  1. Maven
  2. MNG-6421

Please add a signature to apache downloads

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Cannot Reproduce
    • None
    • None
    • General
    • None

    Description

      While trying to fix the Maven download in the Apache Bigtop toolchain:

      There seems to be no way to verify the integrity of the Maven releases at Apache and their mirrors.

      Download from www.apache.org/dist is discouraged for larger files from INFRA. The download links are either not secure or not on the same trust level as https://www.apache.org.

      I would recommend having an https:// link to a GnuPG file signature (asc) which can be downloaded from www.apache.org/dist (please see Ant as an example).

      Signatures should be provided for both source and binaries.

      Please correct me if there is a different way to either have a secure and trusted download or a way to automatically verify.

          People

            Assignee: Unassigned
            Reporter: Olaf Flebbe (oflebbe)