[
https://issues.apache.org/jira/browse/GROOVY-9458?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17072734#comment-17072734
]
Paul King commented on GROOVY-9458:
-----------------------------------
Well, it wouldn't be those pages. They are about releases. Do you know which
document prohibits links to third-party artifacts? It would be the owner of
that document I would need to see or perhaps branding?
> Missing sigs and hashes on download page
> ----------------------------------------
>
> Key: GROOVY-9458
> URL: https://issues.apache.org/jira/browse/GROOVY-9458
> Project: Groovy
> Issue Type: Bug
> Reporter: Sebb
> Priority: Major
>
> The public download page includes links to several Windows installer
> executables.
> These have neither signatures nor hashes.
> However as per [1]
> "All supplied packages MUST be cryptographically signed by the Release
> Manager with a detached signature"
> And as per [2]
> "For every artifact distributed to the public through Apache channels, the
> PMC ... MUST supply at least one checksum file"
> Please either remove the links or provide the required sigs and hashes.
> Thanks.
> [1] http://www.apache.org/legal/release-policy.html#release-signing
> [2] https://www.apache.org/dev/release-distribution#sigs-and-sums
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
