Posted to docs@httpd.apache.org by Erik Abele <er...@codefaktor.de> on 2002/12/17 00:03:05 UTC

Re: cvs commit: httpd-2.0/docs/manual install.xml install.xml.de install.html.en install.html.de

kess@apache.org wrote:
> kess        2002/12/16 12:56:17
> 
>   Modified:    docs/manual Tag: APACHE_2_0_BRANCH install.xml
>                         install.xml.de install.html.en install.html.de
>   Log:
>   - make sure, see also titles match with linked document titles
>   - remove notes about alpha and beta releases
>   - update download links to the mirror page
>   
...
>    <section id="download"><title>Download</title>
>    
>        <p>Apache can be downloaded from the <a
>   -    href="http://www.apache.org/dist/httpd/">Apache Software
>   -    Foundation download site</a> or from a <a
>   -    href="http://www.apache.org/dyn/closer.cgi/httpd/">nearby
>   -    mirror</a>.</p>

+1 on encouraging people to download from the mirrors, but IMO we 
shouldn't hide the main distribution directory too much. Especially for 
sensitive data, we should ensure that the people can get them directly; 
see comments below...

>   -
>   -    <p>Version numbers that end in <code>alpha</code> indicate
>   -    early pre-test versions which may or may not work. Version
>   -    numbers ending in <code>beta</code> indicate more reliable
>   -    releases that still require further testing or bug fixing. If
>   -    you wish to download the best available production release of
>   -    the Apache HTTP Server, you should choose the latest version
>   -    with neither <code>alpha</code> nor <code>beta</code> in its
>   -    filename.</p>
>   +    href="http://httpd.apache.org/download.cgi">Apache HTTP Server
>   +    download site</a> which lists several mirrors. You'll find here
>   +    the latest stable release.</p>
>    
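
Review bot: The added sentence "You'll find here the latest stable release." (the last two + lines of this hunk) has inverted word order and a vague "here", right after a clause that is about mirrors. Something like "The latest stable release is listed there." is clearer, and it would help to say that the release is listed on the download page itself rather than on the mirrors it links to.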

+1 on removing the notes about alpha and beta releases, this really 
wasn't very helpful for the end-user.

>        <p>After downloading, especially if a mirror site is used, it
>        is important to verify that you have a complete and unmodified
>   @@ -164,10 +154,10 @@
>        testing the downloaded tarball against the PGP signature. This,
>        in turn, is a two step procedure. First, you must obtain the
>        <code>KEYS</code> file from the <a

Shouldn't we link the KEYS file directly to 
http://www.apache.org/dist/httpd/KEYS? This would ensure that a) the 
user gets a 'controllable' version of this sensitive data and b) we stay 
consistent with http://httpd.apache.org/download.cgi#verify.

 >   -    href="http://www.apache.org/dist/httpd/">Apache distribution
 >   -    site</a>. (To assure that the <code>KEYS</code> file itself has
>   -    not been modified, it may be a good idea to use a file from a
>   -    previous distribution of Apache or import the keys from a
>   +    href="http://httpd.apache.org/download.cgi">Apache HTTP
>   +    Server download site</a>, too. (To assure that the <code>KEYS</code>
>   +    file itself has not been modified, it may be a good idea to use a
>   +    file from a previous distribution of Apache or import the keys from a
>        public key server.) The keys are imported into your personal
>        key ring using one of the following commands (depending on your
>        pgp version):</p>
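
Review bot: In the + lines of this hunk the KEYS link now targets download.cgi, which the first hunk introduces as a page that "lists several mirrors", and the trailing "too" only says it is the same page as the download link. The retained parenthetical warns that the KEYS file itself may have been modified, so the sentence should either link the KEYS file itself or say where on that page the file is offered, instead of leaving the reader to pick a copy.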
>   @@ -180,7 +170,7 @@

See above comment: we really should encourage people to use the KEYS 
file from the dist directory instead of fetching it from a mirror.

>    
>        <p>The next step is to test the tarball against the PGP
>        signature, which should always be obtained from the <a
>   -    href="http://www.apache.org/dist/httpd/">main Apache
>   +    href="http://httpd.apache.org/download.cgi">main Apache
>        website</a>. The signature file has a filename identical to the
>        source tarball with the addition of <code>.asc</code>. Then you
>        can check the distribution with one of the following commands
>   
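
Review bot: The link text still reads "main Apache website" and the sentence says the signature "should always be obtained from" it, but the + line points the href at download.cgi, which this same patch describes as a page listing mirrors. Either keep the old href for this one link or reword the text so it tells the reader to take the .asc file from the main site and not from the mirror chosen for the tarball.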

Also the 'main Apache website' shouldn't link to download.cgi.

Just a quote from the linked download.cgi:

'The PGP signatures can be verified using PGP or GPG. First download the 
_KEYS_ as well as the asc signature file for the particular 
distribution. Make sure you get these files from the _main distribution 
directory_, rather than from a mirror.'

_x_ = link


cheers,
erik
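
The rule quoted from download.cgi above (KEYS and the .asc signature from the main distribution directory, tarball from any mirror), as an added shell example that is not part of the original post or of the Apache documentation. The function names are hypothetical; the host is the one in the URLs quoted in the thread.

```shell
#!/bin/sh
# Added example: keep the trust anchors (KEYS, .asc) on the main distribution
# host while allowing the tarball itself to come from any mirror.
MAIN_HOST="www.apache.org"   # host of the main distribution directory quoted in the thread

# url_host URL: print the host of a scheme://host/... URL (empty if malformed).
url_host() {
    printf '%s\n' "$1" | sed -n 's#^[a-zA-Z][a-zA-Z0-9+.-]*://\([^/:]*\).*#\1#p'
}

# allowed_source KIND URL: succeed if URL is an acceptable origin for KIND.
allowed_source() {
    case "$1" in
        keys|sig) [ "$(url_host "$2")" = "$MAIN_HOST" ] ;;  # never from a mirror
        tarball)  [ -n "$(url_host "$2")" ] ;;              # any mirror is fine
        *)        return 2 ;;
    esac
}

# sig_matches TARBALL_URL SIG_URL: the signature is named <tarball>.asc.
sig_matches() {
    [ "${2##*/}" = "${1##*/}.asc" ]
}

# verify_release TARBALL_URL KEYS_URL SIG_URL
verify_release() {
    allowed_source tarball "$1" || { echo "bad tarball URL" >&2; return 1; }
    allowed_source keys "$2" || { echo "KEYS must come from $MAIN_HOST" >&2; return 1; }
    allowed_source sig "$3" || { echo "signature must come from $MAIN_HOST" >&2; return 1; }
    sig_matches "$1" "$3" || { echo "signature does not belong to tarball" >&2; return 1; }
    work=$(mktemp -d) || return 1
    name=${1##*/}
    (
        # Throwaway keyring: only keys from this KEYS file can validate the signature.
        GNUPGHOME="$work/gnupg"; export GNUPGHOME
        mkdir -m 700 "$GNUPGHOME" &&
        curl -fsS -o "$work/KEYS" "$2" &&
        curl -fsS -o "$work/$name.asc" "$3" &&
        curl -fsS -o "$work/$name" "$1" &&
        gpg --quiet --import "$work/KEYS" &&
        gpg --verify "$work/$name.asc" "$work/$name"
    )
}
```

The origin checks run before any download, so a mirror-hosted KEYS or signature URL is refused without touching the network.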


Re: cvs commit: httpd-2.0/docs/manual install.xml install.xml.de install.html.en install.html.de

Posted by Astrid Kessler <ke...@kess-net.de>.
Well, I changed the link to the KEYS file and added a note where to find 
the signature files ...

> Uhh, you're right; I didn't realize the little [PGP][MD5] links behind
> the main downloads...*zwiiishhh*cleaning*my*squinty*eyes* :)

... because I also overlooked these links for a while :-)

 Kess

Re: cvs commit: httpd-2.0/docs/manual install.xml install.xml.de install.html.en install.html.de

Posted by Erik Abele <er...@codefaktor.de>.

Joshua Slive wrote:
> On Tue, 17 Dec 2002, Erik Abele wrote:
> 
>>+1 on encouraging people to download from the mirrors, but IMO we
>>shouldn't hide the main distribution directory too much. Especially for
>>sensitive data, we should ensure that the people can get them directly;
>>see comments below...
> 
> 
> The download.cgi links to the main distribution directory for people who
> want it, and forces people to get signatures from that directory.  It is
> the correct place to link whenever we talk about downloads, not simply for
> mirrors.
> 
> 

Uhh, you're right; I didn't realize the little [PGP][MD5] links behind 
the main downloads...*zwiiishhh*cleaning*my*squinty*eyes* :)

cheers,
erik


Re: cvs commit: httpd-2.0/docs/manual install.xml install.xml.de install.html.en install.html.de

Posted by Joshua Slive <jo...@slive.ca>.
On Tue, 17 Dec 2002, Erik Abele wrote:
> +1 on encouraging people to download from the mirrors, but IMO we
> shouldn't hide the main distribution directory too much. Especially for
> sensitive data, we should ensure that the people can get them directly;
> see comments below...

The download.cgi links to the main distribution directory for people who
want it, and forces people to get signatures from that directory.  It is
the correct place to link whenever we talk about downloads, not simply for
mirrors.

> +1 on removing the notes about alpha and beta releases, this really
> wasn't very helpful for the end-user.

+1.  It was put there back when we thought we were going to be having more
frequent alpha and beta releases.

> Shouldn't we link the KEYS file directly to
> http://www.apache.org/dist/httpd/KEYS? This would ensure that a) the
> user gets a 'controllable' version of this sensitive data and b) we stay
> consistent with http://httpd.apache.org/download.cgi#verify.

+1.

Joshua.