On Jan 13, 2008 4:03 PM, Simon Laws <[EMAIL PROTECTED]> wrote:

<snip>

> Thanks for the pointer. Haven't got into the detail of the release
> distribution documentation you refer to yet but something did catch my eye.
> In the section on mirroring (
> http://incubator.apache.org/guides/releasemanagement.html#understanding-mirroring)
> there is a sentence...
>
> "The artifacts are downloaded from machines outside Apache control so users
> must verify them. While the mirrored release artifacts (gzipped tar files
> and zip jar files are the most common artifacts) must be used, the mirrored
> checksums, KEYS and signature files (.asc and .md5 files) must *never* be
> used. All links must refer to the original documents on www.apache.org."
>
> Can I confirm that what this is saying is that the download page, and any
> associated mirroring scripts, that the Tuscany Incubator project presents
> must ensure that the user links to zip/gz from a mirror and links to
> checksums, signatures etc from http://www.apache.org/dist/incubator/, I.e.
> this sentence is about Tuscany getting its web page right rather than
> something a user has to do explicitly.

on the tuscany website:

* any links to artifacts must use the mirroring functions
* any links to signatures, sums and KEYS must be to the originals on
  http://www.apache.org/dist/incubator/

any user who downloads an artifact will be obtaining a mirrored copy. apache has no control over the contents of these mirrors and so the user should verify the release. this can be done by checking a sum or the signatures (which is best depends on the circumstances). read http://www.apache.org/dev/release-signing.html for more details

- robert
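The rule discussed in this message, as an added example that is not part of the original e-mail or of any Apache tooling: a checksum only detects a modified mirror copy when the checksum file itself comes from the origin. The file name, the byte strings and the three checksum-file layouts handled are assumptions, and all sample data is constructed; signature checking is not shown.

```python
import hashlib
import hmac
import re

# Matches digests from MD5 (32 hex chars) up to SHA-512 (128 hex chars).
HEX_DIGEST = re.compile(r"\b[0-9a-fA-F]{32,128}\b")


def parse_checksum(text):
    """Extract the digest from a checksum file's text.

    Assumed layouts: a bare digest, md5sum style ("<hex>  name"),
    and BSD style ("MD5 (name) = <hex>").
    """
    match = HEX_DIGEST.search(text)
    if match is None:
        raise ValueError("no hex digest found in checksum file")
    return match.group(0).lower()


def verify(artifact, checksum_text, algorithm="md5"):
    """Return True only if artifact hashes to the digest in checksum_text."""
    expected = parse_checksum(checksum_text)
    actual = hashlib.new(algorithm, artifact).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample data: the bytes the origin released, and what a modified
# mirror would serve (artifact and its sidecar .md5 replaced together).
RELEASE = b"release archive bytes (constructed sample)"
TAMPERED = RELEASE + b" plus modified content"
ORIGIN_MD5 = hashlib.md5(RELEASE).hexdigest() + "  example-1.0.tar.gz\n"
MIRROR_MD5 = ("MD5 (example-1.0.tar.gz) = "
              + hashlib.md5(TAMPERED).hexdigest().upper() + "\n")


def demo():
    """Run the three cases; only the origin checksum exposes the change."""
    return {
        "clean artifact, origin checksum": verify(RELEASE, ORIGIN_MD5),
        "tampered artifact, mirror checksum": verify(TAMPERED, MIRROR_MD5),
        "tampered artifact, origin checksum": verify(TAMPERED, ORIGIN_MD5),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'REJECTED'}")
```

The middle case is the one the quoted guide rules out: a sum fetched from the same mirror as the artifact matches whatever the mirror serves.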
