Posted to notifications@logging.apache.org by "Sebb (JIRA)" <ji...@apache.org> on 2018/01/26 17:06:00 UTC

[jira] [Reopened] (LOG4J2-2223) Download page must not link to dist.apache.org

     [ https://issues.apache.org/jira/browse/LOG4J2-2223?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sebb reopened LOG4J2-2223:
--------------------------

The page does not provide much detail on download verification.

The following page is pretty good:

http://logging.apache.org/log4j/2.x/download.html

However the gpg command should really be:

gpg --verify apache-log4j-2.10.0-bin.tar.gz.asc apache-log4j-2.10.0-bin.tar.gz

> Download page must not link to dist.apache.org
> ----------------------------------------------
>
>                 Key: LOG4J2-2223
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-2223
>             Project: Log4j 2
>          Issue Type: Bug
>            Reporter: Sebb
>            Assignee: Matt Sicker
>            Priority: Major
>
> The Chainsaw download page
> http://logging.apache.org/chainsaw/2.x/download.html
> links to dist.apache.org for hashes and sigs.
> This is not allowed; dist.a.o is only for use by ASF developers staging or publishing releases.
> Please use https://www.apache.org/dist/logging... instead
> Also the page must link to the KEYS file:
> https://www.apache.org/dist/logging/KEYS
> and should provide info on download verification.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
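
The two-argument verification asked for above, as an added shell example that is not part of the JIRA message or of the Log4j project's tooling. It checks a detached signature against an explicitly named file, using a throwaway keyring that holds only the keys from a KEYS file. The function names, the demo file names and the throwaway key are assumptions constructed for the example, and GnuPG 2.2 or later is assumed.

```shell
#!/bin/sh
# Added example: key, file names and file content below are constructed.

# verify_release SIG DATA KEYS
# Returns 0 only if SIG is a valid detached signature over DATA made by a key
# present in KEYS (for a real download: the project's KEYS file).
verify_release() {
    vr_home=$(mktemp -d) || return 2
    # Throwaway keyring: keys already in ~/.gnupg cannot satisfy the check.
    if ! gpg --homedir "$vr_home" --batch --quiet --import "$3" 2>/dev/null; then
        rm -rf "$vr_home"; return 2
    fi
    vr_rc=0
    # Signature first, then the file it is supposed to cover.
    vr_status=$(gpg --homedir "$vr_home" --batch --status-fd 1 \
        --verify "$1" "$2" 2>/dev/null) || vr_rc=$?
    rm -rf "$vr_home"
    [ "$vr_rc" -eq 0 ] || return 1
    # VALIDSIG is emitted only for a cryptographically good signature.
    printf '%s\n' "$vr_status" | grep -q '^\[GNUPG:\] VALIDSIG '
}

# make_constructed_release DIR
# Builds DIR/demo.tar.gz, DIR/demo.tar.gz.asc and DIR/KEYS with a throwaway
# ed25519 key, so the check above can be exercised offline.
make_constructed_release() {
    mk_home=$(mktemp -d) || return 2
    printf 'constructed release payload\n' > "$1/demo.tar.gz"
    gpg --homedir "$mk_home" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-generate-key \
        'Constructed Key <release@example.invalid>' ed25519 sign never \
        2>/dev/null &&
    gpg --homedir "$mk_home" --batch --quiet --armor \
        --output "$1/demo.tar.gz.asc" --detach-sign "$1/demo.tar.gz" &&
    gpg --homedir "$mk_home" --batch --armor --export > "$1/KEYS"
    mk_rc=$?
    gpgconf --homedir "$mk_home" --kill gpg-agent 2>/dev/null || :
    rm -rf "$mk_home"
    return "$mk_rc"
}
```

For a real download, pass verify_release the .asc file, the archive, and the KEYS file from https://www.apache.org/dist/logging/KEYS.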