On Mon, Jun 27, 2011 at 4:59 PM, Mattmann, Chris A (388J) <chris.a.mattm...@jpl.nasa.gov> wrote:
> Yep, makes sense. Like I told Benson, I wasn't exactly sure if the mirroring
> system were read only downstream of the Apache root sources (IOW, I thought
> we had more control than in reality we did).
>
> BTW, if someone could point me to a document where this is described, that
> would certainly help me refer it to others in the future.

Several projects reference the httpd document entitled "Verifying Apache HTTP Server Releases," which includes good commentary on why it's important to download the signatures directly from Apache hardware, and keys from the public keyrings. You can find it here:

http://httpd.apache.org/dev/verification.html

I also found several other documents about making releases and signing them, but these mostly addressed the process from a release manager's perspective, and not an end user's.

-Hyrum