On Jan 13, 2008 8:13 PM, Robert Burrell Donkin <[EMAIL PROTECTED]> wrote:

> On Jan 13, 2008 4:03 PM, Simon Laws <[EMAIL PROTECTED]> wrote:
>
> <snip>
>
> > Thanks for the pointer. Haven't got into the detail of the release
> > distribution documentation you refer to yet but something did catch my eye.
> > In the section on mirroring (
> > http://incubator.apache.org/guides/releasemanagement.html#understanding-mirroring )
> > there is a sentence...
> >
> > " The artifacts are downloaded from machines outside Apache control so users
> > must verify them. While the mirrored release artifacts (gzipped tar files
> > and zip jar files are the most common artifacts) must be used, the mirrored
> > checksums, KEYS and signature files (.asc and .md5 files) must *never* be
> > used. All links must refer to the original documents on www.apache.org."
> >
> > Can I confirm that what this is saying is that the download page, and any
> > associated mirroring scripts, that the Tuscany Incubator project presents
> > must ensure that the user links to zip/gz from a mirror and links to
> > checksums, signatures etc from http://www.apache.org/dist/incubator/, i.e.
> > this sentence is about Tuscany getting its web page right rather than
> > something a user has to do explicitly.
>
> on the tuscany website:
> * any links to artifacts must use the mirroring functions
> * any links to signatures, sums and KEYS must be to the originals on
>   http://www.apache.org/dist/incubator/
>
> any user who downloads an artifact will be obtaining a mirrored copy.
> apache has no control over the contents of these mirrors and so the
> user should verify the release. this can be done by checking a sum or
> the signatures (which is best depends on the circumstances).
>
> read http://www.apache.org/dev/release-signing.html for more details
>
> - robert

Thanks Robert.
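The two link rules discussed in this thread can be checked mechanically on a download page. The following is an added example, not part of the original messages or of any Apache tooling: it flags .asc, .md5 and KEYS links that do not point at http://www.apache.org/dist/incubator/ and artifact links that point straight at the origin. The mirror host, file names, artifact suffixes and the assumption that any non-origin artifact link goes through the mirroring functions are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

ORIGIN_HOST = "www.apache.org"        # origin named in the thread
ORIGIN_PREFIX = "/dist/incubator/"    # origin path named in the thread
VERIFY_SUFFIXES = (".asc", ".md5")    # signature and checksum files
ARTIFACT_SUFFIXES = (".tar.gz", ".zip", ".jar")  # assumed spellings of the artifact types


class _Hrefs(HTMLParser):
    """Collect the href of every <a> tag on the page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)


def audit_download_page(html):
    """Return (href, problem) pairs for links that break either rule."""
    parser = _Hrefs()
    parser.feed(html)
    problems = []
    for href in parser.hrefs:
        url = urlparse(href)
        name = url.path.rsplit("/", 1)[-1]
        on_origin = url.hostname == ORIGIN_HOST and url.path.startswith(ORIGIN_PREFIX)
        if name == "KEYS" or name.endswith(VERIFY_SUFFIXES):
            # Relative links and mirror links both fail this check.
            if not on_origin:
                problems.append((href, "verification file not linked from origin"))
        elif name.endswith(ARTIFACT_SUFFIXES) and on_origin:
            problems.append((href, "artifact linked from origin instead of a mirror"))
    return problems


# Constructed sample page: mirror.example.org and the file names are made up.
SAMPLE_PAGE = """
<a href="http://mirror.example.org/apache/incubator/tuscany/sample-1.0.zip">zip</a>
<a href="http://www.apache.org/dist/incubator/tuscany/sample-1.0.zip.asc">asc</a>
<a href="http://mirror.example.org/apache/incubator/tuscany/sample-1.0.zip.md5">md5</a>
<a href="http://mirror.example.org/apache/incubator/tuscany/KEYS">KEYS</a>
<a href="http://www.apache.org/dist/incubator/tuscany/sample-1.0.tar.gz">tar.gz</a>
"""

if __name__ == "__main__":
    for href, problem in audit_download_page(SAMPLE_PAGE):
        print(f"{problem}: {href}")
```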
