Author: crossley
Date: Sun Nov 7 03:08:02 2004
New Revision: 56840
Modified:
cocoon/site/site/mirror.html
Log:
Update the mirrors page. Encourage them to use PGP signatures and MD5 checksums.
Modified: cocoon/site/site/mirror.html
==============================================================================
--- cocoon/site/site/mirror.html (original)
+++ cocoon/site/site/mirror.html Sun Nov 7 03:08:02 2004
@@ -15,8 +15,11 @@
<h3><a name="release">Releases download:</a></h3>
<p>
- You can browse our distribution archive or download the latest Cocoon
distribution
- by clicking on one of the links provided below.
+ Browse our distribution archive or download the latest Cocoon
distribution
+ by selecting one of the links provided below.
+ It is good practice to
+ <a href="[location]#verify">verify the integrity</a>
+ of the distribution files.
</p>
<p>
<a name="binaries-note"><b>NOTE:</b></a> Starting with 2.1 we will only
release a source distribution. This
@@ -59,10 +62,14 @@
<li>
TAR/GZIP format (Unix platforms):
<a
href="[preferred]/cocoon/cocoon-2.1.5.1-src.tar.gz">cocoon-2.1.5.1-src.tar.gz</a>
+ [<a
href="http://www.apache.org/dist/cocoon/cocoon-2.1.5.1-src.tar.gz.asc";>PGP
signature</a>]
+ [<a
href="http://www.apache.org/dist/cocoon/cocoon-2.1.5.1-src.tar.gz.md5";>MD5
checksum</a>]
</li>
<li>
ZIP format (Windows platforms):
<a
href="[preferred]/cocoon/cocoon-2.1.5.1-src.zip">cocoon-2.1.5.1-src.zip</a>
+ [<a
href="http://www.apache.org/dist/cocoon/cocoon-2.1.5.1-src.zip.asc";>PGP
signature</a>]
+ [<a
href="http://www.apache.org/dist/cocoon/cocoon-2.1.5.1-src.zip.md5";>MD5
checksum</a>]
</li>
</ul>
</dt>
@@ -115,23 +122,23 @@
<li><a href="[preferred]/cocoon/events/">Material from events</a></li>
</ul>
- <h3><a name="nightly">Nightly snapshots:</a></h3>
+ <h3><a name="snapshots" /><a name="nightly">Snapshots:</a></h3>
<p>
In addition to the above mentioned release and milestone distributions,
you can
- also download the bleeding-edge code freshly extracted from our CVS
repositories:
+ also download the bleeding-edge code freshly extracted from our SVN
repositories (snapshots are generated every six hours):
</p>
<ul>
<li>
- <a href="http://cvs.apache.org/snapshots/cocoon-2.0/";>Apache Cocoon
2.0</a>
+ <a href="http://cvs.apache.org/snapshots/cocoon-2.1/";>Apache Cocoon
2.1</a>
nightly snapshots archives.
</li>
<li>
- <a href="http://cvs.apache.org/snapshots/cocoon-2.1/";>Apache Cocoon
2.1</a>
+ <a href="http://cvs.apache.org/snapshots/cocoon-2.2/";>Apache Cocoon
2.2</a>
nightly snapshots archives.
</li>
</ul>
<p>
- <b>NOTE:</b> The nightly CVS snapshots are not tested and are not
guaranteed to
+ <b>NOTE:</b> The nightly SVN snapshots are not tested and are not
guaranteed to
even build cleanly without generating errors. Download and use them if
(and only
if) you know <i>exactly</i> what you are doing.
</p>
@@ -139,7 +146,7 @@
<h3><a name="mirror">Using Apache mirrors:</a></h3>
<p>
To conserve the bandwidth of the Apache Software Foundation, and improve
- your download times, all <a href="http://cocoon.apache.org/";>Apache
+ your download times, the <a href="http://cocoon.apache.org/";>Apache
Cocoon</a> source and binary distributions have been spread across the
<a href="http://www.apache.org/mirrors/";>Apache mirrored distribution
sites</a>.
</p>
@@ -166,9 +173,52 @@
</p>
<p>
If all mirrors are failing, or you have problems downloading from them,
please
- use one of the ASF primary backup nodes from the list above, or jump
directly
- to our <a href="http://www.apache.org/dist/cocoon/";>primary distribution
site</a>.
+ use one of the ASF primary backup nodes from the list above.
</p>
+
+<h3><a name="verify" />Verify releases:</h3>
+
+<p>It is essential that you verify the integrity of the downloaded
+files using the PGP and MD5 signatures. MD5 verification ensures the
+file was not corrupted during the download process. PGP verification
+ensures that the file came from a certain person.</p>
+
+<p>The PGP signatures can be verified using
+<a href="http://www.pgpi.org/";>PGP</a> or
+<a href="http://www.gnupg.org/";>GPG</a>.
+First download the Apache Cocoon
+<a href="http://svn.apache.org/repos/asf/cocoon/trunk/KEYS";>KEYS</a>
+as well as the <code>asc</code> signature file for the particular
+distribution. It is important that you get these files from the ultimate
+trusted source - the main ASF distribution site, rather than from a mirror.
+Then verify the signatures using ...</p>
+
+<pre>
+% pgpk -a KEYS
+% pgpv cocoon-X.Y.tar.gz.asc
+
+<em>or</em>
+
+% pgp -ka KEYS
+% pgp cocoon-X.Y.tar.gz.asc
+
+<em>or</em>
+
+% gpg --import KEYS
+% gpg --verify cocoon-X.Y.tar.gz.asc
+</pre>
+
+<p>To verify the MD5 signature on the files, you need to use a program
+called <code>md5</code> or <code>md5sum</code>, which is
+included in many unix distributions. It is also available as part of
+<a href="http://www.gnu.org/software/textutils/textutils.html";>GNU
+Textutils</a>. Windows users can get binary md5 programs from <a
+href="http://www.fourmilab.ch/md5/";>here</a>, <a
+href="http://www.pc-tools.net/win32/freeware/console/";>here</a>, or
+<a href="http://www.slavasoft.com/fsum/";>here</a>.</p>
+
+<p>We strongly recommend you verify your downloads with both PGP and MD5.</p>
+
<hr />
<div align="center">
<small>
