Hi, the download page says:
"First download the KEYS as well as the asc signature file for the particular distribution. Make sure you get these files from the main distribution directory, rather than from a mirror. " Yet the KEYS file we distribute is on people.apache.org [1] where the KEYS files of all other projects are. So we are not distributing the file from the location that we stress people to use. I see other Apache projects having a copy of their KEYS file in the dist folder where they distribute the source tarballs from. Any objections against doing the same thing? Lieven [1] https://people.apache.org/keys/group