Owen O'Malley 2013-05-16, 04:37
-Re: Removing the PGP sigs from dist
Thejas Nair 2013-05-18, 01:46
While you are editing the releases.html, if its not too much, can you also
make the download link more visible ? People tend to scroll down and expect
a download link next to the release number. Making it clear that there are
two sections might help.
On Wed, May 15, 2013 at 9:37 PM, Owen O'Malley <[EMAIL PROTECTED]> wrote:
> The current Apache policy is to not mirror PGP signatures of releases to
> the mirrors, because it provides a false sense of trust. For example, if
> you look at a mirror such as http://apache.claz.org/hive/hive-0.10.0/,
> you'll only see the two tarballs. If you look at the Apache site
> http://www.us.apache.org/dist/hive/hive-0.10.0/, you'll see the tarballs,
> md5s, and asc.
> In the same way, it doesn't seem right to put the KEYS file in a file
> that is included in the mirrors. Fortunately, Apache already has a service
> that builds a pgp keys file dynamically from ldap. Hive's file can be found
> at: https://people.apache.org/keys/group/hive.asc
> I propose that we remove the KEYS file from our dist area and add some
> text to http://hive.apache.org/releases.html that points to how to check
> the signatures and checksums of the releases. We can include the old KEYS
> file in the site for checking old releases.