It's been pointed out that we have a large number of these files in www.apache.org/dist/aries and that they don't serve any purpose. When I looked again at
http://www.apache.org/dev/release-signing#check-integrity I realised we only need: <released artifact> <released artifact>.asc <released artifact>.md5 <released artifact>.sha1 in fact we probably should have .sha512 as well but that's another discussion. There's no need to provide hash sums of the signatures! So ... you can check the validity of the released artifact by downloading from anywhere that's serving it up as long as you compare the its hash with the hash in the hashsum file served out from apache.org. Verifying the signature will go that step further by checking that the person who created the released artifact is in the Apache web of trust. So, I would like to remvoe the the superfluous .asc.md5 / .asc.sha1 files and for us to not create them in our release process any longer. I'll remove them in 24 hours to wait for objections, if any. Thanks, Jeremy
