You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Karl Heinz Marbaise (JIRA)" <ji...@apache.org> on 2018/06/01 11:26:00 UTC
[jira] [Closed] (MNG-6421) Please add a signature to apache
downloads
[ https://issues.apache.org/jira/browse/MNG-6421?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Karl Heinz Marbaise closed MNG-6421.
------------------------------------
Resolution: Cannot Reproduce
Based on the feedback we close this. Thanks.
> Please add a signature to apache downloads
> ------------------------------------------
>
> Key: MNG-6421
> URL: https://issues.apache.org/jira/browse/MNG-6421
> Project: Maven
> Issue Type: Bug
> Components: General
> Reporter: Olaf Flebbe
> Priority: Major
>
> While trying to fix maven download in the Apache Bigtop toolchain:
> There seems to be no way to verify the integrity of the Maven releases at apache and their mirrors.
> Download from [www.apache.org/dist|http://www.apache.org/dist] is discouraged for larger files from INFRA. The download links are either not secure or not on the same trustlevel as https://www.apache.org
> I would recommend to have a https:// link to a gnupg file signature (asc) which can be downloaded from [www.apache.org/dist|http://www.apache.org/dist] (Please see ant as an example).
> Signatures should be provided for both source and binaries.
> Please correct me if there is a different way to either have an secure and trusted download or a way to automatically verify.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)