https://bz.apache.org/bugzilla/show_bug.cgi?id=55808
--- Comment #8 from Yann Ylavic <ylavic....@gmail.com> ---
(In reply to fedor.brunner from comment #6)
>
> So the integrity of the downloaded file would be tied to the TLS security of
> apache.org and SHA-1 security.

The user is expected to trust TLS for the route to apache.org, apache.org for the integrity of /dist/ (where the original and its digests/signature land), and finally MD5/SHA1/PGP for the integrity of the tarball.

So a tarball from any other location should still be verified against digest/signatures from apache.org/dist/, not the mirror's.
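An added example (not part of the original comment or of any Apache project code) of the check the comment describes: the tarball bytes may come from any location, but the digest is accepted only from the origin's /dist/ tree over HTTPS. The host names, file name and sample bytes are constructed assumptions, and the digest file is passed in as text so the example runs offline.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumption: these hosts stand for the "apache.org/dist/" origin named in the comment.
TRUSTED_HOSTS = {"apache.org", "www.apache.org"}
TRUSTED_PREFIX = "/dist/"


def digest_source_is_trusted(url: str) -> bool:
    """Accept a digest URL only if it is HTTPS, on the origin host, under /dist/."""
    parts = urlsplit(url)
    return (parts.scheme == "https"
            and parts.hostname in TRUSTED_HOSTS
            and parts.path.startswith(TRUSTED_PREFIX)
            and ".." not in parts.path.split("/"))


def parse_digest_line(text: str, filename: str) -> str:
    """Return the hex digest listed for filename in 'HEX  name' or 'HEX *name' lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[1].lstrip("*") == filename:
            return fields[0].lower()
    raise ValueError(f"no digest entry for {filename}")


def verify_tarball(data: bytes, filename: str, digest_url: str,
                   digest_text: str, algorithm: str = "sha1") -> bool:
    """Check tarball bytes (from any location) against a digest from the origin."""
    if not digest_source_is_trusted(digest_url):
        raise ValueError(f"digest not from trusted origin: {digest_url}")
    expected = parse_digest_line(digest_text, filename)
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample input: b"abc" stands in for the tarball bytes from a mirror.
SAMPLE_NAME = "httpd-X.Y.Z.tar.gz"
SAMPLE_DATA = b"abc"
SAMPLE_DIGEST_TEXT = "a9993e364706816aba3e25717850c26c9cd0d89d *httpd-X.Y.Z.tar.gz\n"
ORIGIN_URL = "https://www.apache.org/dist/httpd/httpd-X.Y.Z.tar.gz.sha1"
MIRROR_URL = "https://mirror.example/apache/httpd/httpd-X.Y.Z.tar.gz.sha1"

if __name__ == "__main__":
    print(verify_tarball(SAMPLE_DATA, SAMPLE_NAME, ORIGIN_URL, SAMPLE_DIGEST_TEXT))
```

A digest only detects modification relative to whatever /dist/ served; the PGP signature mentioned in the comment is checked separately against the project's published keys.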