xmlgraphics-general mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 47173] No links to file hashes or KEYS on download page
Date Wed, 11 Apr 2012 02:38:25 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=47173

--- Comment #5 from Glenn Adams <gadams@apache.org> 2012-04-11 02:38:25 UTC ---
(In reply to comment #4)
> (In reply to comment #3)
> > my apologies, i posted the wrong link; if you follow link [2] in the link I did
> > post [1]:
> > 
> > [1] http://xmlgraphics.apache.org/commons/download.html
> > 
> > Source ("-src") and binary ("-bin") distributions can be downloaded from an
> > Apache XML Graphics Commons Distribution Mirror [2].
> > 
> > [2] http://www.apache.org/dyn/closer.cgi/xmlgraphics/commons
> > 
> > you will land at a page that (1) lists download mirrors and (2) contains a
> > section "Verify the integrity of the files"
> 
> OK
> 
> > if you pick a download mirror, say [3], then you will find binaries [4] and
> > source [5] directories containing signatures and hashes, and also a file
> > containing keys [6]
> 
> [3] is *not a mirror*

ok, it's the main distribution site

> An example mirror site is [3a]. The corresponding binaries [4a] and source [5a]
> pages don't include hashes.
> 
> There is a KEYS file at [6a] but [1] says to download KEYS from the ASF.
> 
> [3a] http://mirrors.ukfast.co.uk/sites/ftp.apache.org/xmlgraphics/commons/
> [4a]
> http://mirrors.ukfast.co.uk/sites/ftp.apache.org/xmlgraphics/commons/binaries
> [5a]
> http://mirrors.ukfast.co.uk/sites/ftp.apache.org/xmlgraphics/commons/source
> [6a] http://mirrors.ukfast.co.uk/sites/ftp.apache.org/xmlgraphics/commons/KEYS

we have no control over mirror site configuration

> > [3] http://www.apache.org/dist/xmlgraphics/commons
> > [4] http://www.apache.org/dist/xmlgraphics/commons/binaries/
> > [5] http://www.apache.org/dist/xmlgraphics/commons/source/
> > [6] http://www.apache.org/dist/xmlgraphics/commons/KEYS
> > 
> > there does not need to be any more information provided in [1]; the reason is
> > clear: [1] doesn't actually make direct reference to any downloadable binary or
> > source images
> 
> Note that [1] says
> 
> "The PGP signatures can be verified using PGP or GPG. First download the KEYS
> as well as the asc signature file for the relevant distribution. Make sure you
> get these files from the main distribution site, rather than from a mirror."
> 
> This is not at all easy to do with the current download page.

sorry, it doesn't have to be easy; your original comment claimed "sigs and
hashes are a requirement for all apache projects"; i pointed you at the main
distribution site where sigs and hashes are provided; that satisfies your
claim... full stop

> Have a look at how other TLPs do it.

if you would like to propose a patch for the current download page [1], i'll
take a look at it; otherwise, i don't intend to take any other action;

i will leave this open for a week more in case you wish to post a patch; if not
received by then, this bug will be closed

thanks for your input
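
The procedure quoted from [1] in this thread (bulk download from a mirror; KEYS, the .asc signature and the hash from the main distribution site), written in Python as an added example that is not part of the message or of the project's code. The file name `example-bin.tar.gz`, the `.sha512` extension and the digest-file layout are assumptions; the two base URLs are the ones given in the thread.

```python
import hashlib
from urllib.parse import urlsplit

# Main distribution site [3] and project path, both taken from the thread.
MAIN_SITE = "http://www.apache.org/dist"
PROJECT_PATH = "/xmlgraphics/commons/"


def trusted_url(mirror_url, suffix=""):
    """Map a mirror URL to the same file on the main distribution site.

    The mirror's host and leading directories are discarded; only the part
    of the path from PROJECT_PATH onwards is kept.
    """
    path = urlsplit(mirror_url).path
    idx = path.find(PROJECT_PATH)
    if idx < 0:
        raise ValueError("not an xmlgraphics/commons URL: " + mirror_url)
    return MAIN_SITE + path[idx:] + suffix


def fetch_plan(mirror_artifact_url):
    """Only the artifact itself may come from the mirror."""
    return {
        "artifact": mirror_artifact_url,
        "signature": trusted_url(mirror_artifact_url, ".asc"),
        "digest": trusted_url(mirror_artifact_url, ".sha512"),  # assumed extension
        "keys": MAIN_SITE + PROJECT_PATH + "KEYS",
    }


def digest_matches(artifact, digest_file_text):
    """Compare SHA-512 of the bytes with the first token of a digest file.

    Assumed layout: "<hex digest>  <file name>".
    """
    tokens = digest_file_text.split()
    return bool(tokens) and hashlib.sha512(artifact).hexdigest() == tokens[0].lower()


def gpg_commands(artifact_name):
    """GnuPG invocations to run once KEYS and the .asc file are on disk."""
    return [["gpg", "--import", "KEYS"],
            ["gpg", "--verify", artifact_name + ".asc", artifact_name]]


if __name__ == "__main__":
    # Constructed file name under the mirror [3a] named in the thread.
    mirror = ("http://mirrors.ukfast.co.uk/sites/ftp.apache.org"
              "/xmlgraphics/commons/binaries/example-bin.tar.gz")
    for role, url in fetch_plan(mirror).items():
        print(role, url)
```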
