2Vy dC5vcmcxIjAgBgNVBAMTGUNBIENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0B CQEWEnN1cHBvcnRAY2FjZXJ0Lm9yZzAeFw0xMTA1MjMxNzQ4MDJaFw0yMTA1MjAxNzQ4MDJa MFQxFDASBgNVBAoTC0NBY2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5v cmcxHDAaBgNVBAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwggIiMA0GCSqGSIb3DQEBAQUAA4IC DwAwggIKAoICAQCrSTURSHzSJn5TlM9Dqd0o10Iqi/OHeBlYfA+e2ol94fvrcpANdKGWZKuf oCSZc9riVXbHF3v1BKxGuMO+f2SNEGwk82GcwPKQ+lHm9WkBY8MPVuJKQs/iRIwlKKjFeQl9 RrmK8+nzNCkIReQcn8uUBByBqBSzmGXEQ+xOgo0J0b2qW42S0OzekMV/CsLj6+YxWl50Ppcz WejDAz1gM7/30W9HxM3uYoNSbi4ImqTZFRiRpoWSR7CuSOtttyHshRpocjWr//AQXcD0lKdq 1TuSfkyQBX6TwSyLpI5idBVxbgtxA+qvFTia1NIFcm+M+SvrWnIl+TlG43IbPgTDZCciECqK T1inA62+tC4T7V2qSNfVfdQqe1z6RgRQ5MwOQluM7dvyz/yWk+DbETZUYjQ4jwxgmzuXVjit 89Jbi6Bb6k6WuHzX1aCGcEDTkSm3ojyt9Yy7zxqSiuQ0e8DYbF/pCsLDpyCaWt8sXVJcukfV m+8kKHA4IC/VfynAskEDaJLM4JzMl0tF7zoQCqtwOpiVcK01seqFK6QcgCExqa5geoAmSAC4 AcCTY1UikTxW56/bOiXzjzFU6iaLgVn5odFTEcV7nQP2dBHgbbEsPyyGkZlxmqZ3izRg0RS0 LKydr4wQ05/EavhvE/xzWfdmQnQeiuP43NJvmJzLR5iVQAX76QIDAQABo4ICDTCCAgkwHQYD VR0OBBYEFHWocWBMiBPweNmJd7VtxYnfvLF6MIGjBgNVHSMEgZswgZiAFBa1MhvUx/Pg5o7z vdKwOu6yORjRoX2kezB5MRAwDgYDVQQKEwdSb290IENBMR4wHAYDVQQLExVodHRwOi8vd3d3 LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNBIENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkq hkiG9w0BCQEWEnN1cHBvcnRAY2FjZXJ0Lm9yZ4IBADAPBgNVHRMBAf8EBTADAQH/MF0GCCsG AQUFBwEBBFEwTzAjBggrBgEFBQcwAYYXaHR0cDovL29jc3AuQ0FjZXJ0Lm9yZy8wKAYIKwYB BQUHMAKGHGh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZy9jYS5jcnQwSgYDVR0gBEMwQTA/BggrBgEE AYGQSjAzMDEGCCsGAQUFBwIBFiVodHRwOi8vd3d3LkNBY2VydC5vcmcvaW5kZXgucGhwP2lk PTEwMDQGCWCGSAGG+EIBCAQnFiVodHRwOi8vd3d3LkNBY2VydC5vcmcvaW5kZXgucGhwP2lk PTEwMFAGCWCGSAGG+EIBDQRDFkFUbyBnZXQgeW91ciBvd24gY2VydGlmaWNhdGUgZm9yIEZS RUUsIGdvIHRvIGh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZzANBgkqhkiG9w0BAQsFAAOCAgEAKSiF rkSpua+keRPwqKMrl2DzXO7jL8H24magEa42Nzp2FQRT6kL1+erAFdimgtnkYa5yCylckEPo QbLhd9sCE0R4R1WvWPzMmPZFudEg+NghB/5tqnPUs8YH6QmFzDvytr4sHCXVcYw5tS7qvhiB urCTuA/j5tcmjDFacgOEUuam9TMiRQrICw2KuDZvkAmhq73X1U4ucaLUrvqnVCvrNY1at1SI L+50n+1IFsoNSNCU06ykovYk35LjvetDQJFuHBiOVrSCEvOpk5/UvJytnHXuWpcbled0LRwP sCyXn/upMzl65wM6ko4i9owN5Nl+DXYY9wH575aWolVzwDxxtB0aVkO3wwqNcvziEAkLQc6M lKD5A/1xc0uKVzPljnR+FQEA5sxKHOd/lRktxaUMi7u17YWzXNPfuLnyyscNARSscFjFjI0z 1J1moxpQlSP8SOAGQxLZzaeGOS82cqOAEOTh89HLWxrA5ICafBNzBk/bo2skCrqzHLxKeLvl 43U4pUinoh6vdtRe9ziGVlqJztbDp3myUqDG8YW0JYzyP5azENmNbFc7n2+GOhiCIjbIsJE4 2yqhk6qEP/UnZa5z1cjV03fqS53HQbvHwOOgP+R9pI1z5hJL36Fzc3M6gOjVy44vy+oTp9ZB i6z6PInXJPVOtOBhkrfzN5jEvpajt4oxggM7MIIDNwIBATBbMFQxFDASBgNVBAoTC0NBY2Vy dCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5vcmcxHDAaBgNVBAMTE0NBY2Vy dCBDbGFzcyAzIFJvb3QCAwKgXzANBglghkgBZQMEAgEFAKCCAbEwGAYJKoZIhvcNAQkDMQsG CSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTgwODI1MjExODQ4WjAvBgkqhkiG9w0BCQQx IgQg+ThblgAsCQDMFgJQl97auw3kZZZkuUSe763dygcYnowwagYJKwYBBAGCNxAEMV0wWzBU MRQwEgYDVQQKEwtDQWNlcnQgSW5jLjEeMBwGA1UECxMVaHR0cDovL3d3dy5DQWNlcnQub3Jn MRwwGgYDVQQDExNDQWNlcnQgQ2xhc3MgMyBSb290AgMCoF8wbAYJKoZIhvcNAQkPMV8wXTAL BglghkgBZQMEASowCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDAN BggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDBsBgsqhkiG9w0BCRACCzFd oFswVDEUMBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0 Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdAIDAqBfMA0GCSqGSIb3DQEBAQUA BIIBAEkYNOx+kYG3y4DzKcpM5zH8QdPkQRcINmZoTEkP7ZeK9qEWx29uHlOr5JSdyVuTH3Tp B+n8aqOpyvBIoPmeNJNQosoDniuTlQfg/HpQckoDwtGnTI8leZss8E2HPFNyvMwil/n8f/Je xq8pAma71Ch/h7elHoBBC8K8SiLAGrPFproAw/foFJ3mv+hVXwAhVJ2TLxE8xT7OgVgoRxge Qe8xP8e3xwvJqGRI3mTNlHUQuv4U2OgYjgXmXIwDU6/aCmvmIFtBLhZRRauUKNfnK1pQWlNv mH/2iK3jvfJSVVDYML4h8w4PHgXOlIEbO56WS3IdX7skgS6LOAqvBmcZn04AAAAAAAA= --------------ms020504040003050705040409--