Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Cannot Reproduce
-
None
-
None
-
None
Description
While trying to fix maven download in the Apache Bigtop toolchain:
There seems to be no way to verify the integrity of the Maven releases at apache and their mirrors.
Download from www.apache.org/dist is discouraged for larger files from INFRA. The download links are either not secure or not on the same trustlevel as https://www.apache.org
I would recommend to have a https:// link to a gnupg file signature (asc) which can be downloaded from www.apache.org/dist (Please see ant as an example).
Signatures should be provided for both source and binaries.
Please correct me if there is a different way to either have an secure and trusted download or a way to automatically verify.