[jira] Resolved: (DIR-223) Add some info on download to suggest users to verify the downloaded signature

Tue, 02 Sep 2008 04:26:19 -0700 

     [ 
https://issues.apache.org/jira/browse/DIR-223?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Emmanuel Lecharny resolved DIR-223.
-----------------------------------

    Resolution: Fixed

Some documentation has been added on each download page, on our web site.

> Add some info on download to suggest users to verify the downloaded signature
> -----------------------------------------------------------------------------
>
>                 Key: DIR-223
>                 URL: https://issues.apache.org/jira/browse/DIR-223
>             Project: Directory
>          Issue Type: Task
>            Reporter: Emmanuel Lecharny
>            Assignee: Alex Karasulu
>            Priority: Blocker
>
> As pointed out by Stefano :
> Not related to Google Analytics, but I cannot see anywhere a place where
> you suggest users to verify their downloads (and links to the PGP/MD5
> files) and maybe you can fix this while you're there.
> here is the text we use in Apache JAMES:
> --------------
> Use the links below to download the Apache JAMES Mail Server from one of
> our mirrors. You *must* verify the integrity of the downloaded files
> using signatures downloaded from our main distribution directory.
> ----------------------
> Then verify the integrity points to this paragraph:
> -------------------------
> Verify the integrity of the files
> It is essential that you verify the integrity of the downloaded files
> using the PGP or MD5 signatures. The PGP signatures can be verified
> using PGP or GPG. First download the KEYS as well as the asc signature
> file for the particular distribution. Make sure you get these files from
> the main distribution directory, rather than from a mirror. Then verify
> the signatures using % pgpk -a KEYS
> % pgpv james-version.tar.gz.asc
> or
> % pgp -ka KEYS
> % pgp james-version.tar.gz.asc
> or
> % gpg --import KEYS
> % gpg --verify james-version.tar.gz.asc
> -------------------------------
> Also make sure you provide the MD5 and PGP links to the official main
> ASF distribution site (www.apache.org/dist/).
> As far as I know ASF *requires* signing for releases and strongly
> suggest to "incentivate" users to verify downloads.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to