[ https://issues.apache.org/jira/browse/GROOVY-9458?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17080450#comment-17080450 ]
Paul King commented on GROOVY-9458: ----------------------------------- Looks like there is no issue from the Infra point of view. I have sent an email to trademarks to check on branding issues. I'll report back here when I hear further. > Missing sigs and hashes on download page > ---------------------------------------- > > Key: GROOVY-9458 > URL: https://issues.apache.org/jira/browse/GROOVY-9458 > Project: Groovy > Issue Type: Bug > Reporter: Sebb > Priority: Major > > The public download page includes links to several Windows installer > executables. > These have neither signatures nor hashes. > However as per [1] > "All supplied packages MUST be cryptographically signed by the Release > Manager with a detached signature" > And as per [2] > "For every artifact distributed to the public through Apache channels, the > PMC ... MUST supply at least one checksum file" > Please either remove the links or provide the required sigs and hashes. > Thanks. > [1] http://www.apache.org/legal/release-policy.html#release-signing > [2] https://www.apache.org/dev/release-distribution#sigs-and-sums -- This message was sent by Atlassian Jira (v8.3.4#803005)