Fixed in CALCITE-2577
On 20/09/2018 9:42 AM, Julian Hyde wrote:
Can you please change those URLs to use https?
On Sep 19, 2018, at 4:37 PM, [email protected] wrote:
Repository: calcite
Updated Branches:
refs/heads/master d262c860a -> d3b02ae2c
[CALCITE-2574] Update download page to include instructions for verifying
a downloaded artifact
Project: http://git-wip-us.apache.org/repos/asf/calcite/repo
Commit: http://git-wip-us.apache.org/repos/asf/calcite/commit/d3b02ae2
Tree: http://git-wip-us.apache.org/repos/asf/calcite/tree/d3b02ae2
Diff: http://git-wip-us.apache.org/repos/asf/calcite/diff/d3b02ae2
Branch: refs/heads/master
Commit: d3b02ae2cb9dce786270d6657b8e758ce3aa55f1
Parents: d262c86
Author: Francis Chuang <[email protected]>
Authored: Thu Sep 20 09:37:09 2018 +1000
Committer: Francis Chuang <[email protected]>
Committed: Thu Sep 20 09:37:09 2018 +1000
----------------------------------------------------------------------
site/downloads/index.md | 38 +++++++++++++++++++++++++++++++-------
1 file changed, 31 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/calcite/blob/d3b02ae2/site/downloads/index.md
----------------------------------------------------------------------
diff --git a/site/downloads/index.md b/site/downloads/index.md
index 4770e44..0d00c41 100644
--- a/site/downloads/index.md
+++ b/site/downloads/index.md
@@ -70,16 +70,11 @@ Release | Date | Commit | Download
{% endcomment %}
{% endfor %}
-Choose a source distribution in either *tar* or *zip* format,
-and [verify](http://www.apache.org/dyn/closer.cgi#verify)
-using the corresponding *pgp* signature (using the committer file in
-[KEYS](http://www.apache.org/dist/calcite/KEYS)).
-If you cannot do that, use the *digest* file
-to check that the download has completed OK.
+Choose a source distribution in either *tar* or *zip* format.
For fast downloads, current source distributions are hosted on mirror servers;
older source distributions are in the
-[archive](http://archive.apache.org/dist/calcite/)
+[archive](http://archive.apache.org/dist/calcite/)
or [incubator archive](http://archive.apache.org/dist/incubator/calcite/).
If a download from a mirror fails, retry, and the second download will likely
succeed.
@@ -87,6 +82,35 @@ succeed.
For security, hash and signature files are always hosted at
[Apache](https://www.apache.org/dist).
+# Verify the integrity of the files
+
+You must verify the integrity of the downloaded file using the PGP signature
(.asc file) or a hash (.sha256, .md5 for older
+releases). For more information why this must be done, please read [Verifying
Apache Software Foundation
Releases](https://www.apache.org/info/verification.html).
+
+To verify the signature using GPG or PGP, please do the following:
+
+1. Download the release artifact and the corresponding PGP signature from the
table above.
+2. Download the [Apache Calcite KEYS](http://www.apache.org/dist/calcite/KEYS)
file.
+3. Import the KEYS file and verify the downloaded artifact using one of the
following methods:
+{% highlight shell %}
+% gpg --import KEYS
+% gpg --verify downloaded_file.asc downloaded_file
+{% endhighlight %}
+
+or
+
+{% highlight shell %}
+% pgpk -a KEYS
+% pgpv downloaded_file.asc
+{% endhighlight %}
+
+or
+
+{% highlight shell %}
+% pgp -ka KEYS
+% pgp downloaded_file.asc
+{% endhighlight %}
+
# Maven artifacts
Add the following to the dependencies section of your `pom.xml` file:
