All,

The current Apache policy is to not mirror PGP signatures of releases to the mirrors, because it provides a false sense of trust. For example, if you look at a mirror such as http://apache.claz.org/hive/hive-0.10.0/, you'll only see the two tarballs. If you look at the Apache site http://www.us.apache.org/dist/hive/hive-0.10.0/, you'll see the tarballs, md5s, and asc.

In the same way, it doesn't seem right to put the KEYS file in a file that is included in the mirrors. Fortunately, Apache already has a service that builds a PGP keys file dynamically from LDAP. Hive's file can be found at: https://people.apache.org/keys/group/hive.asc

I propose that we remove the KEYS file from our dist area and add some text to http://hive.apache.org/releases.html that points to how to check the signatures and checksums of the releases. We can include the old KEYS file in the site for checking old releases.

Thoughts?

Thanks,
Owen
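
The reasoning in the message above, as an added example that is not part of the original post or of Apache's tooling: a checksum fetched from the same mirror as the tarball still passes for a modified tarball, while the checksum from the Apache site rejects it. The byte strings and the `ORIGIN`/`MIRROR` dicts are constructed stand-ins for downloads, the function names are hypothetical, and the two `.md5` layouts handled (`md5sum` and `gpg --print-md`) are an assumption about how the files were generated.

```python
import hashlib
import re

NAME = "hive-0.10.0.tar.gz"

def parse_md5_file(text):
    """Return the lowercase hex digest from a .md5 file.

    Accepts "<hex>  <name>" (md5sum) and "<name>: 9F 2C ..." (gpg --print-md).
    """
    if ":" in text:
        # gpg layout: drop the "<name>:" label, join the spaced hex pairs.
        candidate = "".join(text.split(":", 1)[1].split())
    else:
        # md5sum layout or a bare digest: the digest is the first token.
        candidate = (text.split() or [""])[0]
    candidate = candidate.lower()
    if not re.fullmatch(r"[0-9a-f]{32}", candidate):
        raise ValueError("no MD5 digest found in checksum file")
    return candidate

def gpg_style(name, data):
    """Format a digest the way `gpg --print-md MD5` prints it."""
    digest = hashlib.md5(data).hexdigest().upper()
    return name + ": " + " ".join(digest[i:i + 2] for i in range(0, 32, 2))

# Constructed stand-ins for what each server would return.
GENUINE = b"constructed stand-in for the released tarball"
MODIFIED = GENUINE + b" plus a change made on the mirror"
ORIGIN = {"tarball": GENUINE, "md5": gpg_style(NAME, GENUINE)}
# A mirror that also served checksums could serve one matching its own copy.
MIRROR = {"tarball": MODIFIED,
          "md5": hashlib.md5(MODIFIED).hexdigest() + "  " + NAME}

def verify_download(tarball_from, checksum_from):
    """Check the tarball from one server against the .md5 from another."""
    expected = parse_md5_file(checksum_from["md5"])
    return hashlib.md5(tarball_from["tarball"]).hexdigest() == expected

if __name__ == "__main__":
    print("mirror tarball, mirror checksum:", verify_download(MIRROR, MIRROR))
    print("mirror tarball, origin checksum:", verify_download(MIRROR, ORIGIN))
    print("origin tarball, origin checksum:", verify_download(ORIGIN, ORIGIN))
```

The same holds for the `.asc` signatures and the KEYS file: the material used to verify a release has to come from the Apache site rather than from the mirror that served the tarball.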