Oh, I see. I think I had misread the last comment on https://github.com/apache/incubator-pulsar/issues/986
So, the download links for the tgzs, should always point to the mirrors, while KEYS and signatures will all come from dist with HTTPS. I'll make the change quickly, thanks for pointing this out. Matteo On Tue, Jan 30, 2018 at 9:53 AM Dave Fisher <dave2w...@comcast.net> wrote: > Hi - > > I just noticed that the links to the current release asc, md5, and sha512 > are currently pointing to the mirrors. These need to be adjusted to point > to the location at dist.apache.org. The reason is that a mirror could be > compromised or corrupted and these small files used to verify a download > should be from the master source. > > Regards, > Dave > -- Matteo Merli <mme...@apache.org>
