Home | About | Sematext search-lucene.com search-hadoop.com
NEW: Monitor These Apps!
elasticsearch, apache solr, apache hbase, hadoop, redis, casssandra, amazon cloudwatch, mysql, memcached, apache kafka, apache zookeeper, apache storm, ubuntu, centOS, red hat, debian, puppet labs, java, senseiDB
 Search Hadoop and all its subprojects:

Switch to Threaded View
Hive >> mail # dev >> Removing the PGP sigs from dist


Copy link to this message
-
Re: Removing the PGP sigs from dist
+1 .
While you are editing the releases.html, if its not too much, can you also
make the download link more visible ? People tend to scroll down and expect
a download link next to the release number. Making it clear that there are
two sections might help.
On Wed, May 15, 2013 at 9:37 PM, Owen O'Malley <[EMAIL PROTECTED]> wrote:

> All,
>    The current Apache policy is to not mirror PGP signatures of releases to
> the mirrors, because it provides a false sense of trust. For example, if
> you look at a mirror such as http://apache.claz.org/hive/hive-0.10.0/,
> you'll only see the two tarballs. If you look at the Apache site
> http://www.us.apache.org/dist/hive/hive-0.10.0/, you'll see the tarballs,
> md5s, and asc.
>
>   In the same way, it doesn't seem right to put the KEYS file in a file
> that is included in the mirrors. Fortunately, Apache already has a service
> that builds a pgp keys file dynamically from ldap. Hive's file can be found
> at: https://people.apache.org/keys/group/hive.asc
>
>   I propose that we remove the KEYS file from our dist area and add some
> text to http://hive.apache.org/releases.html that points to how to check
> the signatures and checksums of the releases. We can include the old KEYS
> file in the site for checking old releases.
>
>   Thoughts?
>
> Thanks,
>    Owen
>
NEW: Monitor These Apps!
elasticsearch, apache solr, apache hbase, hadoop, redis, casssandra, amazon cloudwatch, mysql, memcached, apache kafka, apache zookeeper, apache storm, ubuntu, centOS, red hat, debian, puppet labs, java, senseiDB