[jira] [Commented] (CLOUDSTACK-10280) Please use HTTPS for KEYS, sigs and hashes

2021-03-04 Thread Rohit Yadav (Jira)


[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17295406#comment-17295406
 ] 

Rohit Yadav commented on CLOUDSTACK-10280:
--

PR proposed to fix this - https://github.com/apache/cloudstack/pull/4751/files

> Please use HTTPS for KEYS, sigs and hashes
> --
>
> Key: CLOUDSTACK-10280
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10280
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public (Anyone can view this level - this is the default.)
> Reporter: Sebb
> Priority: Critical
>
> The download page is generally fine.
> However the links to the KEYS, sigs (PGP) and hashes use http; ideally they
> should use https.
> Also the gpg command should read:
> gpg --verify apache-cloudstack-X.X.X-src.tar.bz2.asc apache-cloudstack-X.X.X-src.tar.bz2
> i.e. both the detached sig and the artifact itself should be specified.
> See: https://www.apache.org/info/verification.html#CheckingSignatures



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
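
An added example, not part of the thread or of CloudStack's site tooling: a small linter that applies the requests in CLOUDSTACK-10280 and CLOUDSTACK-9344 to a download page. It flags http links to KEYS, signatures and hashes, MD5 links, a KEYS link other than the URL named in CLOUDSTACK-9344, and a `gpg --verify` instruction that omits the artifact. The function name, rule names and sample page are assumptions made for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Assumption: canonical KEYS URL as requested in CLOUDSTACK-9344.
CANONICAL_KEYS = "https://www.apache.org/dist/cloudstack/KEYS"
SUFFIXES = (".asc", ".sha512", ".sha256", ".sha1", ".md5")
# Constructed sample page, not the real CloudStack download page.
SAMPLE = """
<a href="http://svn.example.invalid/dist/cloudstack/KEYS">KEYS</a>
<a href="http://dl.example.invalid/apache-cloudstack-X.X.X-src.tar.bz2.asc">PGP</a>
<a href="https://dl.example.invalid/apache-cloudstack-X.X.X-src.tar.bz2.md5">MD5</a>
<pre>gpg --verify apache-cloudstack-X.X.X-src.tar.bz2.asc</pre>
"""

class _Page(HTMLParser):  # collects link targets and visible text
    def __init__(self):
        super().__init__()
        self.hrefs, self.text = [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]
    def handle_data(self, data):
        self.text.append(data)

def lint_download_page(html):
    """Return sorted (rule, detail) findings for KEYS, sigs and hashes."""
    page, findings = _Page(), set()
    page.feed(html)
    for href in page.hrefs:
        url = urlparse(href)
        name = url.path.rsplit("/", 1)[-1]
        if name != "KEYS" and not name.lower().endswith(SUFFIXES):
            continue  # only verification material is in scope
        if url.scheme == "http":
            findings.add(("not-https", href))
        if name.lower().endswith(".md5"):
            findings.add(("md5-link", href))
        if name == "KEYS" and href != CANONICAL_KEYS:
            findings.add(("keys-location", href))
    # A detached signature check must name the artifact as well as the .asc.
    text = " ".join(" ".join(page.text).split())
    for m in re.finditer(r"gpg --verify (\S+\.asc)(?: (\S+))?", text):
        if m.group(2) != m.group(1)[: -len(".asc")]:
            findings.add(("gpg-missing-artifact", m.group(1)))
    return sorted(findings)

if __name__ == "__main__":
    for rule, detail in lint_download_page(SAMPLE):
        print(f"{rule}: {detail}")
```
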


[jira] [Resolved] (CLOUDSTACK-9344) KEYS file link should point to ASF mirror

2021-03-04 Thread Sebb (Jira)


 [ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9344?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Sebb resolved CLOUDSTACK-9344.
--
Resolution: Fixed

Ok, thanks

> KEYS file link should point to ASF mirror
> -
>
> Key: CLOUDSTACK-9344
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9344
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public (Anyone can view this level - this is the default.)
> Environment: http://cloudstack.apache.org/downloads.html
> Reporter: Sebb
> Priority: Major
>
> It's good that the download page includes a link to the KEYS file along with
> details of how to use it.
> However the link in the "Verifying Downloads" box should not be to SVN dist; 
> instead it should be to 
> https://www.apache.org/dist/cloudstack/KEYS
> Also all the KEYS, PGP, MD5 and SHA links should use https rather than http 
> please.





[jira] [Commented] (CLOUDSTACK-10280) Please use HTTPS for KEYS, sigs and hashes

2021-03-04 Thread Rohit Yadav (Jira)


[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17295395#comment-17295395
 ] 

Rohit Yadav commented on CLOUDSTACK-10280:
--

[~sebb]  Alright, I've removed MD5 links from the website but not since the 
policy says we don't need to remove for existing releases. For all future 
releases, I'll remove from our build/publishing scripts to avoid doing md5 
checksums.

> Please use HTTPS for KEYS, sigs and hashes
> --
>
> Key: CLOUDSTACK-10280
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10280
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public (Anyone can view this level - this is the default.)
> Reporter: Sebb
> Priority: Critical
>
> The download page is generally fine.
> However the links to the KEYS, sigs (PGP) and hashes use http; ideally they
> should use https.
> Also the gpg command should read:
> gpg --verify apache-cloudstack-X.X.X-src.tar.bz2.asc apache-cloudstack-X.X.X-src.tar.bz2
> i.e. both the detached sig and the artifact itself should be specified.
> See: https://www.apache.org/info/verification.html#CheckingSignatures





[jira] [Commented] (CLOUDSTACK-9344) KEYS file link should point to ASF mirror

2021-03-04 Thread Rohit Yadav (Jira)


[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9344?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17295394#comment-17295394
 ] 

Rohit Yadav commented on CLOUDSTACK-9344:
-

Fixed now [~sebb]

> KEYS file link should point to ASF mirror
> -
>
> Key: CLOUDSTACK-9344
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9344
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public (Anyone can view this level - this is the default.)
> Environment: http://cloudstack.apache.org/downloads.html
> Reporter: Sebb
> Priority: Major
>
> It's good that the download page includes a link to the KEYS file along with
> details of how to use it.
> However the link in the "Verifying Downloads" box should not be to SVN dist; 
> instead it should be to 
> https://www.apache.org/dist/cloudstack/KEYS
> Also all the KEYS, PGP, MD5 and SHA links should use https rather than http 
> please.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Commented] (CLOUDSTACK-10280) Please use HTTPS for KEYS, sigs and hashes

2021-03-04 Thread Sebb (Jira)


[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17295224#comment-17295224
 ] 

Sebb commented on CLOUDSTACK-10280:
---

Yes, MD5 deprecation is part of policy

https://infra.apache.org/release-distribution#sigs-and-sums

As to using GitHub instead of JIRA, please ask INFRA to make JIRA read-only

> Please use HTTPS for KEYS, sigs and hashes
> --
>
> Key: CLOUDSTACK-10280
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10280
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public (Anyone can view this level - this is the default.)
> Reporter: Sebb
> Priority: Critical
>
> The download page is generally fine.
> However the links to the KEYS, sigs (PGP) and hashes use http; ideally they
> should use https.
> Also the gpg command should read:
> gpg --verify apache-cloudstack-X.X.X-src.tar.bz2.asc apache-cloudstack-X.X.X-src.tar.bz2
> i.e. both the detached sig and the artifact itself should be specified.
> See: https://www.apache.org/info/verification.html#CheckingSignatures





[jira] [Commented] (CLOUDSTACK-9344) KEYS file link should point to ASF mirror

2021-03-04 Thread Sebb (Jira)


[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9344?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17295222#comment-17295222
 ] 

Sebb commented on CLOUDSTACK-9344:
--

The KEYS link under "Verifying downloads" has not been fixed

> KEYS file link should point to ASF mirror
> -
>
> Key: CLOUDSTACK-9344
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9344
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public (Anyone can view this level - this is the default.)
> Environment: http://cloudstack.apache.org/downloads.html
> Reporter: Sebb
> Priority: Major
>
> It's good that the download page includes a link to the KEYS file along with
> details of how to use it.
> However the link in the "Verifying Downloads" box should not be to SVN dist; 
> instead it should be to 
> https://www.apache.org/dist/cloudstack/KEYS
> Also all the KEYS, PGP, MD5 and SHA links should use https rather than http 
> please.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Commented] (CLOUDSTACK-5511) Please delete old releases from mirroring system

2021-03-04 Thread Rohit Yadav (Jira)


[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-5511?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17295119#comment-17295119
 ] 

Rohit Yadav commented on CLOUDSTACK-5511:
-

I'll add the note on archiving/deleting in 
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Release+Procedure

> Please delete old releases from mirroring system
> 
>
> Key: CLOUDSTACK-5511
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5511
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public (Anyone can view this level - this is the default.)
> Environment: https://dist.apache.org/repos/dist/release/cloudstack/releases/
> Reporter: Sebb
> Priority: Major
>
> To reduce the load on the ASF mirrors, projects are required to delete old 
> releases [1]
> Please can you remove all non-current releases?
> Thanks!
> [Note that older releases are always available from the ASF archive server]
> Any links to older releases on download pages should first be adjusted to 
> point to the archive server.
> [1] http://www.apache.org/dev/release.html#when-to-archive





[jira] [Commented] (CLOUDSTACK-5511) Please delete old releases from mirroring system

2021-03-04 Thread Rohit Yadav (Jira)


[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-5511?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17295116#comment-17295116
 ] 

Rohit Yadav commented on CLOUDSTACK-5511:
-

[~sebb] thanks, I've removed them: 
https://dist.apache.org/repos/dist/release/cloudstack/releases/

> Please delete old releases from mirroring system
> 
>
> Key: CLOUDSTACK-5511
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5511
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public (Anyone can view this level - this is the default.)
> Environment: https://dist.apache.org/repos/dist/release/cloudstack/releases/
> Reporter: Sebb
> Priority: Major
>
> To reduce the load on the ASF mirrors, projects are required to delete old 
> releases [1]
> Please can you remove all non-current releases?
> Thanks!
> [Note that older releases are always available from the ASF archive server]
> Any links to older releases on download pages should first be adjusted to 
> point to the archive server.
> [1] http://www.apache.org/dev/release.html#when-to-archive





[jira] [Commented] (CLOUDSTACK-9344) KEYS file link should point to ASF mirror

2021-03-04 Thread Rohit Yadav (Jira)


[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9344?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17295115#comment-17295115
 ] 

Rohit Yadav commented on CLOUDSTACK-9344:
-

I've fixed the new https link on the downloads page.

> KEYS file link should point to ASF mirror
> -
>
> Key: CLOUDSTACK-9344
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9344
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public (Anyone can view this level - this is the default.)
> Environment: http://cloudstack.apache.org/downloads.html
> Reporter: Sebb
> Priority: Major
>
> It's good that the download page includes a link to the KEYS file along with
> details of how to use it.
> However the link in the "Verifying Downloads" box should not be to SVN dist; 
> instead it should be to 
> https://www.apache.org/dist/cloudstack/KEYS
> Also all the KEYS, PGP, MD5 and SHA links should use https rather than http 
> please.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Commented] (CLOUDSTACK-10280) Please use HTTPS for KEYS, sigs and hashes

2021-03-04 Thread Rohit Yadav (Jira)


[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17295114#comment-17295114
 ] 

Rohit Yadav commented on CLOUDSTACK-10280:
--

[~sebb] Thanks for the ticket. I've fixed the https usage and sha512 file link
on the website now. Pl check and close. On MD5, I've not removed it - is the
deprecation part of ASF policy? Is there any email you can point me to?

Also - we're not using Jira anymore, you may want to use GitHub in future to
get the community's attention: http://github.com/apache/cloudstack/issues

> Please use HTTPS for KEYS, sigs and hashes
> --
>
> Key: CLOUDSTACK-10280
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10280
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public (Anyone can view this level - this is the default.)
> Reporter: Sebb
> Priority: Critical
>
> The download page is generally fine.
> However the links to the KEYS, sigs (PGP) and hashes use http; ideally they
> should use https.
> Also the gpg command should read:
> gpg --verify apache-cloudstack-X.X.X-src.tar.bz2.asc apache-cloudstack-X.X.X-src.tar.bz2
> i.e. both the detached sig and the artifact itself should be specified.
> See: https://www.apache.org/info/verification.html#CheckingSignatures


