Posted to commits@lucene.apache.org by ja...@apache.org on 2018/09/04 12:37:41 UTC

svn commit: r29127 - in /release/lucene: java/README.html pylucene/README.html solr/README.html

Author: janhoy
Date: Tue Sep  4 12:37:41 2018
New Revision: 29127

Log:
Update dist site READMEs with more details about signing etc

Modified:
    release/lucene/java/README.html
    release/lucene/pylucene/README.html
    release/lucene/solr/README.html

Modified: release/lucene/java/README.html
==============================================================================
--- release/lucene/java/README.html (original)
+++ release/lucene/java/README.html Tue Sep  4 12:37:41 2018
@@ -1,43 +1,65 @@
-<h1>Lucene Java Downloads</h1>
+<img src="http://lucene.apache.org/images/lucene_logo_green_300.png" height="75" align="right">
+<h1>Apache Lucene Java Downloads</h1>
 
 <ul>
- <li><a href="#targz">Note About tar.gz Files</a></li>
+ <li><a href="#mirror">Use a mirror</a></li>
  <li><a href="#changes">Changes</a></li>
  <li><a href="#sig">Signatures</a></li>
  <li><a href="#archive">Older Versions</a></li>
 </ul>
 
-<a name="targz"><h2>Note About tar.gz Files</h2></a>
-<p>
-The tar files in the distribution use GNU tar extensions
-and must be untarred with a GNU compatible version of tar. The version
-of tar on Solaris and Mac OS X will not work with these files</p>
-</p>
+<a name="mirror"><h2>Use a mirror</h2></a>
+<p>Please make sure you're downloading from <a
+href="http://www.apache.org/dyn/closer.lua/lucene/java/">a nearby
+mirror site</a>, not directly from www.apache.org.</p>
+
 <a name="changes"><h2>Changes</h2></a>
 
 <p>The changes in this release are detailed in the release notes.</p>
 
-<p>Thank you for using <a href="http://lucene.apache.org/java/">Lucene</a>.</p>
+<p>Thank you for using <a href="http://lucene.apache.org/java/">Apache Lucene</a>.</p>
 
-<a name="sig"><h2>Signatures</h2></a>
+<a name="sig"><h2>Signatures and hashes</h2></a>
 
-<p>Many of the files have been digitally signed using GnuPG.  If so,
-there will be an accompanying <samp><em>file</em>.asc</samp> signature
-file in the same directory as the file (binaries/ or source/).  The
-signing keys can be found in the distribution directory at &lt;<a
-HREF="http://www.apache.org/dist/lucene/java/KEYS"><samp>http://www.apache.org/dist/lucene/java/KEYS</samp></a>&gt;.</p>
+<p>All official source and binary releases are digitally signed using GnuPG.
+    You are encouraged to verify that your download is the official one by verifying
+    the digital signature. To do this you need, in addition to the downloaded file:
+</p>
+
+<ul>
+    <li>the pgp or gpg software</li>
+    <li>the official <samp><em>KEYS</em></samp> file for the project</li>
+    <li>the <samp><em>file</em>.asc</samp> file corresponding to your download</li>
+</ul>
 
-<p><b>Always download the KEYS file directly from the Apache site, never from a mirror site.</b></p>
+<p><b>Always download the <em>KEYS</em> and <em>.asc</em> files directly from the Apache site at
+    &lt;<a href="https://www.apache.org/dist/lucene/java/"><samp>https://www.apache.org/dist/lucene/java/</samp></a>&gt;,
+    and always over HTTPS. Never trust KEYS from a mirror site. <a href="https://www.apache.org/info/verification.html">Read more</a></b></p>
 
 <pre>Always test available signatures, <i>e.g.</i>,
 $ pgpk -a KEYS
-$ pgpk lucene-1.4.tar.gz.asc
+$ pgpk lucene-x.y.z.tar.gz.asc
 or,
 $ pgp -ka KEYS
-$ pgp lucence-1.4.tar.gz.asc
+$ pgp lucene-x.y.z.tar.gz.asc
 or,
 $ gpg --import KEYS
-$ gpg --verify lucene-1.4.tar.gz.asc
+$ gpg --verify lucene-x.y.z.tar.gz.asc
+</pre>
+
+<h3>Checking the hashes</h3>
+<p>
+    Alongside the release artifacts in the official Apache dist site you will also find other
+    files providing checksum hashes for each file, with suffix .sha1, .sha512. or .md5. 
+    E.g. for <samp>lucene-x.y.z.tgz</samp> the <samp>lucene-x.y.z.tgz.sha1</samp> file provides
+    the SHA-1 checksum. These are useful to verify that your download was complete and valid, 
+    but will not prove that your download was digitally signed by an actual Apache committer. 
+    For that you must check the .asc signature.
+</p>
+
+<pre>Calculate the checksum of your download and compare to the contents of the checksum files
+$ shasum [-a 512] lucene-x.y.z.tgz
+$ md5 lucene-x.y.z.tgz
 </pre>
 
 <a name="archive"><h2>Older Versions</h2></a>
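
Review bot: In the new "Checking the hashes" block, `$ shasum [-a 512] lucene-x.y.z.tgz` makes the algorithm optional, so a reader who drops the bracketed part computes SHA-1, and the paragraph lists .sha1 and .md5 on equal footing with .sha512. Suggest writing the command as `shasum -a 512` and naming SHA-512 as the checksum to compare, with .sha1 and .md5 mentioned only as legacy files. Smaller points in the same hunk: "with suffix .sha1, .sha512. or .md5." has a stray period after .sha512; the hash examples use `.tgz` while the signature examples use `.tar.gz`; and the added mirror link and logo `src` are `http://` although this hunk tells readers to fetch KEYS and .asc "always over HTTPS".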

Modified: release/lucene/pylucene/README.html
==============================================================================
--- release/lucene/pylucene/README.html (original)
+++ release/lucene/pylucene/README.html Tue Sep  4 12:37:41 2018
@@ -27,19 +27,19 @@ of tar on Solaris will not work with the
 there will be an accompanying <samp><em>file</em>.asc</samp> signature
 file in the same directory as the file.  The signing keys can be found in
 the distribution directory at &lt;<a
-HREF="http://www.apache.org/dist/lucene/pylucene/KEYS"><samp>http://www.apache.org/dist/lucene/pylucene/KEYS</samp></a>&gt;.</p>
+HREF="https://www.apache.org/dist/lucene/pylucene/KEYS"><samp>https://www.apache.org/dist/lucene/pylucene/KEYS</samp></a>&gt;.</p>
 
 <p><b>Always download the KEYS file directly from the Apache site, never from a mirror site.</b></p>
 
 <pre>Always test available signatures, <i>e.g.</i>,
 $ pgpk -a KEYS
-$ pgpk pylucene-2.4.1-1-src.tar.gz.asc
+$ pgpk pylucene-x.y.z-src.tar.gz.asc
 or,
 $ pgp -ka KEYS
-$ pgp pylucene-2.4.1-1-src.tar.gz.asc
+$ pgp pylucene-x.y.z-src.tar.gz.asc
 or,
 $ gpg --import KEYS
-$ gpg --verify pylucene-2.4.1-src.tar.gz.asc
+$ gpg --verify pylucene-x.y.z-src.tar.gz.asc
 </pre>
 
 <!--
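
Review bot: The unchanged warning `Always download the KEYS file directly from the Apache site, never from a mirror site.` is now out of step with the java README in this same commit, which extends the rule to the .asc files and adds "always over HTTPS". Since the KEYS URL just above it is switched to https here, suggest giving this sentence the same wording so the READMEs carry identical verification advice. The placeholder rename also removes the old mismatch between `2.4.1-1-src` in the pgp lines and `2.4.1-src` in the gpg line, which is a welcome cleanup.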

Modified: release/lucene/solr/README.html
==============================================================================
--- release/lucene/solr/README.html (original)
+++ release/lucene/solr/README.html Tue Sep  4 12:37:41 2018
@@ -1,29 +1,23 @@
 <img src="http://lucene.apache.org/solr/assets/images/Solr_Logo_200x101.png" height="75" align="right">
-<h1>Solr Downloads</h1>
+<h1>Apache Solr Downloads</h1>
 
 <ul>
  <li><a href="#mirror">Use a mirror</a></li>
- <li><a href="#targz">Note About tar.gz Files</a></li>
  <li><a href="#changes">Documentation and Changes</a></li>
  <li><a href="#sig">Signatures and hashes</a></li>
  <li><a href="#archive">Older Versions</a></li>
 </ul>
 
-<a name="targz"><h2>Use a mirror</h2></a>
+<a name="mirror"><h2>Use a mirror</h2></a>
 <p>Please make sure you're downloading from <a
 href="http://www.apache.org/dyn/closer.lua/lucene/solr/">a nearby
 mirror site</a>, not directly from www.apache.org.</p>
 
-<a name="targz"><h2>Note About tar.gz Files</h2></a>
-<p>The tar files in the distribution use GNU tar extensions
-and must be untarred with a GNU compatible version of tar. The version
-of tar on Solaris will not work with these files</p>
-
-<a name="changes"><h2>Changes</h2></a>
+<a name="changes"><h2>Documentation and Changes</h2></a>
 <p>The official Solr Reference Guide can be downloaded from the <a href="ref-guide">ref-guide</a> folder.</p>
 <p>The changes in each release are detailed in the release notes, to be found in the <code>changes</code> folder for the release.</p>
 
-<p>Thank you for using <a href="http://lucene.apache.org/solr/">Solr</a>.</p>
+<p>Thank you for using <a href="http://lucene.apache.org/solr/">Apache Solr</a>.</p>
 
 <a name="sig"><h2>Signatures and hashes</h2></a>
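
Review bot: The mirror link in the context lines, `href="http://www.apache.org/dyn/closer.lua/lucene/solr/"`, and the logo `src` stay on plain `http://` even though the page sits directly above a "Signatures and hashes" section; suggest switching both to `https://` while these lines are being edited, so the download entry point is not the one unauthenticated hop. The rename of the duplicated `name="targz"` anchor to `name="mirror"` is correct and now matches the `#mirror` entry in the list.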