Sebb created HELIX-421:
--------------------------
Summary: Download page: confusion over sigs and hashes
Key: HELIX-421
URL: https://issues.apache.org/jira/browse/HELIX-421
Project: Apache Helix
Issue Type: Bug
Environment: http://helix.apache.org/0.6.3-docs/download.cgi
Reporter: Sebb
The download page conflates the signature and hash files.
However, these serve different purposes, and it's best not to treat them as if
they were the same.
The asc file is a signature.
The md5 and sha1 files are hashes.
The page then says:
"We strongly recommend you verify the integrity of the downloaded files with
both PGP and MD5."
The check provided by the signature (.asc) file is much stronger than the one
provided by either of the hashes. There is no point in checking both.
Have a look at http://www.apache.org/dyn/closer.cgi#verify for how to phrase
this.
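The distinction the report draws, as an added example that is not part of the original issue or of any Apache project code: a hash sidecar file catches transfer corruption, but anyone who can replace the artifact on a mirror can regenerate it, while a detached signature only verifies under the release manager's public key. Ed25519 from the Go standard library stands in here for the PGP signature in the `.asc` file, and the names `Mirror`, `Check` and `Demo` as well as the sample bytes are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"encoding/hex"
	"fmt"
)

// Mirror is everything an untrusted download mirror serves for one release.
type Mirror struct {
	Artifact []byte
	MD5Hex   string // contents of the .md5 sidecar
	Sig      []byte // detached signature (the role of the .asc file)
}

func md5Hex(b []byte) string { s := md5.Sum(b); return hex.EncodeToString(s[:]) }

// Check returns (hash matches sidecar, signature verifies under pub).
// pub must come from somewhere other than the mirror (assumption: a KEYS file).
func Check(m Mirror, pub ed25519.PublicKey) (bool, bool) {
	return md5Hex(m.Artifact) == m.MD5Hex, ed25519.Verify(pub, m.Artifact, m.Sig)
}

// Demo returns {hashOK, sigOK} for a genuine, a corrupted and a replaced download.
func Demo() [3][2]bool {
	pub, priv, err := ed25519.GenerateKey(nil) // release manager's key pair
	if err != nil {
		panic(err)
	}
	release := []byte("constructed sample release archive")
	genuine := Mirror{release, md5Hex(release), ed25519.Sign(priv, release)}

	// Transfer error: one bit flipped, sidecar files untouched.
	corrupted := genuine
	corrupted.Artifact = append([]byte{release[0] ^ 1}, release[1:]...)

	// Mirror-side replacement: new artifact with a regenerated .md5, but the
	// old signature, because the signing key never lives on the mirror.
	other := []byte("constructed replacement archive")
	replaced := Mirror{other, md5Hex(other), genuine.Sig}

	var out [3][2]bool
	for i, m := range []Mirror{genuine, corrupted, replaced} {
		out[i][0], out[i][1] = Check(m, pub)
	}
	return out
}

func main() {
	for i, r := range Demo() {
		fmt.Printf("%-9s hash=%-5v sig=%v\n", []string{"genuine", "corrupted", "replaced"}[i], r[0], r[1])
	}
}
```

The signature check fails in every case where the hash check fails and also in the replaced case where the hash check passes, which is why the hash adds nothing once the signature has been verified.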