> From what I can see, hashes and signatures are both missing on the
> download mirrors for Lucene and Solr. That's probably prudent for
> hashes, but should signatures be there?

I vaguely remember raising this issue before -- though it might have been regarding a different Apache project. From what I remember, the ASF signature guidelines don't require software signing keys to be signed by anyone in particular. So unless the signature file is on the (https) Apache download site, it's probably effectively useless. After all, there's nothing stopping me from setting up a rogue mirror, creating a "Shawn Heisey <apa...@elyograg.org>" GPG key and signing my fake release with it.

Including signatures on mirrors would only lead to sloppy verification by whoever is downloading the software. That is, unless there's some kind of web of trust in the release signature, but that currently doesn't seem to be the case.

- Bram

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
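The verification discipline Bram's reply points at (the key must come from the https Apache site, not from the mirror that served the artifact) can be scripted so that a key of the right name from anywhere else never counts. The following is an added example, not code from this thread or from the Lucene/Solr projects: it imports only the project's KEYS file into a throwaway keyring, verifies the detached signature with gpgv against that keyring alone, and additionally pins the signing key's fingerprint. The function name, argument order and the fingerprint placeholder are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the Apache projects discussed).
# verify_release KEYS ARTIFACT SIGNATURE EXPECTED_FINGERPRINT
#   KEYS                 the project's KEYS file, fetched from the https
#                        download site, never from a mirror
#   ARTIFACT / SIGNATURE the release file and its detached .asc
#   EXPECTED_FINGERPRINT full hex fingerprint of the release manager's key,
#                        recorded out of band (placeholder when unknown)
# Names and argument order are assumptions of this example.
verify_release() {
    keys_file=$1; artifact=$2; sig=$3; expected_fpr=$4
    tmp=$(mktemp -d) || return 1
    chmod 700 "$tmp"
    # Import the published keys into a throwaway GnuPG home and export them
    # into a keyring that gpgv will use exclusively: the user's own keyring,
    # or a same-named key obtained from a rogue mirror, is never consulted.
    if ! gpg --batch --quiet --homedir "$tmp" --import "$keys_file" >/dev/null 2>&1; then
        rm -rf "$tmp"; return 1
    fi
    if ! gpg --batch --homedir "$tmp" --export > "$tmp/trusted.gpg" 2>/dev/null; then
        rm -rf "$tmp"; return 1
    fi
    # gpgv verifies strictly against the given keyring (no web-of-trust lookup)
    # and emits machine-readable status lines; VALIDSIG carries the fingerprint
    # of the key that actually produced the signature.
    if status=$(gpgv --homedir "$tmp" --keyring "$tmp/trusted.gpg" --status-fd 1 \
                     "$sig" "$artifact" 2>/dev/null); then
        rc=0
    else
        rc=$?
    fi
    rm -rf "$tmp"
    [ "$rc" -eq 0 ] || return 1
    fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3; exit }')
    [ -n "$fpr" ] || return 1
    # A valid signature from *some* key in KEYS is still not enough: pin the
    # fingerprint so an unexpected or newly added key in KEYS is also rejected.
    [ "$fpr" = "$expected_fpr" ]
}
```

The function returns 0 only when the signature verifies against a key from the KEYS file and that key's fingerprint matches the pinned value; a hash check on the same artifact can be added in front of it, but as Bram notes, the hash alone says nothing about who produced the file.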