On 25/08/2018 15:21, Daniel Shahaf wrote:
> luke1...@apache.org wrote on Sat, 25 Aug 2018 12:48 +0000:
>> +++ subversion/site/staging/download.html Sat Aug 25 12:48:24 2018
>> @@ -258,7 +258,8 @@ Other mirrors:
>>
>> <p>Alternatively, you can verify the checksums on the files.
> [preëxisting issue] This sentence is misleading to people not well-versed
> in crypto, isn't it?
>
> PGP verification provides stronger assurances than a checksum
> verification, but this sentence makes it sound like the two methods are
> equivalent. How about changing it to, say, ---
>
> If you're unable to verify the PGP signatures, you can instead verify the
> checksums on the files.
> However, PGP signatures are superior[citation needed] to checksum, and we
> recommend to verify using PGP whenever possible.
>
> Where [citation needed] links to some not-too-technical explanation of the
> matter.

Sounds reasonable to me. Don't hesitate to adjust. ;-)

>
>> A unix program called <code>sha512sum</code>
>> - is included in many unix distributions.</p>
>> + is included in many unix distributions.<br />
>> + On Windows you can use the certutil command line tool, for instance.</p>
> Perhaps add the specific --option flags here? Or at least use <code/>
> tags to get the monospaced font.

Added more specific usage sample for certutil (incl. the missing <code>-tags) in r1839052.

Regards,
Stefan
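
Review bot: The added "On Windows you can use the certutil command line tool, for instance." line names the tool without <code> markup and without telling the reader which hash algorithm to request, while the line above it points Unix users at <code>sha512sum</code>. A Windows reader who runs the tool with a different algorithm will get a digest that does not match the published checksum and cannot tell a corrupted download from a wrong invocation. Suggest giving the full command in <code> tags, for example `certutil -hashfile <file> SHA512`, and dropping "for instance" so the sentence reads as an instruction. The context line "Alternatively, you can verify the checksums on the files." is also left as it was in this hunk; it would be worth rewording in the same change so that the checksum is presented as a fallback to PGP signature verification, not as an equivalent.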