[
https://issues.apache.org/jira/browse/AMQ-8357?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17401668#comment-17401668
]
Sebb commented on AMQ-8357:
---------------------------
Also, gpg verify should specify the second parameter:
https://www.apache.org/info/verification.html#specify_both
It looks like the page no longer mentions MD5, however it does not mention how
to verify a download using a SHA hash either.
> Download page for 5.16.3 refers to MD5; must not link to Git
> ------------------------------------------------------------
>
> Key: AMQ-8357
> URL: https://issues.apache.org/jira/browse/AMQ-8357
> Project: ActiveMQ
> Issue Type: Bug
> Reporter: Sebb
> Assignee: Jean-Baptiste Onofré
> Priority: Major
>
> The download page [1] refers several times to MD5. Such hashes are
> deprecated, and are not actually used by AMQ any more.
> Please update the instructions so that they can be used by downloaders.
> Also Git repos must not be linked from download pages, as they contain code
> that has not been formally released.
> Note also that MD5 is not a signature (nor are SHA*) - they are hashes.
> The PGP asc file is a signature.
> [1] https://activemq.apache.org/activemq-5016003-release
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
