sebbASF commented on issue #986: Bug: Download page must include KEYS, sig and hashes
URL: https://github.com/apache/incubator-pulsar/issues/986#issuecomment-358999412
 
 
   As I wrote previously:
   
   "KEYS, sigs and hashes must be linked from www.apache.org/dist/... and should use https."
   
   Only KEYS currently links to www.apache.org/dist/incubator/pulsar and it does not use https.
   The links to the sigs and hashes currently don't work at all as such files are not mirrored.
   
   The older releases section links to the correct host. However the hashes and sigs should use https.
   
   The page should also mention the need to check releases against the sig or failing that a hash.
   For example, see how Tomcat does it:
   
   https://tomcat.apache.org/download-90.cgi#Release_Integrity
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services
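
The rule stated in the comment above (KEYS, sigs and hashes linked from www.apache.org/dist/... over https, while release artifacts may come from mirrors) can be checked mechanically against a download page. The following is an added example, not part of the original message or the Pulsar project's code; the suffix list, the mirror host and the file names in the sample are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host and path prefix the comment requires for KEYS, signatures and hashes.
REQUIRED_HOST = "www.apache.org"
REQUIRED_PATH = "/dist/"
INTEGRITY_SUFFIXES = (".asc", ".sig", ".md5", ".sha1", ".sha256", ".sha512")  # assumed


class _Links(HTMLParser):
    """Collect the href of every <a> tag on the page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def is_integrity_link(url):
    """True for links to a KEYS file, a signature or a hash."""
    path = urlparse(url).path.lower()
    return path.endswith("/keys") or path.endswith(INTEGRITY_SUFFIXES)


def check_download_page(html):
    """Return (href, problem) pairs for integrity links that break the rule."""
    parser = _Links()
    parser.feed(html)
    findings = []
    for href in parser.hrefs:
        if not is_integrity_link(href):
            continue  # release artifacts themselves may be served by mirrors
        u = urlparse(href)
        if u.scheme != "https":
            findings.append((href, "not https"))
        if u.hostname != REQUIRED_HOST or not u.path.startswith(REQUIRED_PATH):
            findings.append((href, "not under www.apache.org/dist/"))
    return findings


# Constructed sample page; mirror.example.org and the X.Y.Z names are made up.
SAMPLE = """
<a href="http://mirror.example.org/pulsar/pulsar-X.Y.Z-bin.tar.gz">binary</a>
<a href="http://mirror.example.org/pulsar/pulsar-X.Y.Z-bin.tar.gz.asc">asc</a>
<a href="http://www.apache.org/dist/incubator/pulsar/KEYS">KEYS</a>
<a href="https://www.apache.org/dist/incubator/pulsar/pulsar-X.Y.Z-bin.tar.gz.sha512">sha512</a>
"""
```

Relative links are reported as well, since they carry neither the https scheme nor the required host.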
