You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@phoenix.apache.org by Nick Dimiduk <nd...@gmail.com> on 2015/11/14 00:16:02 UTC
Signature and checksum files in releases?
I'm looking through our past releases on a couple mirrors -- none of them
include checksum or gpg signature files. How have we gotten away with this?
Do we post these files somewhere else?
Thanks,
Nick
Re: Signature and checksum files in releases?
Posted by Nick Dimiduk <nd...@gmail.com>.
Huh. I guess that makes sense. Sorry for the noise.
On Sun, Nov 15, 2015 at 1:26 AM, Gabriel Reid <ga...@gmail.com>
wrote:
> Hi Nick,
>
> I was totally unaware of this, but apparently the signature files are
> only made available via the main distribution site(s), and
> intentionally not pushed to the mirrors (this is implied at the bottom
> of the generic ASF download page[1]). I've verified this on a few
> other projects as well. I suppose it makes more sense like this -- the
> artifacts are pushed everywhere, but the signature and checksum files
> are only served via a limited set of (possibly more secure) servers.
>
> In any case, the checksum files do appear to be present via the main EU
> site[2].
>
> - Gabriel
>
> 1. http://www.apache.org/dyn/closer.lua/phoenix/
> 2. http://www.eu.apache.org/dist/phoenix/phoenix-4.6.0-HBase-0.98/src/
>
> On Sat, Nov 14, 2015 at 12:16 AM, Nick Dimiduk <nd...@gmail.com> wrote:
> > I'm looking through our past releases on a couple mirrors -- none of them
> > include checksum or gpg signature files. How have we gotten away with
> this?
> > Do we post these files somewhere else?
> >
> > Thanks,
> > Nick
>
Re: Signature and checksum files in releases?
Posted by Gabriel Reid <ga...@gmail.com>.
Hi Nick,
I was totally unaware of this, but apparently the signature files are
only made available via the main distribution site(s), and
intentionally not pushed to the mirrors (this is implied at the bottom
of the generic ASF download page[1]). I've verified this on a few
other projects as well. I suppose it makes more sense like this -- the
artifacts are pushed everywhere, but the signature and checksum files
are only served via a limited set of (possibly more secure) servers.
In any case, the checksum files do appear to be present via the main EU site[2].
- Gabriel
1. http://www.apache.org/dyn/closer.lua/phoenix/
2. http://www.eu.apache.org/dist/phoenix/phoenix-4.6.0-HBase-0.98/src/
On Sat, Nov 14, 2015 at 12:16 AM, Nick Dimiduk <nd...@gmail.com> wrote:
> I'm looking through our past releases on a couple mirrors -- none of them
> include checksum or gpg signature files. How have we gotten away with this?
> Do we post these files somewhere else?
>
> Thanks,
> Nick