The current Apache policy is to not mirror PGP signatures of releases to
the mirrors, because it provides a false sense of trust. For example, if
you look at a mirror such as http://apache.claz.org/hive/hive-0.10.0/,
you'll only see the two tarballs. If you look at the Apache site
http://www.us.apache.org/dist/hive/hive-0.10.0/, you'll see the tarballs,
md5s, and asc.

In the same way, it doesn't seem right to put the KEYS file in a file
that is included in the mirrors. Fortunately, Apache already has a service
that builds a PGP keys file dynamically from LDAP. Hive's file can be found

I propose that we remove the KEYS file from our dist area and add some
text to http://hive.apache.org/releases.html that points to how to check
the signatures and checksums of the releases. We can include the old KEYS
file in the site for checking old releases.