Hi,

the download page says:

"First download the KEYS as well as the asc signature file for the
particular distribution. Make sure you get these files from the main
distribution directory, rather than from a mirror. "

Yet the KEYS file we distribute is on people.apache.org [1] where the
KEYS files of all other projects are. So we are not distributing the
file from the location that we stress people to use.
I see other Apache projects having a copy of their KEYS file in the
dist folder where they distribute the source tarballs from.

Any objections against doing the same thing?

Lieven

[1] https://people.apache.org/keys/group

Reply via email to