  1. Maven
  2. MNG-6421

Please add a signature to apache downloads

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Cannot Reproduce
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: General
    • Labels:
      None

      Description

      While trying to fix maven download in the Apache Bigtop toolchain:

      There seems to be no way to verify the integrity of the Maven releases at apache and their mirrors.

      Download from www.apache.org/dist is discouraged for larger files from INFRA. The download links are either not secure or not on the same trust level as https://www.apache.org

      I would recommend to have a https:// link to a GnuPG file signature (asc) which can be downloaded from www.apache.org/dist (please see Ant as an example).

      Signatures should be provided for both source and binaries.

      Please correct me if there is a different way to either have a secure and trusted download or a way to automatically verify.

            People

            • Assignee:
              Unassigned
            • Reporter:
              oflebbe Olaf Flebbe
            • Votes:
              0
            • Watchers:
              4
