My first thought was 'I want to have all the stuff inside the distro.' That means also the ASC. But having the ASC inside the distro means letting the key on the lock ...
So the 2nd thought was: how to verify the download? - download - hashvalue checksum - pgp check We could provide a howto file in the distro, but we also could provide a build snippet for automating that. a) provide the snippet via website and define an Ant property which artifact to get b) provide the snippet inside the distro and will only do the two checks (getting the checksums directly from the ASF server) Jan > -----Ursprüngliche Nachricht----- > Von: Stefan Bodewig [mailto:bode...@apache.org] > Gesendet: Mittwoch, 14. Juni 2017 09:17 > An: dev@ant.apache.org > Betreff: Re: [VOTE] Release Compress Antlib 1.5 based on RC3 > > On 2017-06-13, Jan Matèrne (jhm) wrote: > > >> Should we include the PGP [e.g. 1] signature in the future? > > > Answer myself: should be only on ASF server, so people could trust > > that ;) Maybe place a note (next time) how to check that (do we have > a > > build snippet for that?) > > I'm not exactly sure what you mean. > > Should I have included the PGP signature of any of the artifacts inside > of the vote email? > > The vote email I've sent may have been a bit terse and I'm happy to > improve on it. > > Stefan > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org For additional > commands, e-mail: dev-h...@ant.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org For additional commands, e-mail: dev-h...@ant.apache.org
