Posted to notifications@groovy.apache.org by "Paul King (Jira)" <ji...@apache.org> on 2020/04/01 13:12:00 UTC

[jira] [Comment Edited] (GROOVY-9458) Missing sigs and hashes on download page

    [ https://issues.apache.org/jira/browse/GROOVY-9458?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17072734#comment-17072734 ] 

Paul King edited comment on GROOVY-9458 at 4/1/20, 1:11 PM:
------------------------------------------------------------

Well, it wouldn't be those pages. They are about releases. There are no "packages" you refer to, just a link to a third-party site. Do you know which document prohibits links to third-party artifacts? It would be the owner of that document I would need to see or perhaps branding?

All I can find is which seems to allow it:
bq. The public may also obtain Apache software from any number of downstream channels (rpm, deb, homebrew, etc.) which redistribute our releases in either original or derived form. The vast majority of such downstream channels operate independently of Apache.

So, what I am looking for is a document which prohibits us from having a link to a downstream channel. I haven't found anything yet. Branding-wise, my understanding is we should not be promoting third-party companies that might have their own distribution channel/distributions, but in this case it is open source.


was (Author: paulk):
Well, it wouldn't be those pages. They are about releases. Do you know which document prohibits links to third-party artifacts? It would be the owner of that document I would need to see or perhaps branding?

> Missing sigs and hashes on download page
> ----------------------------------------
>
>                 Key: GROOVY-9458
>                 URL: https://issues.apache.org/jira/browse/GROOVY-9458
>             Project: Groovy
>          Issue Type: Bug
>            Reporter: Sebb
>            Priority: Major
>
> The public download page includes links to several Windows installer executables.
> These have neither signatures nor hashes.
> However as per [1] 
> "All supplied packages MUST be cryptographically signed by the Release Manager with a detached signature"
> And as per [2]
> "For every artifact distributed to the public through Apache channels, the PMC ... MUST supply at least one checksum file"
> Please either remove the links or provide the required sigs and hashes.
> Thanks.
> [1] http://www.apache.org/legal/release-policy.html#release-signing 
> [2] https://www.apache.org/dev/release-distribution#sigs-and-sums



--
This message was sent by Atlassian Jira
(v8.3.4#803005)