You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@subversion.apache.org by "Sebb (JIRA)" <ji...@apache.org> on 2018/08/23 14:28:00 UTC

[jira] [Commented] (SVN-4736) Download page issues

    [ https://issues.apache.org/jira/browse/SVN-4736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16590301#comment-16590301 ] 

Sebb commented on SVN-4736:
---------------------------

The inline hashes have been removed, however the gpg command has not been updated

> Download page issues
> --------------------
>
>                 Key: SVN-4736
>                 URL: https://issues.apache.org/jira/browse/SVN-4736
>             Project: Subversion
>          Issue Type: Bug
>         Environment: http://subversion.apache.org/download.cgi
>            Reporter: Sebb
>            Priority: Minor
>
> The download page has links to sigs and SHA-512 hashes. These use https, which is good.
> However the page also contains inline SHA1 hashes. These are not necessarily protected by https. There are SHA1 hashes in the distribution area; it would be best to link to those instead.
> The description for verifying hashes does not mention how to check an SHA-512 hash.
> The gpg command should read:
> gpg --verify subversion-1.10.0.tar.gz.asc  subversion-1.10.0.tar.gz
> i.e. both the detached sig and the artifact itself should be specified.
> See: https://www.apache.org/info/verification.html#CheckingSignatures



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)