[ https://issues.apache.org/jira/browse/CLOUDSTACK-10280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17295114#comment-17295114 ]
Rohit Yadav commented on CLOUDSTACK-10280: ------------------------------------------ [~sebb] Thanks for the ticket. I've fixed the https usage and sha512 file link on the website now. Pl check and close. On MD5, I've not removed it - is the deprecation part of ASF policy, is there any email you can point me to. Also - we're not using Jira anymore, you may want to use Github in future to get community's attention: http://github.com/apache/cloudstack/issues > Please use HTTPS for KEYS, sigs and hashes > ------------------------------------------ > > Key: CLOUDSTACK-10280 > URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10280 > Project: CloudStack > Issue Type: Bug > Security Level: Public(Anyone can view this level - this is the > default.) > Reporter: Sebb > Priority: Critical > > The download page is generally fine. > However the links to the KEYS, sigs (PGP) and hashes use http; ideally they > should use https. > Also the gpg command should read: > gpg --verify apache-cloudstack-X.X.X-src.tar.bz2.asc > apache-cloudstack-X.X.X-src.tar.bz2 > i.e. both the detached sig and the artifact itself should be specified. > See: https://www.apache.org/info/verification.html#CheckingSignatures -- This message was sent by Atlassian Jira (v8.3.4#803005)