You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@knox.apache.org by "Sebb (JIRA)" <ji...@apache.org> on 2018/07/31 08:34:00 UTC

[jira] [Reopened] (KNOX-1405) Download page must link to KEYS and contain verification details

     [ https://issues.apache.org/jira/browse/KNOX-1405?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sebb reopened KNOX-1405:
------------------------

There is a second reference to the KEYS file in the instructions which should be a link:

"First download the KEYS file"

Regarding the gpg verify command, it works, but it is bad practice as it is not secure:
See: https://www.apache.org/info/verification.html#CheckingSignatures

> Download page must link to KEYS and contain verification details
> ----------------------------------------------------------------
>
>                 Key: KNOX-1405
>                 URL: https://issues.apache.org/jira/browse/KNOX-1405
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Release
>            Reporter: Sebb
>            Assignee: Larry McCay
>            Priority: Major
>             Fix For: 1.1.0
>
>
> The download page
> https://cwiki.apache.org/confluence/display/KNOX/Release+1.1.0
> does not appear to contain a link to the KEYS file.
> The text "Verifying Apache HTTP Server Releases" should be a link.
> The gpg command should be:
> % gpg --verify knox-1.1.0.zip.asc knox-1.1.0.zip
> i.e. both sig and artifact need to be supplied



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)