https://issues.apache.org/bugzilla/show_bug.cgi?id=47173
--- Comment #5 from Glenn Adams <[email protected]> 2012-04-11 02:38:25 UTC --- (In reply to comment #4) > (In reply to comment #3) > > my apologies, i posted the wrong link; if you follow link [2] in the link I > > did > > post [1]: > > > > [1] http://xmlgraphics.apache.org/commons/download.html > > > > Source ("-src") and binary ("-bin") distributions can be downloaded from a > > Apache XML Graphics Commons Distribution Mirror [2]. > > > > [2] http://www.apache.org/dyn/closer.cgi/xmlgraphics/commons > > > > you will land at a page that (1) lists download mirrors and (2) contains a > > section "Verify the integrity of the files" > > OK > > > if you pick a download mirror, say [3], then you will find binaries [4] and > > source [5] directories containing signatures and hashes, and also a file > > containing keys [6] > > [3] is *not a mirror* ok, it's the main distribution site > An example mirror site is [3a]. The corresponding binaries [4a] and source > [5a] > pages don't include hashes. > > There is a KEYS file at [6a] but [1] says to download KEYS from the ASF. > > [3a] http://mirrors.ukfast.co.uk/sites/ftp.apache.org/xmlgraphics/commons/ > [4a] > http://mirrors.ukfast.co.uk/sites/ftp.apache.org/xmlgraphics/commons/binaries > [5a] > http://mirrors.ukfast.co.uk/sites/ftp.apache.org/xmlgraphics/commons/source > [6a] http://mirrors.ukfast.co.uk/sites/ftp.apache.org/xmlgraphics/commons/KEYS we have no control over mirror site configuration > > [3] http://www.apache.org/dist/xmlgraphics/commons > > [4] http://www.apache.org/dist/xmlgraphics/commons/binaries/ > > [5] http://www.apache.org/dist/xmlgraphics/commons/source/ > > [6] http://www.apache.org/dist/xmlgraphics/commons/KEYS > > > > there does not need to be any more information provided in [1] the reason is > > clear: [1] doesn't actually make direct reference to any downloadable > > binary or > > source images > > Note that [1] says > > "The PGP signatures can be verified using PGP or GPG. First download the KEYS > as well as the asc signature file for the relevant distribution. Make sure you > get these files from the main distribution site, rather than from a mirror." > > This is not at all easy to do with the current download page. sorry, it doesn't have to be easy; your original comment claimed "sigs and hashes are a requirement for all apache projects"; i pointed you at the main distribution site where sigs and hashes are provided; that satisfies you claim... full stop > Have a look at how other TLPs do it. if you would like to propose a patch for the current download page [1], i'll take a look at it; otherwise, i don't intend to take any other action; i will leave this open for a week more in case you wish to post a patch; if not received by then, this bug will be closed thanks for you input -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
