Posted to dev@directory.apache.org by "Emmanuel Lecharny (JIRA)" <di...@incubator.apache.org> on 2007/09/12 18:52:32 UTC

[jira] Created: (DIR-223) Add some info on download to suggest users to verify the downloaded signature

Add some info on download to suggest users to verify the downloaded signature
-----------------------------------------------------------------------------

                 Key: DIR-223
                 URL: https://issues.apache.org/jira/browse/DIR-223
             Project: Directory
          Issue Type: Task
            Reporter: Emmanuel Lecharny
            Assignee: Alex Karasulu
            Priority: Blocker


As pointed out by Stefano:
Not related to Google Analytics, but I cannot see anywhere a place where
you suggest users to verify their downloads (and links to the PGP/MD5
files) and maybe you can fix this while you're there.

Here is the text we use in Apache JAMES:
--------------
Use the links below to download the Apache JAMES Mail Server from one of
our mirrors. You *must* verify the integrity of the downloaded files
using signatures downloaded from our main distribution directory.
----------------------
Then "verify the integrity" points to this paragraph:
-------------------------
Verify the integrity of the files
It is essential that you verify the integrity of the downloaded files
using the PGP or MD5 signatures. The PGP signatures can be verified
using PGP or GPG. First download the KEYS as well as the asc signature
file for the particular distribution. Make sure you get these files from
the main distribution directory, rather than from a mirror. Then verify
the signatures using
% pgpk -a KEYS
% pgpv james-version.tar.gz.asc
or
% pgp -ka KEYS
% pgp james-version.tar.gz.asc
or
% gpg --import KEYS
% gpg --verify james-version.tar.gz.asc
-------------------------------

Also make sure you provide the MD5 and PGP links to the official main
ASF distribution site (www.apache.org/dist/).

As far as I know ASF *requires* signing for releases and strongly
suggests to "incentivate" users to verify downloads.


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
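
Added example, not part of the original thread or of any Apache project's tooling: the gpg variant of the procedure quoted above, scripted so that the result is taken from gpg's machine-readable --status-fd output and only the keys in KEYS can satisfy the check. The function names and the script name verify.sh are hypothetical; KEYS and the .asc file are assumed to come from the main distribution directory.

```sh
#!/bin/sh
# Added example (not from the thread). KEYS and the .asc are assumed to have
# been fetched from the main distribution directory, not from a mirror.

# Read `gpg --status-fd` lines on stdin. Succeed, printing the signer's
# fingerprint, only for a good signature with no bad/expired/revoked status.
sig_status_ok() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" { fpr = $3 }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END {
            if (good && fpr != "" && !bad) { print fpr; exit 0 }
            exit 1
        }'
}

# verify_release FILE SIG KEYS: check detached SIG over FILE in a throwaway
# keyring holding only KEYS, so keys already in ~/.gnupg cannot satisfy it.
verify_release() {
    home=$(mktemp -d) || return 2
    gpg --homedir "$home" --batch --quiet --import "$3" 2>/dev/null &&
        gpg --homedir "$home" --batch --status-fd 1 --verify "$2" "$1" \
            2>/dev/null | sig_status_ok
    rc=$?
    rm -rf "$home"
    return "$rc"
}

# md5_matches FILE MD5FILE: MD5FILE may hold a bare digest, "digest  name"
# or "MD5 (name) = digest". This catches transfer corruption only.
md5_matches() {
    want=$(tr 'A-F' 'a-f' < "$2" | grep -Eo '[0-9a-f]{32}' | head -n 1)
    have=$(md5sum "$1" | cut -d ' ' -f 1)
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Usage: sh verify.sh FILE SIG KEYS [MD5FILE]
if [ "$#" -ge 3 ]; then
    fpr=$(verify_release "$1" "$2" "$3") || { echo "BAD signature" >&2; exit 1; }
    echo "good signature from key $fpr"
    if [ -n "$4" ]; then md5_matches "$1" "$4" || { echo "MD5 mismatch" >&2; exit 1; }; fi
fi
```

Passing both the signature and the data file to gpg --verify avoids relying on gpg to infer the data file name from the .asc name.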


[jira] Resolved: (DIR-223) Add some info on download to suggest users to verify the downloaded signature

Posted by "Emmanuel Lecharny (JIRA)" <di...@incubator.apache.org>.
     [ https://issues.apache.org/jira/browse/DIR-223?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emmanuel Lecharny resolved DIR-223.
-----------------------------------

    Resolution: Fixed

Some documentation has been added on each download page, on our web site.




[jira] Closed: (DIR-223) Add some info on download to suggest users to verify the downloaded signature

Posted by "Emmanuel Lecharny (JIRA)" <di...@incubator.apache.org>.
     [ https://issues.apache.org/jira/browse/DIR-223?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emmanuel Lecharny closed DIR-223.
---------------------------------


