[ https://issues.apache.org/jira/browse/ZOOKEEPER-2292?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14957073#comment-14957073 ]

Elias Levy commented on ZOOKEEPER-2292:
---------------------------------------

Chris, thanks for pointing out the signature at the main Apache site.  Given 
that, then this issue should morph into documenting the availability of the 
signature in the Apache ZooKeeper Releases page, as otherwise there is no 
indication this signature exists anywhere on the web site that I could find.

> Sign the download package
> -------------------------
>
>                 Key: ZOOKEEPER-2292
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2292
>             Project: ZooKeeper
>          Issue Type: Improvement
>          Components: build
>            Reporter: Elias Levy
>
> Current ZK is made available for download as a compressed archive.  Within 
> the archive, there is a cryptographic signature for the ZK JAR file. Alas, 
> the signature does not cover any of the other executable components that ZK 
> depends on, such as JARs in the lib directory or the scripts in the bin 
> directory.  These could be tampered with.
> The whole download package should be signed and the signature made available 
> along with it.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
