sebbASF commented on code in PR #112: URL: https://github.com/apache/incubator-fury-site/pull/112#discussion_r1576531497
########## docs/download.md: ########## @@ -0,0 +1,79 @@ +--- +id: download +title: Apache Fury(incubating) Download +--- + +The official Apache Fury releases are provided as source artifacts. + +For binary install, please see Fury [install](/docs/start/install/) document. + +## The latest release + +Apache Fury (Incubating) hasn't made a release since joining the Apache Incubator. + +## All archived releases + +Apache Fury (Incubating) hasn't made a release since joining the Apache Incubator. + +## Verify a release + +It's highly recommended to verify the files that you download. + +Fury provides SHA digest and PGP signature files for all the files that we host on the download site. +These files are named after the files they relate to but have `.sha512/.asc` extensions. + +### Verifying Checksums + +To verify the SHA digests, you need the .tgz and its associated .tgz.sha512 file. An example command: + +```bash +for i in *.tar.gz; do echo $i; sha512sum --check $i.sha512; done Review Comment: It is not a good idea to check all the tar.gz files in a directory. There may be some very large ones, and if there are several it is going to be harder to determine if the correct one is OK. Also it only works for hosts that support bash or similar. Far better to show the actual command to be used, e.g. sha512sum --check apache-fury-incubating-0.5.0-src.tar.gz ########## docs/download.md: ########## @@ -0,0 +1,79 @@ +--- +id: download +title: Apache Fury(incubating) Download +--- + +The official Apache Fury releases are provided as source artifacts. + +For binary install, please see Fury [install](/docs/start/install/) document. + +## The latest release + +Apache Fury (Incubating) hasn't made a release since joining the Apache Incubator. + +## All archived releases + +Apache Fury (Incubating) hasn't made a release since joining the Apache Incubator. + +## Verify a release + +It's highly recommended to verify the files that you download. + +Fury provides SHA digest and PGP signature files for all the files that we host on the download site. +These files are named after the files they relate to but have `.sha512/.asc` extensions. + +### Verifying Checksums + +To verify the SHA digests, you need the .tgz and its associated .tgz.sha512 file. An example command: + +```bash +for i in *.tar.gz; do echo $i; sha512sum --check $i.sha512; done +``` + +It should output something like: + +```bash +apache-fury-incubating-0.5.0-src.tar.gz +apache-fury-incubating-0.5.0-src.tar.gz: OK +``` + +### Verifying Signatures + +To verify the PGP signatures, you will need to download and import the +[release KEYS](https://downloads.apache.org/incubator/fury/KEYS): + +```bash +curl https://downloads.apache.org/incubator/fury/KEYS >KEYS # Download KEYS +gpg --import KEYS # Import KEYS to local +# Then, trust the public key +``` + +Then you can verify signature: +```bash +for i in *.tar.gz; do echo $i; gpg --verify $i.asc $i; done +``` Review Comment: Again, don't rely on bash and don't rely on the directory containing only the correct download file. It would be very easy to be accidentally run the command in the wrong directory and be fooled by the output. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
