[
https://issues.apache.org/jira/browse/GROOVY-9458?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17079633#comment-17079633
]
Sebb commented on GROOVY-9458:
------------------------------
The download page links to
https://dl.bintray.com/groovy/Distributions/groovy-3.0.2.msi.
This is a download artifact / package, and is linked from the download page so
must have a sig and a hash.
If you disagree, please raise this with Infra and/or Legal so the rules can be
clarified (if necessary).
> Missing sigs and hashes on download page
> ----------------------------------------
>
> Key: GROOVY-9458
> URL: https://issues.apache.org/jira/browse/GROOVY-9458
> Project: Groovy
> Issue Type: Bug
> Reporter: Sebb
> Priority: Major
>
> The public download page includes links to several Windows installer
> executables.
> These have neither signatures nor hashes.
> However as per [1]
> "All supplied packages MUST be cryptographically signed by the Release
> Manager with a detached signature"
> And as per [2]
> "For every artifact distributed to the public through Apache channels, the
> PMC ... MUST supply at least one checksum file"
> Please either remove the links or provide the required sigs and hashes.
> Thanks.
> [1] http://www.apache.org/legal/release-policy.html#release-signing
> [2] https://www.apache.org/dev/release-distribution#sigs-and-sums
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
