Sebb created CLOUDSTACK-10280:

             Summary: Please use HTTPS for KEYS, sigs and hashes
                 Key: CLOUDSTACK-10280
             Project: CloudStack
          Issue Type: Improvement
      Security Level: Public (Anyone can view this level - this is the default.)
            Reporter: Sebb

The download page is generally fine.

However the links to the KEYS, sigs (PGP) and hashes use http; ideally they 
should use https.

Also the gpg command should read:

gpg --verify apache-cloudstack-X.X.X-src.tar.bz2.asc 

i.e. both the detached sig and the artifact itself should be specified.

This message was sent by Atlassian JIRA

Reply via email to