Sebb created SVN-4736:
-------------------------

             Summary: Download page issues
                 Key: SVN-4736
                 URL: https://issues.apache.org/jira/browse/SVN-4736
             Project: Subversion
          Issue Type: Bug
         Environment: http://subversion.apache.org/download.cgi
            Reporter: Sebb


The download page has links to sigs and SHA-512 hashes. These use https, which 
is good.

However the page also contains inline SHA1 hashes. These are not necessarily 
protected by https. There are SHA1 hashes in the distribution area; it would be 
best to link to those instead.

The description for verifying hashes does not mention how to check an SHA-512 
hash.

The gpg command should read:

gpg --verify subversion-1.10.0.tar.gz.asc subversion-1.10.0.tar.gz

i.e. both the detached sig and the artifact itself should be specified.
See: https://www.apache.org/info/verification.html#CheckingSignatures




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
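
The SHA-512 check that the report says the download page does not describe could look like the following. This is an added example, not part of the original message and not the Subversion project's own instructions. The function names are hypothetical, the checksum file is assumed to hold either a bare hex digest or a sha512sum-style "digest  filename" line, and the sample artifact is constructed.

```shell
#!/bin/sh
# Added example: compare a downloaded file with a published SHA-512 file.

sha512_of() {
    # Print the lowercase hex SHA-512 digest of file $1.
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

verify_sha512() {
    # $1 = artifact, $2 = checksum file.
    # Returns 0 on match, 1 on mismatch, 2 on missing or malformed input.
    artifact=$1
    sumfile=$2
    [ -f "$artifact" ] && [ -f "$sumfile" ] || return 2
    # Assumed format: the digest is the first token of the first line.
    expected=$(head -n 1 "$sumfile" | awk '{print tolower($1)}')
    # Refuse anything that is not exactly 128 hex characters, so an
    # empty or HTML error page saved as the checksum file cannot "match".
    case $expected in
        *[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 128 ] || return 2
    actual=$(sha512_of "$artifact")
    [ "$actual" = "$expected" ]
}

demo() {
    # Constructed sample: a stand-in artifact and its checksum file.
    dir=$(mktemp -d) || return 2
    printf 'constructed sample artifact\n' > "$dir/sample.tar.gz"
    printf '%s  sample.tar.gz\n' "$(sha512_of "$dir/sample.tar.gz")" \
        > "$dir/sample.tar.gz.sha512"
    verify_sha512 "$dir/sample.tar.gz" "$dir/sample.tar.gz.sha512" \
        && echo "OK: digest matches"
    # Simulate a corrupted or tampered download.
    printf 'tampered\n' >> "$dir/sample.tar.gz"
    verify_sha512 "$dir/sample.tar.gz" "$dir/sample.tar.gz.sha512" \
        || echo "FAIL: digest mismatch"
    rm -rf "$dir"
}
demo
```

The result is only as trustworthy as the channel the checksum file came from, which is why the report asks for the hashes to be fetched over https from the distribution area.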
