[jira] [Commented] (CLOUDSTACK-10280) Please use HTTPS for KEYS, sigs and hashes
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17295406#comment-17295406 ] Rohit Yadav commented on CLOUDSTACK-10280: -- PR proposed to fix this - https://github.com/apache/cloudstack/pull/4751/files > Please use HTTPS for KEYS, sigs and hashes > -- > > Key: CLOUDSTACK-10280 > URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10280 > Project: CloudStack > Issue Type: Bug > Security Level: Public(Anyone can view this level - this is the > default.) >Reporter: Sebb >Priority: Critical > > The download page is generally fine. > However the links to the KEYS, sigs (PGP) and hashes use http; ideally they > should use https. > Also the gpg command should read: > gpg --verify apache-cloudstack-X.X.X-src.tar.bz2.asc > apache-cloudstack-X.X.X-src.tar.bz2 > i.e. both the detached sig and the artifact itself should be specified. > See: https://www.apache.org/info/verification.html#CheckingSignatures -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (CLOUDSTACK-10280) Please use HTTPS for KEYS, sigs and hashes
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17295395#comment-17295395 ] Rohit Yadav commented on CLOUDSTACK-10280: -- [~sebb] Alright, I've removed MD5 links from the website but not since the policy says we don't need to remove for existing releases. For all future releases, I'll remove from our build/publishing scripts to avoid doing md5 checksums. > Please use HTTPS for KEYS, sigs and hashes > -- > > Key: CLOUDSTACK-10280 > URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10280 > Project: CloudStack > Issue Type: Bug > Security Level: Public(Anyone can view this level - this is the > default.) >Reporter: Sebb >Priority: Critical > > The download page is generally fine. > However the links to the KEYS, sigs (PGP) and hashes use http; ideally they > should use https. > Also the gpg command should read: > gpg --verify apache-cloudstack-X.X.X-src.tar.bz2.asc > apache-cloudstack-X.X.X-src.tar.bz2 > i.e. both the detached sig and the artifact itself should be specified. > See: https://www.apache.org/info/verification.html#CheckingSignatures -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (CLOUDSTACK-10280) Please use HTTPS for KEYS, sigs and hashes
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17295224#comment-17295224 ] Sebb commented on CLOUDSTACK-10280: --- Yes, MD5 deprecation is part of policy https://infra.apache.org/release-distribution#sigs-and-sums As to using GitHub instead of JIRA, please ask INFRA to make JIRA read-only > Please use HTTPS for KEYS, sigs and hashes > -- > > Key: CLOUDSTACK-10280 > URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10280 > Project: CloudStack > Issue Type: Bug > Security Level: Public(Anyone can view this level - this is the > default.) >Reporter: Sebb >Priority: Critical > > The download page is generally fine. > However the links to the KEYS, sigs (PGP) and hashes use http; ideally they > should use https. > Also the gpg command should read: > gpg --verify apache-cloudstack-X.X.X-src.tar.bz2.asc > apache-cloudstack-X.X.X-src.tar.bz2 > i.e. both the detached sig and the artifact itself should be specified. > See: https://www.apache.org/info/verification.html#CheckingSignatures -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (CLOUDSTACK-10280) Please use HTTPS for KEYS, sigs and hashes
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17295114#comment-17295114 ] Rohit Yadav commented on CLOUDSTACK-10280: -- [~sebb] Thanks for the ticket. I've fixed the https usage and sha512 file link on the website now. Pl check and close. On MD5, I've not removed it - is the deprecation part of ASF policy, is there any email you can point me to. Also - we're not using Jira anymore, you may want to use Github in future to get community's attention: http://github.com/apache/cloudstack/issues > Please use HTTPS for KEYS, sigs and hashes > -- > > Key: CLOUDSTACK-10280 > URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10280 > Project: CloudStack > Issue Type: Bug > Security Level: Public(Anyone can view this level - this is the > default.) >Reporter: Sebb >Priority: Critical > > The download page is generally fine. > However the links to the KEYS, sigs (PGP) and hashes use http; ideally they > should use https. > Also the gpg command should read: > gpg --verify apache-cloudstack-X.X.X-src.tar.bz2.asc > apache-cloudstack-X.X.X-src.tar.bz2 > i.e. both the detached sig and the artifact itself should be specified. > See: https://www.apache.org/info/verification.html#CheckingSignatures -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (CLOUDSTACK-10280) Please use HTTPS for KEYS, sigs and hashes
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17294657#comment-17294657 ] Sebb commented on CLOUDSTACK-10280: --- PING - please now fix the page to use HTTPS for KEYS, sigs and hashes. Also, remove references to MD5 > Please use HTTPS for KEYS, sigs and hashes > -- > > Key: CLOUDSTACK-10280 > URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10280 > Project: CloudStack > Issue Type: Bug > Security Level: Public(Anyone can view this level - this is the > default.) >Reporter: Sebb >Priority: Critical > > The download page is generally fine. > However the links to the KEYS, sigs (PGP) and hashes use http; ideally they > should use https. > Also the gpg command should read: > gpg --verify apache-cloudstack-X.X.X-src.tar.bz2.asc > apache-cloudstack-X.X.X-src.tar.bz2 > i.e. both the detached sig and the artifact itself should be specified. > See: https://www.apache.org/info/verification.html#CheckingSignatures -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (CLOUDSTACK-10280) Please use HTTPS for KEYS, sigs and hashes
[ https://issues.apache.org/jira/browse/CLOUDSTACK-10280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17243331#comment-17243331 ] Sebb commented on CLOUDSTACK-10280: --- It is now mandatory to use HTTPS for KEYS, sigs and hashes. Also the page must not link to https://dist.apache.org/; it must use https://downloads.apache.org/cloudstack/... for KEYS, sigs and hashes The link to http://www.apache.org/dist/cloudstack/releases/cloudmonkey-6.1.0/apache-cloudstack-cloudmonkey-6.1.0-src.tar.bz2.sha is broken; it should be https://www.apache.org/dist/cloudstack/releases/cloudmonkey-6.1.0/apache-cloudstack-cloudmonkey-6.1.0-src.tar.bz2.sha512 Further, MD5 hashes are deprecated and should not be used for recent releases > Please use HTTPS for KEYS, sigs and hashes > -- > > Key: CLOUDSTACK-10280 > URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10280 > Project: CloudStack > Issue Type: Bug > Security Level: Public(Anyone can view this level - this is the > default.) >Reporter: Sebb >Priority: Critical > > The download page is generally fine. > However the links to the KEYS, sigs (PGP) and hashes use http; ideally they > should use https. > Also the gpg command should read: > gpg --verify apache-cloudstack-X.X.X-src.tar.bz2.asc > apache-cloudstack-X.X.X-src.tar.bz2 > i.e. both the detached sig and the artifact itself should be specified. > See: https://www.apache.org/info/verification.html#CheckingSignatures -- This message was sent by Atlassian Jira (v8.3.4#803005)