Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
None
-
None
Description
The download page currently links to https://dist.apache.org/ for the hashes and sigs.
However that host is only intended as a staging area for use by developers.
Please can you change the links to use the ASF webserver instead?
i.e.. change
https://dist.apache.org/repos/dist/release/...
to
https://www.apache.org/dist/...
wherever it appears.
Also the download page should use https (SSL) to link to the KEYS file:
https://www.apache.org/dist/.../KEYS
Also the following command:
$ gpg --verify apache-senssoft-useralejs-1.0.0-src.zip.asc
should read
$ gpg --verify apache-senssoft-useralejs-1.0.0-src.zip.asc apache-senssoft-useralejs-1.0.0-src.zip
i.e. both the detached sig and the artifact itself should be specified.
See: https://www.apache.org/info/verification.html#CheckingSignatures
Thanks