LGTM > On Jan 30, 2018, at 10:27 AM, Matteo Merli <mme...@apache.org> wrote: > > Dave, > > I have created https://github.com/apache/incubator-pulsar/pull/1148 with a > fix for this. > > Matteo > > On Tue, Jan 30, 2018 at 9:59 AM Matteo Merli <mme...@apache.org> wrote: > >> Oh, I see. I think I had misread the last comment on >> https://github.com/apache/incubator-pulsar/issues/986 >> >> So, the download links for the tgzs, should always point to the mirrors, >> while KEYS and signatures will all come from dist with HTTPS. >> >> I'll make the change quickly, thanks for pointing this out. >> >> Matteo >> >> On Tue, Jan 30, 2018 at 9:53 AM Dave Fisher <dave2w...@comcast.net> wrote: >> >>> Hi - >>> >>> I just noticed that the links to the current release asc, md5, and sha512 >>> are currently pointing to the mirrors. These need to be adjusted to point >>> to the location at dist.apache.org. The reason is that a mirror could be >>> compromised or corrupted and these small files used to verify a download >>> should be from the master source. >>> >>> Regards, >>> Dave >>> >> -- >> Matteo Merli >> <mme...@apache.org> >> > -- > Matteo Merli > <mme...@apache.org>
signature.asc
Description: Message signed with OpenPGP
