Correction; KEYS file MUST be in the distribution directory as well.

On Wed, Mar 14, 2018 at 1:48 PM, Niclas Hedhman <nic...@hedhman.org> wrote:

>
> It may be that everyone is ignoring Justin, so I thought I would provide
> the link; http://www.apache.org/dev/release-distribution.html#sigs-and
> -sums
>
> <quote>
> The names of signature and checksum files *MUST* be formed by adding to
> the name of the artifact the following suffixes:
>
> .asc for a (ASCII armored) PGP signature
> .sha1 for a SHA-1 checksum
> .sha256 for a SHA-256 checksum
> .sha512 for a SHA-512 checksum
> </quote>
>
> This is not the case for https://dist.apache.org/repos/
> dist/dev/royale/0.9.2/rc2
> <https://dist.apache.org/repos/dist/dev/royale/0.9.2/rc2/apache-royale-0.9.2-src.zip>
>
> I also can't easily find the KEYS file that MUST be published on website
> (typically on download page, otherwise in repository root).
>
>
> You WILL get a friendly correction from someone in Infra, probably Henk
> Penning, who is the long standing (for decades) security/crypto pillar of
> the foundation. It is a lot easier to simply change the file name according
> before that.
>
>
> HTH & Cheers
> Niclas
>
>
>
> On Wed, Mar 14, 2018 at 5:56 AM, Justin Mclean <jus...@classsoftware.com>
> wrote:
>
>> Hi,
>>
>> The sha files have the wrong extension, I mentioned that some time ago
>> here. [1] The extension maters due to how hashes and the mirror system
>> interact.
>>
>> They can be easily renamed to be correct (i.e.ending in .sha512 not
>> .SHA-512) and there’s no need to revote/make another RC due to this.
>>
>> Thanks,
>> Justin
>>
>> 1. https://lists.apache.org/thread.html/dbe6370c0a088be60b2f28a
>> c05819c89e4cc5b688ecbe82fc00fe73c@%3Cdev.royale.apache.org%3E
>
>
>
>
> --
> Niclas Hedhman, Software Developer
> http://polygene.apache.org - New Energy for Java
>



-- 
Niclas Hedhman, Software Developer
http://polygene.apache.org - New Energy for Java

Reply via email to