+1 . While you are editing the releases.html, if its not too much, can you also make the download link more visible ? People tend to scroll down and expect a download link next to the release number. Making it clear that there are two sections might help.
On Wed, May 15, 2013 at 9:37 PM, Owen O'Malley <omal...@apache.org> wrote: > All, > The current Apache policy is to not mirror PGP signatures of releases to > the mirrors, because it provides a false sense of trust. For example, if > you look at a mirror such as http://apache.claz.org/hive/hive-0.10.0/, > you'll only see the two tarballs. If you look at the Apache site > http://www.us.apache.org/dist/hive/hive-0.10.0/, you'll see the tarballs, > md5s, and asc. > > In the same way, it doesn't seem right to put the KEYS file in a file > that is included in the mirrors. Fortunately, Apache already has a service > that builds a pgp keys file dynamically from ldap. Hive's file can be found > at: https://people.apache.org/keys/group/hive.asc > > I propose that we remove the KEYS file from our dist area and add some > text to http://hive.apache.org/releases.html that points to how to check > the signatures and checksums of the releases. We can include the old KEYS > file in the site for checking old releases. > > Thoughts? > > Thanks, > Owen >
