[ 
https://issues.apache.org/jira/browse/TOMEE-2975?focusedWorklogId=562407&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-562407
 ]

ASF GitHub Bot logged work on TOMEE-2975:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 08/Mar/21 15:14
            Start Date: 08/Mar/21 15:14
    Worklog Time Spent: 10m 
      Work Description: rzo1 commented on a change in pull request #21:
URL: 
https://github.com/apache/tomee-site-generator/pull/21#discussion_r589498364



##########
File path: src/main/java/org/apache/tomee/website/Downloads.java
##########
@@ -149,7 +149,7 @@ private static void printRow(Download d) {
                 "|" + new SimpleDateFormat("d MMM 
yyyy").format(Date.from(LocalDateTime.parse(d.date, 
RFC_1123_DATE_TIME).toInstant(ZoneOffset.UTC))) +
                 "|" + d.size + " MB " +
                 "|" + d.format.toUpperCase() +
-                "| " + d.url + "[icon:download[] " + d.format.toUpperCase() + 
"] " + d.sha1 + "[icon:download[] SHA1] " + d.md5 + "[icon:download[] MD5]");
+                "| " + d.url + "[icon:download[] " + d.format.toUpperCase() + 
"] " + d.sha1 + "[icon:download[] SHA1] " + d.md5 + "[icon:download[] MD5] " + 
d.asc + "[icon:download[] PGP]");
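
Review bot: `d.asc` is appended unconditionally at the end of the added line, so a `Download` whose signature URL was never populated would render as the literal text `null[icon:download[] PGP]`, because Java string concatenation prints a null reference as "null". TOMEE-2975 requires a signature for every release artifact, so it would be safer to fail generation (or at least skip the link and log a warning) when `d.asc` is missing than to publish a dead link. The same row still offers only SHA1 and MD5 as checksums, which leaves the PGP signature as the only strong integrity check on the page. If the KEYS link and the verification instructions the issue asks for are not added elsewhere in this pull request, they are still outstanding.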

Review comment:
   I think, `Downloads` generates a download page based on `repo.maven.apache.org`, which does not contain SHA256 or SHA512 files. Afaik, Maven is capable of generating SHA256 / SHA512 checksums during publishing.

   In general, it seems, the URL pattern was switched from `repo.maven.apache.org` to the mirror links `https://www.apache.org/dyn/closer.cgi/...` with `7.0.5 +`.

   > Yep sadly which means the content became no more validated and potentially erroneous since I assume nothing checks the links work.

   This is true. Afaik, there is no automated process of doing this atm.

   > Yep sadly which means the content became no more validated and potentially erroneous since I assume nothing checks the links work. I would keep the central links for binary since they are more reliable than mirrors generally BTW.

   There is also an open issue to reduce disk load on the ASF mirrors, which was pinged by INFRA recently: https://issues.apache.org/jira/browse/TOMEE-1096

   Might be worth bringing this to the **dev@** list for further discussions?

   Maybe @jgallimore, @jeanouii or @cesarhernandezgt also have some thoughts on it?






Issue Time Tracking
-------------------

    Worklog Id:     (was: 562407)
    Time Spent: 1.5h  (was: 1h 20m)

> Download page must provide sigs for all release artifacts
> ---------------------------------------------------------
>
>                 Key: TOMEE-2975
>                 URL: https://issues.apache.org/jira/browse/TOMEE-2975
>             Project: TomEE
>          Issue Type: Bug
>         Environment: http://tomee.apache.org/download-ng.html
>            Reporter: Sebb
>            Assignee: Richard Zowalla
>            Priority: Major
>          Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> None of the releases on the download page have signature files (.asc).
> These are required:
> [https://infra.apache.org/release-distribution#sigs-and-sums]
> The asc files are present on the download site, they just need to be linked 
> from the page.
> Also there must be a link to the KEYS file, as well as download verification 
> instructions.


