Olaf Flebbe created MNG-6421:
--------------------------------
Summary: Please add a signature to apache downloads
Key: MNG-6421
URL: https://issues.apache.org/jira/browse/MNG-6421
Project: Maven
Issue Type: Bug
Components: General
Reporter: Olaf Flebbe
While trying to fix maven download in the Apache Bigtop toolchain:
There seems to be no way to verify the integrity of the Maven releases at
apache and their mirrors.
Download from [www.apache.org/dist|http://www.apache.org/dist] is discouraged
for larger files from INFRA. The download links are either not secure or not on
the same trustlevel as https://www.apache.org
I would recommend to have a https:// link to a gnupg file signature (asc) which
can be downloaded from [www.apache.org/dist|http://www.apache.org/dist]
(Please see ant as an example).
Signatures should be provided for both source and binaries.
Please correct me if there is a different way to either have an secure and
trusted download or a way to automatically verify.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
