On Sun, Dec 13, 2015 at 12:37 PM, Ivan Zhakov <i...@apache.org> wrote:
> On 13 December 2015 at 21:08, Lieven Govaerts <l...@apache.org> wrote:
> > Hi,
> >
> > the download page says:
> >
> > "First download the KEYS as well as the asc signature file for the
> > particular distribution. Make sure you get these files from the main
> > distribution directory, rather than from a mirror."
> >
> > Yet the KEYS file we distribute is on people.apache.org [1] where the
> > KEYS files of all other projects are. So we are not distributing the
> > file from the location that we stress people to use.
> > I see other Apache projects having a copy of their KEYS file in the
> > dist folder where they distribute the source tarballs from.
> >
> > Any objections against doing the same thing?
>

If you mean, have the download page specify
https://people.apache.org/keys/group/serf.asc, then I agree. I don't see
a need to make a copy or try to maintain a KEYS file anywhere else.

> The problem is that tarballs are usually downloaded from mirrors (via
> plain http://), so downloading KEYS from there doesn't increase
> protection from forging the tarball.
>

It already covers that: "Make sure you get these files from the main
distribution directory, rather than from a mirror."

Cheers,
-g