[
https://issues.apache.org/jira/browse/MNG-6421?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16497170#comment-16497170
]
Olaf Flebbe commented on MNG-6421:
----------------------------------
hi [~michael-o] :
Thanks for suggesting to look in central. I found it in
[http://repo1.maven.org/maven2/org/apache/maven/apache-maven/3.5.3/]
I am using maven and central for years, how can someone guess this ?
Since there are gpg signatures an sha256 files: Wouldn't it makes sense to link
these file from the website and add an paragraph to educate users to actually
use it ?
> Please add a signature to apache downloads
> ------------------------------------------
>
> Key: MNG-6421
> URL: https://issues.apache.org/jira/browse/MNG-6421
> Project: Maven
> Issue Type: Bug
> Components: General
> Reporter: Olaf Flebbe
> Priority: Major
>
> While trying to fix maven download in the Apache Bigtop toolchain:
> There seems to be no way to verify the integrity of the Maven releases at
> apache and their mirrors.
> Download from [www.apache.org/dist|http://www.apache.org/dist] is discouraged
> for larger files from INFRA. The download links are either not secure or not
> on the same trustlevel as https://www.apache.org
> I would recommend to have a https:// link to a gnupg file signature (asc)
> which can be downloaded from
> [www.apache.org/dist|http://www.apache.org/dist] (Please see ant as an
> example).
> Signatures should be provided for both source and binaries.
> Please correct me if there is a different way to either have an secure and
> trusted download or a way to automatically verify.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
