ARROW-3013: [Website] Fix download links on website for tarballs, checksums #2613
As a policy we have to provide the GPG verification files. We should look into what's going wrong.

@wesm I guess it's up to the Apache dist system. We upload the files to https://dist.apache.org/repos/dist/release/arrow/arrow-0.10.0/ where the signatures are present. Under the mirrors the backup sites have the exact same files, e.g.: http://www-eu.apache.org/dist/arrow/arrow-0.10.0/ Signatures are not downloadable from the HTTP and FTP mirrors, e.g.:
You could take a look at Spanish mirrors though.

Take a look at another Apache project: https://hadoop.apache.org/releases.html. It looks like they are using the dist system for signatures instead of mirrors. Can you change the sigs to that?

| mirrors-tar: 'https://www.apache.org/dyn/closer.cgi/arrow/arrow-0.10.0/apache-arrow-0.10.0.tar.gz' | ||
| java-artifacts: 'http://search.maven.org/#search%7Cga%7C1%7Cg%3A%22org.apache.arrow%22%20AND%20v%3A%220.10.0%22' | ||
| asc: 'https://www.apache.org/dist/arrow/arrow-0.10.0/apache-arrow-0.10.0.tar.gz.asc' | ||
| sha256: 'https://www.apache.org/dist/arrow/arrow-0.10.0/apache-arrow-0.10.0.tar.gz.sha256' |
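Review bot: The `java-artifacts` link in this hunk is plain `http://` while the other three URLs are `https://`; switch it to `https://search.maven.org/...` so every link on the download page is fetched over TLS. Only a `sha256` checksum entry is visible here, so if a `sha512` link is also intended, as the description says, it should sit next to it and point at the same `https://www.apache.org/dist/` location.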
Signature and checksum links are pointing to Apache dist.
wesm left a comment
+1, thanks @kszucs!

As a side note: It is policy that signatures should not be mirrored and should always be pulled from dist. All other things that are available through the mirror system should also be then pulled/linked through the mirror system and not through dist. dist servers are always official ASF-hosted servers.

Makes sense. Mirroring checksums or sigs would be a security hazard as it would open up MITM attacks.

I'm not sure why the signatures are missing from:
Perhaps signatures are not supposed to be distributed with dyn mirroring. The new links will point to sha256 and sha512 signatures per ASF policy, see recent change #2584
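
The linking policy discussed in this thread (signatures and checksums from dist over HTTPS, artifacts through the mirror system) can be checked mechanically against the website's link map. The following is an added example, not code from this PR or the Arrow project; the function names, the table of dist prefixes and the constructed `BAD` map are assumptions, and it also accepts a `sha512` key as mentioned in the description.

```python
from urllib.parse import urlsplit

# Assumption: official dist locations, taken from the URLs quoted in this thread.
DIST_PREFIXES = {"www.apache.org": "/dist/", "dist.apache.org": "/repos/dist/release/"}
VERIFICATION_KEYS = {"asc", "sha256", "sha512"}  # signature and checksum links
MIRRORED_KEYS = {"mirrors-tar"}                  # artifacts served via mirrors


def is_dist_url(url):
    """True when url is HTTPS and sits under a known dist prefix."""
    parts = urlsplit(url)
    prefix = DIST_PREFIXES.get(parts.hostname or "")
    return parts.scheme == "https" and prefix is not None and parts.path.startswith(prefix)


def check_links(links):
    """Return sorted (key, problem) pairs for links that break the policy."""
    problems = []
    for key, url in links.items():
        if key in VERIFICATION_KEYS and urlsplit(url).scheme != "https":
            problems.append((key, "verification file not fetched over https"))
        elif key in VERIFICATION_KEYS and not is_dist_url(url):
            problems.append((key, "verification file not served from dist"))
        elif key in MIRRORED_KEYS and is_dist_url(url):
            problems.append((key, "artifact linked from dist, not the mirror system"))
    return sorted(problems)


BASE = "arrow/arrow-0.10.0/apache-arrow-0.10.0.tar.gz"
# The tarball, signature and checksum links from the snippet above.
FIXED = {
    "mirrors-tar": "https://www.apache.org/dyn/closer.cgi/" + BASE,
    "asc": "https://www.apache.org/dist/" + BASE + ".asc",
    "sha256": "https://www.apache.org/dist/" + BASE + ".sha256",
}
# Constructed counter-example: every link on the wrong side of the policy.
BAD = {
    "mirrors-tar": "https://www.apache.org/dist/" + BASE,
    "asc": "http://www-eu.apache.org/dist/" + BASE + ".asc",
    "sha256": "https://www.apache.org/dyn/closer.cgi/" + BASE + ".sha256",
}

if __name__ == "__main__":
    for name, links in (("FIXED", FIXED), ("BAD", BAD)):
        print(name, check_links(links) or "ok")
```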