You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@maven.apache.org by "Olaf Flebbe (JIRA)" <ji...@apache.org> on 2018/05/31 17:49:00 UTC

[jira] [Created] (MNG-6421) Please add a signature to apache downloads

Olaf Flebbe created MNG-6421:
--------------------------------

             Summary: Please add a signature to apache downloads
                 Key: MNG-6421
                 URL: https://issues.apache.org/jira/browse/MNG-6421
             Project: Maven
          Issue Type: Bug
          Components: General
            Reporter: Olaf Flebbe


While trying to fix maven download in the Apache Bigtop toolchain:

There seems to be no way to verify the integrity of the Maven releases at apache and their mirrors.

Download from [www.apache.org/dist|http://www.apache.org/dist] is discouraged for larger files from INFRA. The download links are either not secure or not on the same trustlevel as https://www.apache.org

I would recommend to have a https:// link to a gnupg file signature (asc) which can be downloaded from   [www.apache.org/dist|http://www.apache.org/dist]  (Please see ant as an example).

Signatures should be provided for both source and binaries.

Please correct me if there is a different way to either have an secure and trusted download or a way to automatically verify.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)