Great. Thanks.

On Sep 17, 2012 9:00 PM, "Holly Cummins" <[email protected]> wrote:
> Hi Jeremy,
>
> I was also asked to remove those files. :) It looks like the .asc.md5
> and .asc.sha1 files are produced by an interaction between the GPG
> plugin and the Maven release plugin. I found a few Apache projects
> whose release instructions said the files should be deleted, so I went
> ahead and removed them, and corrected our scripts so they don't get
> uploaded in future.
>
> Holly
>
> On Mon, Sep 17, 2012 at 3:43 PM, Jeremy Hughes <[email protected]> wrote:
> > It's been pointed out that we have a large number of these files in
> > www.apache.org/dist/aries and that they don't serve any purpose. When
> > I looked again at
> >
> > http://www.apache.org/dev/release-signing#check-integrity
> >
> > I realised we only need:
> >
> > <released artifact>
> > <released artifact>.asc
> > <released artifact>.md5
> > <released artifact>.sha1
> >
> > in fact we probably should have .sha512 as well but that's another
> > discussion. There's no need to provide hash sums of the signatures!
> >
> > So ... you can check the validity of the released artifact by
> > downloading from anywhere that's serving it up as long as you compare
> > its hash with the hash in the hashsum file served out from
> > apache.org.
> >
> > Verifying the signature will go that step further by checking that the
> > person who created the released artifact is in the Apache web of
> > trust.
> >
> > So, I would like to remove the superfluous .asc.md5 / .asc.sha1
> > files and for us to not create them in our release process any longer.
> > I'll remove them in 24 hours to wait for objections, if any.
> >
> > Thanks,
> > Jeremy
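
An added example, not part of the original thread or of the Aries release scripts: a Python audit of a dist-style directory that flags the .asc.md5 / .asc.sha1 files discussed above, reports artifacts missing their .asc, .md5 or .sha1 companions, and recomputes the MD5 and SHA-1 sums. It assumes each checksum file begins with the hex digest; the function name is hypothetical, and verifying the .asc signature itself needs gpg and is left out.

```python
import hashlib
import sys
from pathlib import Path

# Per-artifact companion files listed in the thread.
SIDECARS = (".asc", ".md5", ".sha1")
HASH_ALGOS = {".md5": "md5", ".sha1": "sha1"}
# Hash sums of signatures: the files the thread calls superfluous.
SUPERFLUOUS = (".asc.md5", ".asc.sha1")


def audit_release_dir(root):
    """Return (superfluous, missing, mismatched) file names for one directory."""
    files = {p.name: p for p in Path(root).iterdir() if p.is_file()}
    superfluous, missing, mismatched = [], [], []
    for name in sorted(files):
        if name.endswith(SUPERFLUOUS):
            superfluous.append(name)
            continue
        if name.endswith(SIDECARS):
            continue  # a companion file; it is checked through its artifact
        for ext in SIDECARS:
            side = files.get(name + ext)
            if side is None:
                missing.append(name + ext)
            elif ext in HASH_ALGOS:
                # Assumption: the first whitespace-separated token is the digest.
                tokens = side.read_text().split()
                expected = tokens[0].lower() if tokens else ""
                digest = hashlib.new(HASH_ALGOS[ext], files[name].read_bytes())
                if digest.hexdigest() != expected:
                    mismatched.append(name + ext)
    return superfluous, missing, mismatched


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    extra, absent, bad = audit_release_dir(target)
    for label, names in (("superfluous", extra), ("missing", absent),
                         ("checksum mismatch", bad)):
        for n in names:
            print(f"{label}: {n}")
    sys.exit(1 if (absent or bad) else 0)
```

Superfluous files are reported but do not affect the exit status; a missing companion or a checksum mismatch does.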
