Hi Jeremy,

I was also asked to remove those files. :) It looks like the .asc.md5 and .asc.sha1 files are produced by an interaction between the GPG plugin and the maven release plugin. I found a few Apache projects whose release instructions said the files should be deleted, so I went ahead and removed them, and corrected our scripts so they don't get uploaded in future.

Holly

On Mon, Sep 17, 2012 at 3:43 PM, Jeremy Hughes <[email protected]> wrote:
> It's been pointed out that we have a large number of these files in
> www.apache.org/dist/aries and that they don't serve any purpose. When
> I looked again at
>
> http://www.apache.org/dev/release-signing#check-integrity
>
> I realised we only need:
>
> <released artifact>
> <released artifact>.asc
> <released artifact>.md5
> <released artifact>.sha1
>
> in fact we probably should have .sha512 as well but that's another
> discussion. There's no need to provide hash sums of the signatures!
>
> So ... you can check the validity of the released artifact by
> downloading from anywhere that's serving it up as long as you compare
> its hash with the hash in the hashsum file served out from
> apache.org.
>
> Verifying the signature will go that step further by checking that the
> person who created the released artifact is in the Apache web of
> trust.
>
> So, I would like to remove the superfluous .asc.md5 / .asc.sha1
> files and for us to not create them in our release process any longer.
> I'll remove them in 24 hours to wait for objections, if any.
>
> Thanks,
> Jeremy
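An added example, not part of the thread and not the Aries release scripts: a Python audit of one release directory that flags the checksum-of-signature files discussed above, reports missing .asc/.md5/.sha1 companions, and compares each artifact with its checksum files. The names `audit_dist` and `demo` and the sample file names are assumptions made for illustration; signature verification itself (gpg) is not performed.

```python
import hashlib
import tempfile
from pathlib import Path

HASHES = {".md5": "md5", ".sha1": "sha1"}  # checksum types listed in the thread


def audit_dist(dist_dir):
    """Audit one release directory; returns lists of file names.

    superfluous: checksums of signatures (*.asc.md5, *.asc.sha1)
    missing:     .asc/.md5/.sha1 companions an artifact lacks
    mismatch:    checksum files that do not match the artifact's digest
    """
    root = Path(dist_dir)
    names = sorted(p.name for p in root.iterdir() if p.is_file())
    report = {"superfluous": [], "missing": [], "mismatch": []}
    for name in names:
        stem, ext = Path(name).stem, Path(name).suffix
        if ext in HASHES:
            if stem.endswith(".asc"):
                report["superfluous"].append(name)
            continue  # checksum files are checked via their artifact
        if ext == ".asc":
            continue  # signatures need gpg --verify, out of scope here
        data = (root / name).read_bytes()
        for comp_ext in (".asc", *HASHES):
            comp = name + comp_ext
            if comp not in names:
                report["missing"].append(comp)
            elif comp_ext in HASHES:
                # Assumes the digest is the first token (bare hex or "hex  file")
                fields = (root / comp).read_text().split()
                actual = hashlib.new(HASHES[comp_ext], data).hexdigest()
                if not fields or fields[0].lower() != actual:
                    report["mismatch"].append(comp)
    return report


def demo():
    """Constructed sample: one artifact with a stale .sha1 and stray .asc.* sums."""
    with tempfile.TemporaryDirectory() as d:
        root, jar = Path(d), b"constructed artifact bytes"
        (root / "demo-1.0.jar").write_bytes(jar)
        (root / "demo-1.0.jar.asc").write_text("constructed signature placeholder")
        (root / "demo-1.0.jar.md5").write_text(hashlib.md5(jar).hexdigest())
        (root / "demo-1.0.jar.sha1").write_text("0" * 40)
        (root / "demo-1.0.jar.asc.md5").write_text("constructed")
        (root / "demo-1.0.jar.asc.sha1").write_text("constructed")
        return audit_dist(root)
```

The comparison is only meaningful when the checksum files come from apache.org, as the quoted message says; a checksum served from the same mirror as the artifact only shows the two files are consistent with each other.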
