[
https://issues.apache.org/jira/browse/MNG-6421?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16497214#comment-16497214
]
Olaf Flebbe edited comment on MNG-6421 at 5/31/18 9:33 PM:
-----------------------------------------------------------
Thanks for fixing the site! Now everything works as expected.
Nope, hey what is going on? maven.apache.org/download.html is behaving weird.
was (Author: oflebbe):
Thanks for fixing the site! Now everything works as expected.
> Please add a signature to apache downloads
> ------------------------------------------
>
> Key: MNG-6421
> URL: https://issues.apache.org/jira/browse/MNG-6421
> Project: Maven
> Issue Type: Bug
> Components: General
> Reporter: Olaf Flebbe
> Priority: Major
>
> While trying to fix maven download in the Apache Bigtop toolchain:
> There seems to be no way to verify the integrity of the Maven releases at
> apache and their mirrors.
> Download from [www.apache.org/dist|http://www.apache.org/dist] is discouraged
> for larger files from INFRA. The download links are either not secure or not
> on the same trustlevel as https://www.apache.org
> I would recommend to have a https:// link to a gnupg file signature (asc)
> which can be downloaded from
> [www.apache.org/dist|http://www.apache.org/dist] (Please see ant as an
> example).
> Signatures should be provided for both source and binaries.
> Please correct me if there is a different way to either have an secure and
> trusted download or a way to automatically verify.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
