[ https://issues.apache.org/jira/browse/GROOVY-9458?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17072691#comment-17072691 ]
Sebb commented on GROOVY-9458:
------------------------------

My reading of the cited pages is that the rules apply to all packages, regardless of origin.
If you disagree with this, I suggest you ask for clarification from the page owners.

> Missing sigs and hashes on download page
> ----------------------------------------
>
> Key: GROOVY-9458
> URL: https://issues.apache.org/jira/browse/GROOVY-9458
> Project: Groovy
> Issue Type: Bug
> Reporter: Sebb
> Priority: Major
>
> The public download page includes links to several Windows installer executables.
> These have neither signatures nor hashes.
> However as per [1]
> "All supplied packages MUST be cryptographically signed by the Release Manager with a detached signature"
> And as per [2]
> "For every artifact distributed to the public through Apache channels, the PMC ... MUST supply at least one checksum file"
> Please either remove the links or provide the required sigs and hashes.
> Thanks.
> [1] http://www.apache.org/legal/release-policy.html#release-signing
> [2] https://www.apache.org/dev/release-distribution#sigs-and-sums

--
This message was sent by Atlassian Jira
(v8.3.4#803005)