Stefan wrote on Sat, 25 Aug 2018 15:42 +0200:
> On 25/08/2018 15:21, Daniel Shahaf wrote:
> > luke1...@apache.org wrote on Sat, 25 Aug 2018 12:48 +0000:
> >> +++ subversion/site/staging/download.html Sat Aug 25 12:48:24 2018
> >> @@ -258,7 +258,8 @@ Other mirrors:
> >>
> >> <p>Alternatively, you can verify the checksums on the files.
> > [preëxisting issue] This sentence is misleading to people not well-versed
> > in crypto, isn't it?
> >
> > PGP verification provides stronger assurances than a checksum
> > verification, but this sentence makes it sound like the two methods are
> > equivalent. How about changing it to, say, ---
> >
> > If you're unable to verify the PGP signatures, you can instead verify
> > the checksums on the files.
> > However, PGP signatures are superior[citation needed] to checksum, and
> > we recommend to verify using PGP whenever possible.
> >
> > Where [citation needed] links to some not-too-technical explanation of the
> > matter.
> Sounds reasonable to me. Don't hesitate to adjust. ;-)

Thanks for the review. Added the text in r1839066 (without a citation).