Hello sebb,

OK, I can amend my changes to add this. I will wait a day to see if more
issues come up.

I was trying to be brief as we have the validation page explaining all,
but it might be good to be a bit verbose here.

Regards
Bernd


On Mon, 29 Dec 2014 20:51:21 +0000, sebb <seb...@gmail.com> wrote:

> On 29 December 2014 at 20:13, Bernd Eckenfels
> <e...@zusammenkunft.net> wrote:
> > On Mon, 29 Dec 2014 20:01:29 +0000, sebb <seb...@gmail.com> wrote:
> >
> >> On 29 December 2014 at 19:48, Bernd Eckenfels
> >> <e...@zusammenkunft.net> wrote:
> >> > The download page of apache commons reads like there is supposed
> >> > to be a KEYS column in the table. But it is now a general link,
> >> > so I would apply the following changes, if you agree:
> >>
> >> I think the reference to the KEYS file needs to come before the
> >> hashes. We want to encourage sig checking as the primary way to
> >> check downloads.
> >>
> >> But I agree that the text needs some TLC.
> >
> > Cool, how is this:
> >
> >       <p>
> >         Please <a href="http://www.apache.org/info/verification.html">verify the integrity</a>
> >         of downloaded files against the public code signing
> >         <a href="http://www.apache.org/dist/commons/KEYS">KEYS</a> used by
> >         the Apache Commons developers.
> >       </p>
> >       <p>
> >         The <code>pgp</code> link downloads the OpenPGP compatible
> >         signature from our main site. The <code>md5</code> link downloads
> >         the checksum from the main site.
> >       </p>
> >
> 
> Better, but the verification is not actually against the KEYS file.
> How about:
> 
>       <p>
>         It is essential that you <a href="http://www.apache.org/info/verification.html">verify the integrity</a>
>         of downloaded files, preferably using the <code>PGP</code>
>         signature; failing that using the <code>MD5</code> hash.
>       </p>
>       <p>
>         The <a href="http://www.apache.org/dist/commons/KEYS">KEYS</a>
>         file contains the public keys
>         used by Apache Commons developers to sign releases.
>         It is used in conjunction with the <code>PGP</code> signature
>         for the download.
>       </p>
>       <p>
>         The <code>PGP</code> link downloads the OpenPGP compatible
>         signature from our main site.
>         The <code>MD5</code> link downloads the checksum from our
>         main site.
>       </p>
> 
> 
> I'm sure this could be improved further.
> 
> The generated links should probably also be upcased to PGP and MD5 so
> they stand out better.
> 
> > Regards
> > Bernd
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> > For additional commands, e-mail: dev-h...@commons.apache.org
> >
> 
> 
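
The order of checks the proposed text asks for (PGP signature first, MD5 only when no signature is available), as an added example that is not part of the original thread or the Apache Commons site. It assumes the signature and checksum were saved next to the download as `<file>.asc` and `<file>.md5`, that the KEYS file was already imported with `gpg --import KEYS`, and that `md5sum` from GNU coreutils is installed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: <file>.asc and
# <file>.md5 sit next to <file>; KEYS was imported with `gpg --import KEYS`.

# First 32-hex-digit token of a .md5 file ("digest" or "digest  filename").
expected_md5() {
    tr 'A-F' 'a-f' < "$1" | grep -oE '[0-9a-f]{32}' | head -n 1
}

actual_md5() {
    md5sum "$1" | cut -d ' ' -f 1
}

# Returns 0 = verified, 1 = check failed, 2 = nothing to check against.
verify_download() {
    file=$1
    if [ -f "$file.asc" ] && command -v gpg >/dev/null 2>&1; then
        # Preferred path. A failed signature check is final: it is never
        # downgraded to the weaker MD5 comparison.
        if gpg --verify "$file.asc" "$file"; then
            echo "PGP signature OK: $file"
            return 0
        fi
        echo "PGP signature check FAILED: $file" >&2
        return 1
    fi
    if [ -f "$file.md5" ]; then
        # Fallback: detects corruption only, says nothing about origin.
        want=$(expected_md5 "$file.md5")
        got=$(actual_md5 "$file")
        if [ -n "$want" ] && [ "$want" = "$got" ]; then
            echo "MD5 matches (integrity only): $file"
            return 0
        fi
        echo "MD5 MISMATCH: $file" >&2
        return 1
    fi
    echo "no .asc or .md5 found for $file" >&2
    return 2
}
```

`gpg --verify` exits 0 for a good signature made by any key in the keyring, so the result is only as trustworthy as the keys that were imported.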

