Details
- Bug
- Status: Open
- Critical
- Resolution: Unresolved
Description
The download page currently links to https://dist.apache.org/
However, that host is only intended as a staging area for use by developers.
Download pages must use the ASF mirror system for build artifacts, and must use https://www.apache.org/dist/... for KEYS, sigs and hashes.
The download page must provide public download links where current official source releases and accompanying cryptographic files may be obtained. [2]
Links to the download artifacts must support downloads from mirrors, e.g. via links to dyn/closer.
Links to metadata (SHA, ASC) must be to https://www.apache.org/dist/<project>/<release>/*
MD5 is no longer considered useful and should not be used. SHA is required.
Similarly, SHA-1 is no longer considered useful and should not be used.
SHA-512 (preferred) or SHA-256 are required for new releases. Older releases
need not be updated, may continue unchanged, and might use MD5 or SHA-1.
The KEYS link must be to https://www.apache.org/dist/<project>/KEYS
[1] http://www.apache.org/legal/release-policy.html#release-announcements
[2] https://www.apache.org/dev/release-distribution#download-links
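A download page can be checked against the link rules in this description with a small audit script. The following is an added example, not code from this issue or from the ASF; the project name `example`, the sample page, the artifact suffix list and the `audit` function are assumptions made for illustration, and relative links are treated as non-conforming.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

META_EXT = (".asc", ".sha256", ".sha512")      # signatures and accepted hashes
WEAK_EXT = (".md5", ".sha1")                   # not acceptable for new releases
ARTIFACT_EXT = (".tar.gz", ".tgz", ".zip")     # assumed artifact suffixes

class _Links(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def audit(html):
    """Return (href, finding) pairs, in page order, for links that break the rules."""
    parser = _Links()
    parser.feed(html)
    findings = []
    for href in parser.hrefs:
        u = urlparse(href)
        host, path = (u.hostname or "").lower(), u.path.lower()
        canonical = (u.scheme == "https" and host == "www.apache.org"
                     and path.startswith("/dist/"))
        if host == "dist.apache.org":
            findings.append((href, "staging host"))
        elif path.endswith(WEAK_EXT):
            findings.append((href, "weak hash"))
        elif path.endswith(META_EXT) or path.endswith("/keys"):
            if not canonical:
                findings.append((href, "metadata not on https://www.apache.org/dist/"))
        elif path.endswith(ARTIFACT_EXT) and "/dyn/closer" not in path:
            findings.append((href, "artifact not via mirror"))
    return findings

# Constructed sample page for a hypothetical project named "example".
SAMPLE = """
<a href="https://dist.apache.org/repos/dist/release/example/1.0/example-1.0.tar.gz">src</a>
<a href="https://www.apache.org/dyn/closer.lua/example/1.0/example-1.0.tar.gz">src</a>
<a href="https://www.apache.org/dist/example/1.0/example-1.0.tar.gz.sha512">sha512</a>
<a href="https://www.apache.org/dist/example/1.0/example-1.0.tar.gz.md5">md5</a>
<a href="http://www.apache.org/dist/example/KEYS">KEYS</a>
<a href="https://www.apache.org/dist/example/KEYS">KEYS</a>
"""

if __name__ == "__main__":
    for href, finding in audit(SAMPLE):
        print(f"{finding}: {href}")
```

MD5 and SHA-1 links are flagged unconditionally here; for older releases, which the policy allows to remain unchanged, such findings can be ignored.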