[EMAIL PROTECTED] wrote:
kess        2002/12/16 12:56:17

Modified: docs/manual Tag: APACHE_2_0_BRANCH install.xml
install.xml.de install.html.en install.html.de
Log:
- make sure, see also titles match with linked document titles
- remove notes about alpha and beta releases
- update download links to the mirror page
...
<section id="download"><title>Download</title>
<p>Apache can be downloaded from the <a
- href="http://www.apache.org/dist/httpd/";>Apache Software
- Foundation download site</a> or from a <a
- href="http://www.apache.org/dyn/closer.cgi/httpd/";>nearby
- mirror</a>.</p>

+1 on encouraging people to download from the mirrors, but IMO we shouldn't hide the main distribution directory too much. Especially for sensitive data, we should ensure that people can get them directly; see comments below...


-
- <p>Version numbers that end in <code>alpha</code> indicate
- early pre-test versions which may or may not work. Version
- numbers ending in <code>beta</code> indicate more reliable
- releases that still require further testing or bug fixing. If
- you wish to download the best available production release of
- the Apache HTTP Server, you should choose the latest version
- with neither <code>alpha</code> nor <code>beta</code> in its
- filename.</p>
+ href="http://httpd.apache.org/download.cgi";>Apache HTTP Server
+ download site</a> which lists several mirrors. You'll find here
+ the latest stable release.</p>
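
Review bot: the added sentence "You'll find here the latest stable release." is awkwardly ordered, and "here" can be read as this manual page rather than the download site. Suggest "The latest stable release is available there." and a comma before "which lists several mirrors".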

+1 on removing the notes about alpha and beta releases, this really wasn't very helpful for the end-user.


       <p>After downloading, especially if a mirror site is used, it
       is important to verify that you have a complete and unmodified
  @@ -164,10 +154,10 @@
       testing the downloaded tarball against the PGP signature. This,
       in turn, is a two step procedure. First, you must obtain the
       <code>KEYS</code> file from the <a

Shouldn't we link the KEYS file directly to http://www.apache.org/dist/httpd/KEYS? This would ensure that a) the user gets a 'controllable' version of this sensitive data and b) we stay consistent with http://httpd.apache.org/download.cgi#verify.


>   -    href="http://www.apache.org/dist/httpd/";>Apache distribution
>   -    site</a>. (To assure that the <code>KEYS</code> file itself has
  -    not been modified, it may be a good idea to use a file from a
  -    previous distribution of Apache or import the keys from a
  +    href="http://httpd.apache.org/download.cgi";>Apache HTTP
  +    Server download site</a>, too. (To assure that the <code>KEYS</code>
  +    file itself has not been modified, it may be a good idea to use a
  +    file from a previous distribution of Apache or import the keys from a
       public key server.) The keys are imported into your personal
       key ring using one of the following commands (depending on your
       pgp version):</p>
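
Review bot: the added KEYS link leaves this paragraph with no source for KEYS other than download.cgi, which the earlier added text describes as a page that "lists several mirrors", while the parenthetical that follows still asks the reader to make sure KEYS has not been modified. Suggest keeping the href on the main distribution directory for this link. The trailing ", too" also reads oddly, because it refers back to a different paragraph.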
  @@ -180,7 +170,7 @@

See above comment: we really should encourage people to use the KEYS file from the dist directory instead of fetching it from a mirror.


<p>The next step is to test the tarball against the PGP
signature, which should always be obtained from the <a
- href="http://www.apache.org/dist/httpd/";>main Apache
+ href="http://httpd.apache.org/download.cgi";>main Apache
website</a>. The signature file has a filename identical to the
source tarball with the addition of <code>.asc</code>. Then you
can check the distribution with one of the following commands
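
Review bot: the unchanged link text "main Apache website" and the surrounding "should always be obtained from" no longer match the new href, since download.cgi is introduced earlier in this patch as a page that lists mirrors. Either keep the old dist/httpd/ target for the signature link or reword the sentence so it does not promise the main site.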

Also the 'main Apache website' shouldn't link to download.cgi.

Just a quote from the linked download.cgi:

'The PGP signatures can be verified using PGP or GPG. First download the _KEYS_ as well as the asc signature file for the particular distribution. Make sure you get these files from the _main distribution directory_, rather than from a mirror.'

_x_ = link


cheers, erik
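
A link check in the spirit of the comments above, as an added example that is not part of the original message or of the Apache documentation tooling: it flags links in paragraphs about KEYS or signatures that do not point into the main distribution directory. The sample fragment is constructed from the patched text quoted above, and the function names and the keyword heuristic are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Main distribution directory named in the review; the only source treated as trusted.
TRUSTED_HOST = "www.apache.org"
TRUSTED_PATH = "/dist/httpd/"
# Heuristic (assumption): a paragraph using these terms links to verification material.
SENSITIVE_TERMS = ("KEYS", "signature")

# Constructed sample: the relevant paragraphs as they read after the patch, abridged.
PATCHED = """<section id="download">
<p>First, you must obtain the <code>KEYS</code> file from the
<a href="http://httpd.apache.org/download.cgi">Apache HTTP Server
download site</a>, too.</p>
<p>The next step is to test the tarball against the PGP signature,
which should always be obtained from the
<a href="http://httpd.apache.org/download.cgi">main Apache website</a>.</p>
<p>Apache can be downloaded from the
<a href="http://httpd.apache.org/download.cgi">Apache HTTP Server
download site</a> which lists several mirrors.</p>
</section>"""

def is_trusted(href):
    """True only for URLs on the main site, inside the distribution directory."""
    parts = urlsplit(href)
    return parts.hostname == TRUSTED_HOST and parts.path.startswith(TRUSTED_PATH)

def untrusted_anchor_links(xml_text):
    """Return (href, link text) for verification-related links outside the main dist dir."""
    findings = []
    for para in ET.fromstring(xml_text).iter("p"):
        text = " ".join("".join(para.itertext()).split())
        if not any(term in text for term in SENSITIVE_TERMS):
            continue  # plain download paragraph: mirrors are fine for the tarball
        for a in para.iter("a"):
            href = a.get("href", "")
            if not is_trusted(href):
                findings.append((href, " ".join((a.text or "").split())))
    return findings

if __name__ == "__main__":
    for href, label in untrusted_anchor_links(PATCHED):
        print(f"verification link leaves main dist dir: {label!r} -> {href}")
```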


