You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@subversion.apache.org by "Sebb (JIRA)" <ji...@apache.org> on 2018/08/23 14:28:00 UTC
[jira] [Commented] (SVN-4736) Download page issues
[ https://issues.apache.org/jira/browse/SVN-4736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16590301#comment-16590301 ]
Sebb commented on SVN-4736:
---------------------------
The inline hashes have been removed, however the gpg command has not been updated
> Download page issues
> --------------------
>
> Key: SVN-4736
> URL: https://issues.apache.org/jira/browse/SVN-4736
> Project: Subversion
> Issue Type: Bug
> Environment: http://subversion.apache.org/download.cgi
> Reporter: Sebb
> Priority: Minor
>
> The download page has links to sigs and SHA-512 hashes. These use https, which is good.
> However the page also contains inline SHA1 hashes. These are not necessarily protected by https. There are SHA1 hashes in the distribution area; it would be best to link to those instead.
> The description for verifying hashes does not mention how to check an SHA-512 hash.
> The gpg command should read:
> gpg --verify subversion-1.10.0.tar.gz.asc subversion-1.10.0.tar.gz
> i.e. both the detached sig and the artifact itself should be specified.
> See: https://www.apache.org/info/verification.html#CheckingSignatures
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)