Did you read this section on the download page? "Please use the backup mirrors only to download PGP and MD5 signatures to verify your downloads <http://www.apache.org/dyn/closer.cgi#verify> or if no other mirrors are working."
checksums and other files that you download from the mirrors may not be the originals. I believe that's the concern. I suspect they don't mirror those files as a result. Scroll down on the page and you'll see the direct (non mirror) download location - i.e. from Apache directly. Also keep in mind that md5/sha1/etc... provide no security. Only validate that the xsum of the original file matches the xsum file. Only the pgp signature ensures it was truly created by the originator and unchanged thereafter. Patrick On Wed, Apr 29, 2015 at 10:49 AM, Flavio Junqueira < [email protected]> wrote: > That's weird, we definitely generate them for the RCs, and I'm quite sure > were publishing them: > http://people.apache.org/~fpj/zookeeper-3.4.6-candidate-0/ > > I'm not sure what's going, and Pat Hunt might know about it. I'll see if I > can find out more in the meanwhile. > -Flavio > > > > On Wednesday, April 29, 2015 4:13 PM, ralph tice < > [email protected]> wrote: > > > > Hi, > > I was surprised to discover that releases haven't been published with > MD5/etc signatures since 3.3.2. > > Is this an intentional change by the project or an oversight? Is there an > alternative method of verifying integrity of releases? > > Thanks, > > --Ralph > > > > >
