Posted to commits@lucene.apache.org by ja...@apache.org on 2018/09/04 12:37:41 UTC
svn commit: r29127 - in /release/lucene: java/README.html pylucene/README.html solr/README.html
Author: janhoy
Date: Tue Sep 4 12:37:41 2018
New Revision: 29127
Log:
Update dist site READMEs with more details about signing etc
Modified:
release/lucene/java/README.html
release/lucene/pylucene/README.html
release/lucene/solr/README.html
Modified: release/lucene/java/README.html
==============================================================================
--- release/lucene/java/README.html (original)
+++ release/lucene/java/README.html Tue Sep 4 12:37:41 2018
@@ -1,43 +1,65 @@
-<h1>Lucene Java Downloads</h1>
+<img src="http://lucene.apache.org/images/lucene_logo_green_300.png" height="75" align="right">
+<h1>Apache Lucene Java Downloads</h1>
<ul>
- <li><a href="#targz">Note About tar.gz Files</a></li>
+ <li><a href="#mirror">Use a mirror</a></li>
<li><a href="#changes">Changes</a></li>
<li><a href="#sig">Signatures</a></li>
<li><a href="#archive">Older Versions</a></li>
</ul>
-<a name="targz"><h2>Note About tar.gz Files</h2></a>
-<p>
-The tar files in the distribution use GNU tar extensions
-and must be untarred with a GNU compatible version of tar. The version
-of tar on Solaris and Mac OS X will not work with these files</p>
-</p>
+<a name="mirror"><h2>Use a mirror</h2></a>
+<p>Please make sure you're downloading from <a
+href="http://www.apache.org/dyn/closer.lua/lucene/java/">a nearby
+mirror site</a>, not directly from www.apache.org.</p>
+
<a name="changes"><h2>Changes</h2></a>
<p>The changes in this release are detailed in the release notes.</p>
-<p>Thank you for using <a href="http://lucene.apache.org/java/">Lucene</a>.</p>
+<p>Thank you for using <a href="http://lucene.apache.org/java/">Apache Lucene</a>.</p>
-<a name="sig"><h2>Signatures</h2></a>
+<a name="sig"><h2>Signatures and hashes</h2></a>
-<p>Many of the files have been digitally signed using GnuPG. If so,
-there will be an accompanying <samp><em>file</em>.asc</samp> signature
-file in the same directory as the file (binaries/ or source/). The
-signing keys can be found in the distribution directory at <<a
-HREF="http://www.apache.org/dist/lucene/java/KEYS"><samp>http://www.apache.org/dist/lucene/java/KEYS</samp></a>>.</p>
+<p>All official source and binary releases are digitally signed using GnuPG.
+ You are encouraged to verify that your download is the official one by verifying
+ the digital signature. To do this you need, in addition to the downloaded file:
+</p>
+
+<ul>
+ <li>the pgp or gpg software</li>
+ <li>the official <samp><em>KEYS</em></samp> file for the project</li>
+ <li>the <samp><em>file</em>.asc</samp> file corresponding to your download</li>
+</ul>
-<p><b>Always download the KEYS file directly from the Apache site, never from a mirror site.</b></p>
+<p><b>Always download the <em>KEYS</em> and <em>.asc</em> files directly from the Apache site at
+ <<a href="https://www.apache.org/dist/lucene/java/"><samp>https://www.apache.org/dist/lucene/java/</samp></a>>,
+ and always over HTTPS. Never trust KEYS from a mirror site. <a href="https://www.apache.org/info/verification.html">Read more</a></b></p>
<pre>Always test available signatures, <i>e.g.</i>,
$ pgpk -a KEYS
-$ pgpk lucene-1.4.tar.gz.asc
+$ pgpk lucene-x.y.z.tar.gz.asc
or,
$ pgp -ka KEYS
-$ pgp lucence-1.4.tar.gz.asc
+$ pgp lucene-x.y.z.tar.gz.asc
or,
$ gpg --import KEYS
-$ gpg --verify lucene-1.4.tar.gz.asc
+$ gpg --verify lucene-x.y.z.tar.gz.asc
+</pre>
+
+<h3>Checking the hashes</h3>
+<p>
+ Alongside the release artifacts in the official Apache dist site you will also find other
+ files providing checksum hashes for each file, with suffix .sha1, .sha512. or .md5.
+ E.g. for <samp>lucene-x.y.z.tgz</samp> the <samp>lucene-x.y.z.tgz.sha1</samp> file provides
+ the SHA-1 checksum. These are useful to verify that your download was complete and valid,
+ but will not prove that your download was digitally signed by an actual Apache committer.
+ For that you must check the .asc signature.
+</p>
+
+<pre>Calculate the checksum of your download and compare to the contents of the checksum files
+$ shasum [-a 512] lucene-x.y.z.tgz
+$ md5 lucene-x.y.z.tgz
</pre>
<a name="archive"><h2>Older Versions</h2></a>
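Review bot: The new "Checking the hashes" section lists .sha1 and .md5 on equal footing with .sha512, and the example "$ shasum [-a 512] lucene-x.y.z.tgz" presents the SHA-512 option as optional, so a reader who drops the bracketed part computes SHA-1 (the shasum default). Suggest making "shasum -a 512" the primary example, naming SHA-512 as the preferred checksum, and noting that "md5" is the macOS command name (md5sum on Linux). Smaller points in the same hunk: ".sha512." has a stray period; the signature examples use lucene-x.y.z.tar.gz while the hash examples use lucene-x.y.z.tgz; "gpg --verify lucene-x.y.z.tar.gz.asc" would be clearer with the data file named as a second argument; and the added logo and closer.lua mirror links are http:// while the paragraph a few lines below tells readers to always use HTTPS.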
Modified: release/lucene/pylucene/README.html
==============================================================================
--- release/lucene/pylucene/README.html (original)
+++ release/lucene/pylucene/README.html Tue Sep 4 12:37:41 2018
@@ -27,19 +27,19 @@ of tar on Solaris will not work with the
there will be an accompanying <samp><em>file</em>.asc</samp> signature
file in the same directory as the file. The signing keys can be found in
the distribution directory at <<a
-HREF="http://www.apache.org/dist/lucene/pylucene/KEYS"><samp>http://www.apache.org/dist/lucene/pylucene/KEYS</samp></a>>.</p>
+HREF="https://www.apache.org/dist/lucene/pylucene/KEYS"><samp>https://www.apache.org/dist/lucene/pylucene/KEYS</samp></a>>.</p>
<p><b>Always download the KEYS file directly from the Apache site, never from a mirror site.</b></p>
<pre>Always test available signatures, <i>e.g.</i>,
$ pgpk -a KEYS
-$ pgpk pylucene-2.4.1-1-src.tar.gz.asc
+$ pgpk pylucene-x.y.z-src.tar.gz.asc
or,
$ pgp -ka KEYS
-$ pgp pylucene-2.4.1-1-src.tar.gz.asc
+$ pgp pylucene-x.y.z-src.tar.gz.asc
or,
$ gpg --import KEYS
-$ gpg --verify pylucene-2.4.1-src.tar.gz.asc
+$ gpg --verify pylucene-x.y.z-src.tar.gz.asc
</pre>
<!--
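Review bot: The bold warning left as context here still reads "Always download the KEYS file directly from the Apache site, never from a mirror site", which no longer matches the java README changed in this same commit: that one now covers the .asc files as well, requires HTTPS and links to the verification page. Suggest carrying the same wording over so the three READMEs give identical guidance. The pylucene README also does not get the "Checking the hashes" section in this hunk, and the HREF attribute on the changed line could be lowercased to match the markup used in the other two files.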
Modified: release/lucene/solr/README.html
==============================================================================
--- release/lucene/solr/README.html (original)
+++ release/lucene/solr/README.html Tue Sep 4 12:37:41 2018
@@ -1,29 +1,23 @@
<img src="http://lucene.apache.org/solr/assets/images/Solr_Logo_200x101.png" height="75" align="right">
-<h1>Solr Downloads</h1>
+<h1>Apache Solr Downloads</h1>
<ul>
<li><a href="#mirror">Use a mirror</a></li>
- <li><a href="#targz">Note About tar.gz Files</a></li>
<li><a href="#changes">Documentation and Changes</a></li>
<li><a href="#sig">Signatures and hashes</a></li>
<li><a href="#archive">Older Versions</a></li>
</ul>
-<a name="targz"><h2>Use a mirror</h2></a>
+<a name="mirror"><h2>Use a mirror</h2></a>
<p>Please make sure you're downloading from <a
href="http://www.apache.org/dyn/closer.lua/lucene/solr/">a nearby
mirror site</a>, not directly from www.apache.org.</p>
-<a name="targz"><h2>Note About tar.gz Files</h2></a>
-<p>The tar files in the distribution use GNU tar extensions
-and must be untarred with a GNU compatible version of tar. The version
-of tar on Solaris will not work with these files</p>
-
-<a name="changes"><h2>Changes</h2></a>
+<a name="changes"><h2>Documentation and Changes</h2></a>
<p>The official Solr Reference Guide can be downloaded from the <a href="ref-guide">ref-guide</a> folder.</p>
<p>The changes in each release are detailed in the release notes, to be found in the <code>changes</code> folder for the release.</p>
-<p>Thank you for using <a href="http://lucene.apache.org/solr/">Solr</a>.</p>
+<p>Thank you for using <a href="http://lucene.apache.org/solr/">Apache Solr</a>.</p>
<a name="sig"><h2>Signatures and hashes</h2></a>
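Review bot: The changed line "Thank you for using <a href="http://lucene.apache.org/solr/">Apache Solr</a>" keeps an http:// link, and the context lines for the logo image and the closer.lua mirror link are http:// too, which sits oddly beside the HTTPS guidance this commit adds to the java README. Suggest switching these to https:// while the lines are being touched. Renaming the duplicate name="targz" anchor to name="mirror" is correct since the index links to #mirror; it is worth checking that nothing outside this file still links to #targz now that the tar.gz note is removed.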