[ https://issues.apache.org/jira/browse/SYNCOPE-1330?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16529620#comment-16529620 ]

ASF subversion and git services commented on SYNCOPE-1330:
----------------------------------------------------------

Commit c09def901e2eef9dfe6cd598c3c561c839814f42 in syncope's branch 
refs/heads/master from [~ilgrosso]
[ https://git-wip-us.apache.org/repos/asf?p=syncope.git;h=c09def9 ]

[SYNCOPE-1330] Any MD5 reference removed from downloads page; MD5 generation 
removed from release process; signature and hash verification adjusted (using 
CXF as template)


> MD5 should no longer be provided on download pages
> --------------------------------------------------
>
>                 Key: SYNCOPE-1330
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-1330
>             Project: Syncope
>          Issue Type: Bug
>         Environment: http://syncope.apache.org/downloads.html
>            Reporter: Sebb
>            Assignee: Francesco Chicchiriccò
>            Priority: Major
>
> The use of MD5 hashes on download pages was deprecated recently
> https://www.apache.org/dev/release-distribution#sigs-and-sums
> MD5 hashes should no longer be generated or linked from the download page.
> [They are only OK for historic releases that don't have other hashes]
> Also there is no point asking users to check both the signature and the hash.
> The signature should be checked; if that is not possible, check the hash.
> Further, the GPG example needs to include the file name as well, e.g.
> gpg --verify syncope-*.zip.asc syncope-*.zip
> [However using "*" to represent the variable part of a file name is not ideal]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
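
The verification order the issue asks for (check the signature; only if that is not possible, check the hash; do not rely on MD5), as an added shell example that is not part of the original message or of the Syncope project. The function names and the `.sha512` layout (hex digest as the first field) are assumptions, as is a GPG keyring that already holds the signer's public key.

```shell
# Added example: verify one release artifact, signature first, SHA-512 as fallback.
# Assumes GNU coreutils sha512sum and a .sha512 file whose first field is the hex digest.

# Compare the artifact's SHA-512 with the published digest.
check_sha512() {
    file=$1
    expected=$(awk '{print tolower($1); exit}' "$file.sha512")
    actual=$(sha512sum "$file" | awk '{print $1}')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Returns 0 when verified, 1 on failure, 2 when nothing acceptable is available.
verify_release() {
    file=$1
    [ -f "$file" ] || { echo "missing artifact: $file" >&2; return 2; }

    # Preferred: detached signature. Name both the .asc and the artifact explicitly.
    if [ -f "$file.asc" ] && command -v gpg >/dev/null 2>&1; then
        if gpg --verify "$file.asc" "$file"; then
            echo "signature OK: $file"; return 0
        fi
        # A failed signature check is final; do not fall back to the hash.
        echo "signature NOT verified: $file" >&2; return 1
    fi

    # Fallback only when the signature cannot be checked.
    if [ -f "$file.sha512" ]; then
        if check_sha512 "$file"; then
            echo "sha512 OK (signature not checked): $file"; return 0
        fi
        echo "sha512 MISMATCH: $file" >&2; return 1
    fi

    # An .md5 file alone is not accepted as evidence.
    [ -f "$file.md5" ] && echo "only MD5 available, refusing: $file" >&2
    return 2
}
```

Call it with a concrete file name rather than a glob, so the `.asc` and the artifact it covers are always the pair being checked.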