[ https://issues.apache.org/jira/browse/MNG-6421?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16497659#comment-16497659 ]
Olaf Flebbe commented on MNG-6421: ---------------------------------- Yes, thank you very much! It turned out a website problem. Please close > Please add a signature to apache downloads > ------------------------------------------ > > Key: MNG-6421 > URL: https://issues.apache.org/jira/browse/MNG-6421 > Project: Maven > Issue Type: Bug > Components: General > Reporter: Olaf Flebbe > Priority: Major > > While trying to fix maven download in the Apache Bigtop toolchain: > There seems to be no way to verify the integrity of the Maven releases at > apache and their mirrors. > Download from [www.apache.org/dist|http://www.apache.org/dist] is discouraged > for larger files from INFRA. The download links are either not secure or not > on the same trustlevel as https://www.apache.org > I would recommend to have a https:// link to a gnupg file signature (asc) > which can be downloaded from > [www.apache.org/dist|http://www.apache.org/dist] (Please see ant as an > example). > Signatures should be provided for both source and binaries. > Please correct me if there is a different way to either have an secure and > trusted download or a way to automatically verify. -- This message was sent by Atlassian JIRA (v7.6.3#76005)