[jira] [Commented] (CLOUDSTACK-10280) Please use HTTPS for KEYS, sigs and hashes

2021-03-04 Thread Rohit Yadav (Jira)


[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17295406#comment-17295406
 ] 

Rohit Yadav commented on CLOUDSTACK-10280:
--

PR proposed to fix this - https://github.com/apache/cloudstack/pull/4751/files

> Please use HTTPS for KEYS, sigs and hashes
> --
>
> Key: CLOUDSTACK-10280
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10280
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public (Anyone can view this level - this is the default.)
> Reporter: Sebb
> Priority: Critical
>
> The download page is generally fine.
> However the links to the KEYS, sigs (PGP) and hashes use http; ideally they should use https.
> Also the gpg command should read:
> gpg --verify apache-cloudstack-X.X.X-src.tar.bz2.asc apache-cloudstack-X.X.X-src.tar.bz2
> i.e. both the detached sig and the artifact itself should be specified.
> See: https://www.apache.org/info/verification.html#CheckingSignatures



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Commented] (CLOUDSTACK-10280) Please use HTTPS for KEYS, sigs and hashes

2021-03-04 Thread Rohit Yadav (Jira)


[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17295395#comment-17295395
 ] 

Rohit Yadav commented on CLOUDSTACK-10280:
--

[~sebb]  Alright, I've removed MD5 links from the website but not since the 
policy says we don't need to remove for existing releases. For all future 
releases, I'll remove from our build/publishing scripts to avoid doing md5 
checksums.



[jira] [Commented] (CLOUDSTACK-10280) Please use HTTPS for KEYS, sigs and hashes

2021-03-04 Thread Sebb (Jira)


[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17295224#comment-17295224
 ] 

Sebb commented on CLOUDSTACK-10280:
---

Yes, MD5 deprecation is part of policy

https://infra.apache.org/release-distribution#sigs-and-sums

As to using GitHub instead of JIRA, please ask INFRA to make JIRA read-only



[jira] [Commented] (CLOUDSTACK-10280) Please use HTTPS for KEYS, sigs and hashes

2021-03-04 Thread Rohit Yadav (Jira)


[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17295114#comment-17295114
 ] 

Rohit Yadav commented on CLOUDSTACK-10280:
--

[~sebb] Thanks for the ticket. I've fixed the https usage and sha512 file link 
on the website now. Pl check and close. On MD5, I've not removed it - is the 
deprecation part of ASF policy, is there any email you can point me to?

Also - we're not using Jira anymore, you may want to use GitHub in future to 
get the community's attention: http://github.com/apache/cloudstack/issues



[jira] [Commented] (CLOUDSTACK-10280) Please use HTTPS for KEYS, sigs and hashes

2021-03-03 Thread Sebb (Jira)


[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17294657#comment-17294657
 ] 

Sebb commented on CLOUDSTACK-10280:
---

PING - please now fix the page to use HTTPS for KEYS, sigs and hashes.

Also, remove references to MD5



[jira] [Commented] (CLOUDSTACK-10280) Please use HTTPS for KEYS, sigs and hashes

2020-12-03 Thread Sebb (Jira)


[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17243331#comment-17243331
 ] 

Sebb commented on CLOUDSTACK-10280:
---

It is now mandatory to use HTTPS for KEYS, sigs and hashes.

Also the page must not link to https://dist.apache.org/; it must use 
https://downloads.apache.org/cloudstack/... for KEYS, sigs and hashes

The link to 
http://www.apache.org/dist/cloudstack/releases/cloudmonkey-6.1.0/apache-cloudstack-cloudmonkey-6.1.0-src.tar.bz2.sha
is broken; it should be
https://www.apache.org/dist/cloudstack/releases/cloudmonkey-6.1.0/apache-cloudstack-cloudmonkey-6.1.0-src.tar.bz2.sha512

Further, MD5 hashes are deprecated and should not be used for recent releases

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
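
The link rules raised in this thread (HTTPS for KEYS, sigs and hashes; no links to dist.apache.org; no MD5; the bare .sha link that should have been .sha512), written as a checker for a download page. This is an added example, not code from the CloudStack project or the linked PR; the function name, finding labels, suffix list and sample HTML are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Suffixes treated as signature/hash files (an assumed list, not from the thread).
VERIFY_SUFFIXES = (".asc", ".sha512", ".sha256", ".sha", ".md5")

# Constructed sample page; only the two cloudmonkey-6.1.0 URLs come from the thread.
_CM = "www.apache.org/dist/cloudstack/releases/cloudmonkey-6.1.0/apache-cloudstack-cloudmonkey-6.1.0-src.tar.bz2"
_REL = "downloads.apache.org/cloudstack/releases/X.X.X/apache-cloudstack-X.X.X-src.tar.bz2"
SAMPLE_PAGE = f"""
<a href="https://downloads.apache.org/cloudstack/KEYS">KEYS</a>
<a href="http://{_CM}.sha">sha</a>
<a href="https://{_CM}.sha512">sha512</a>
<a href="https://dist.apache.org/repos/dist/release/cloudstack/KEYS">KEYS</a>
<a href="https://{_REL}.md5">md5</a>
<a href="http://{_REL}.asc">sig</a>
<a href="http://mirror.example/cloudstack/apache-cloudstack-X.X.X-src.tar.bz2">src</a>
"""


class _HrefCollector(HTMLParser):
    # Collects the href of every <a> tag on the page.
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def lint_download_page(html):
    """Return sorted (href, finding) pairs for KEYS/sig/hash links that break the rules."""
    collector = _HrefCollector()
    collector.feed(html)
    findings = set()
    for href in collector.hrefs:
        url = urlsplit(href)
        name = url.path.rsplit("/", 1)[-1]
        if name != "KEYS" and not name.lower().endswith(VERIFY_SUFFIXES):
            continue  # artifact links (e.g. via mirrors) are not covered by these rules
        if url.scheme == "http":  # relative links inherit the page's scheme
            findings.add((href, "not-https"))
        if url.hostname == "dist.apache.org":
            findings.add((href, "dist.apache.org"))
        if name.lower().endswith(".md5"):
            findings.add((href, "md5-deprecated"))
        if name.lower().endswith(".sha"):
            findings.add((href, "bare-sha-suffix"))
    return sorted(findings)
```

The artifact itself may still be fetched from a mirror over any transport, which is why only the KEYS, signature and hash links are checked: those are what the `gpg --verify` step depends on.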