Thanks Daniel, I guess that does make sense, I've never seen checksums as anything other than "they match so the download isnt corrupted", never used it for authenticity :)
On Tue, Jul 22, 2025 at 8:44 PM Daniel Gruno <humbed...@apache.org> wrote: > On 7/21/25 22:55, Nick Edwards wrote: > > All good on gentoo > > > > Also, can I ask why, and this is a long time problem, the sigs dont make > > it to wherever rsync lives? > > Any chance this can get fixed? > > I have over time emailed infra twice ( probably 6 months apart) but get > > no response, probably because i'm not with ASF so they junk it. > > Sure this is not the development but "release" where I think more > > important :) Yes, the sigs are as Rainer points out, in the dev. > > The checksum/signature files have historically been omitted from the > mirror system, and will continue to be omitted in the foreseeable future. > > This is to force users to only verify against signatures and checksums > from trusted apache.org sources where we can vouch for the authenticity > of those files, especially the less secure checksum files. > > Work is underway on a brand new distribution system that will better > address modern requirements like CRA/CISA policies, but in the meantime, > users will still need to verify against signatures and checksums from > trusted sources. > > > > > rsync -v rsync.apache.org::apache-dist/httpd/ > > receiving file list ... done > > drwxrwxr-x 4,096 2025/07/11 11:21:36 . > > -rw-rw-r-- 3,994 2014/09/03 05:17:36 .htaccess > > -rw-rw-r-- 3,880 2025/07/10 21:37:55 Announcement2.4.html > > -rw-rw-r-- 2,515 2025/07/10 21:37:55 Announcement2.4.txt > > -rw-rw-r-- 383,176 2025/07/11 11:21:28 CHANGES_2.4 > > -rw-rw-r-- 9,015 2025/07/11 11:21:28 CHANGES_2.4.64 > > -rw-rw-r-- 0 2025/07/10 21:57:02 CURRENT-IS-2.4.64 > > -rw-rw-r-- 458 2024/07/18 04:03:46 HEADER.html > > -rw-rw-r-- 2,073 2024/07/18 03:55:16 README.html > > -rw-rw-r-- 7,293,281 2025/07/10 21:37:55 httpd-2.4.64.tar.bz2 > > -rw-rw-r-- 9,590,595 2025/07/10 21:37:55 httpd-2.4.64.tar.gz > > -rw-rw-r-- 19,006 2016/12/22 06:14:45 httpd_logo_wide_new.png > > drwxrwxr-x 4,096 2022/06/17 21:25:12 binaries > > drwxrwxr-x 4,096 2022/06/17 21:25:19 docs > > drwxrwxr-x 4,096 2022/08/25 23:10:44 libapreq > > drwxrwxr-x 4,096 2022/06/17 21:25:19 mod_fcgid > > drwxrwxr-x 4,096 2022/06/17 21:25:19 mod_ftp > > drwxrwxr-x 4,096 2023/04/11 09:12:00 patches > > > > > > > > On Mon, Jul 21, 2025 at 10:31 PM Eric Covener <cove...@gmail.com > > <mailto:cove...@gmail.com>> wrote: > > > > Hi all, > > > > Please find below the proposed release tarball and signatures: > > > > https://dist.apache.org/repos/dist/dev/httpd/ <https:// > > dist.apache.org/repos/dist/dev/httpd/> > > > > I would like to call a VOTE over the next few days to release > > this candidate tarball httpd-2.4.65-rc3 as 2.4.65: > > [ ] +1: It's not just good, it's good enough! > > [ ] +0: Let's have a talk. > > [ ] -1: There's trouble in paradise. Here's what's wrong. > > > > The computed digests of the tarball up for vote are: > > sha256: > 4f92861a50325c6d1046ebad5d814bff0d4169ada8cc265655f32b7f1ba4be1b > > *httpd-2.4.65-rc3.tar.gz > > sha512: > > > > b5824f85481e8617c35bd9da9ee5d933d6d744646e84ebf0471f87e4075f48c6f6f2b38f8234ad63ecc2816cad389c356cad574bc44d4fa7999ecf7579e24c1e > > *httpd-2.4.65-rc3.tar.gz > > > > The candidate source is found at > > <https://svn.apache.org/repos/asf/httpd/httpd/tags/2.4.65-rc3- > > candidate <https://svn.apache.org/repos/asf/httpd/httpd/tags/2.4.65- > > rc3-candidate>> > > and at <https://github.com/apache/httpd/tree/2.4.65-rc3-candidate > > <https://github.com/apache/httpd/tree/2.4.65-rc3-candidate>>. > > > > -- > > Eric Covener > > cove...@gmail.com <mailto:cove...@gmail.com> > > > >
