[ https://issues.apache.org/jira/browse/CLOUDSTACK-10280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17243331#comment-17243331 ]
Sebb commented on CLOUDSTACK-10280:
-----------------------------------

It is now mandatory to use HTTPS for KEYS, sigs and hashes.

Also the page must not link to https://dist.apache.org/; it must use https://downloads.apache.org/cloudstack/... for KEYS, sigs and hashes.

The link to http://www.apache.org/dist/cloudstack/releases/cloudmonkey-6.1.0/apache-cloudstack-cloudmonkey-6.1.0-src.tar.bz2.sha is broken; it should be https://www.apache.org/dist/cloudstack/releases/cloudmonkey-6.1.0/apache-cloudstack-cloudmonkey-6.1.0-src.tar.bz2.sha512

Further, MD5 hashes are deprecated and should not be used for recent releases.

> Please use HTTPS for KEYS, sigs and hashes
> ------------------------------------------
>
>                 Key: CLOUDSTACK-10280
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10280
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>            Reporter: Sebb
>            Priority: Critical
>
> The download page is generally fine.
> However the links to the KEYS, sigs (PGP) and hashes use http; ideally they should use https.
> Also the gpg command should read:
> gpg --verify apache-cloudstack-X.X.X-src.tar.bz2.asc apache-cloudstack-X.X.X-src.tar.bz2
> i.e. both the detached sig and the artifact itself should be specified.
> See: https://www.apache.org/info/verification.html#CheckingSignatures

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
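The rules raised in this thread (HTTPS links to downloads.apache.org, no MD5, and gpg --verify given both the detached signature and the artifact), as an added POSIX sh example that is not part of the Jira report or the CloudStack project. It assumes the .sha512 file is in sha512sum format ("HASH  filename") and that the project's KEYS file has already been imported into gpg; the sample artifact and hash file are constructed in a temp directory.

```shell
#!/bin/sh
# Added example (not from the Jira thread): download-link policy checks and
# artifact verification as recommended in CLOUDSTACK-10280.

# Policy from the comment: KEYS, sigs and hashes must be linked over HTTPS
# from downloads.apache.org, never over http:// and never from dist.apache.org.
# MD5 hashes are deprecated, so a .md5 link is rejected as well.
check_download_url() {
  case "$1" in
    https://downloads.apache.org/*) ;;
    *) return 1 ;;
  esac
  case "$1" in
    *.md5) return 1 ;;
  esac
  return 0
}

# Compare the artifact's SHA-512 with the first field of the .sha512 file.
# Assumed format: "HASH  filename" (sha512sum output); the hash is lowercased
# so an uppercase published hash still compares equal.
verify_sha512() {
  expected=$(awk 'NR==1 {print tolower($1)}' "$2")
  actual=$(sha512sum "$1" | awk '{print $1}')
  [ "$expected" = "$actual" ]
}

# Detached-signature check exactly as the issue asks: BOTH the .asc file and
# the artifact are passed, so gpg verifies the named artifact rather than
# guessing the data file from the signature's name. Requires `gpg --import KEYS`
# to have been run beforehand.
verify_sig() {
  gpg --verify "$1" "$2"
}

# Constructed sample: a fake release tarball with a matching .sha512 file.
make_sample() {
  dir=$(mktemp -d)
  name=apache-cloudstack-X.X.X-src.tar.bz2
  printf 'not a real release\n' > "$dir/$name"
  ( cd "$dir" && sha512sum "$name" > "$name.sha512" )
  echo "$dir/$name"
}
```

Run `verify_sha512 "$artifact" "$artifact.sha512" && verify_sig "$artifact.asc" "$artifact"` on a real download; a hash mismatch or a bad signature fails the chain before anything is unpacked.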