[GitHub] [tomee-site-generator] rzo1 opened a new pull request #21: TOMEE-2975 - Download page must provide sigs for all release artifacts


GitBox

rzo1 opened a new pull request #21:
URL: https://github.com/apache/tomee-site-generator/pull/21


   # What does this PR do?
   
   - adds ASC files to release download page, adds link to KEYS file, adds download verification instructions as requested by INFRA.
   
   # References
   - https://issues.apache.org/jira/projects/TOMEE/issues/TOMEE-2975


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[hidden email]



[GitHub] [tomee-site-generator] rmannibucau commented on a change in pull request #21: TOMEE-2975 - Download page must provide sigs for all release artifacts

GitBox

rmannibucau commented on a change in pull request #21:
URL: https://github.com/apache/tomee-site-generator/pull/21#discussion_r589415574



##########
File path: src/main/jbake/content/download-ng.adoc
##########
@@ -7,12 +7,18 @@
 
 [.table.table-bordered,options="header"]
 
+== Release Integrity
+
+You **must** link:https://www.apache.org/info/verification.html[verify] the integrity of the downloaded files. We provide OpenPGP signatures  (*.asc files) for every release file. This signature should be matched against link:https://downloads.apache.org/tomee/KEYS[KEYS] file which contains the OpenPGP keys of TomEE's Release Managers. We also provide SHA-512 checksums for every release file. After you download the file, you should calculate a checksum for your download, and make sure it is the same as ours.
+
+== Download Links
+
 |===
 |Name|Version|Date|Size|Type|Links
-|TomEE plume|9.0.0-M3|25 Jan 2021|65 MB |ZIP| https://www.apache.org/dyn/closer.cgi/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-plume.zip[icon:download[] ZIP] https://www.apache.org/dist/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-plume.zip.sha256[icon:download[] SHA256] https://www.apache.org/dist/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-plume.zip.sha512[icon:download[] SHA512]
-|TomEE plus|9.0.0-M3|25 Jan 2021|58 MB |ZIP| https://www.apache.org/dyn/closer.cgi/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-plus.zip[icon:download[] ZIP] https://www.apache.org/dist/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-plus.zip.sha256[icon:download[] SHA256] https://www.apache.org/dist/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-plus.zip.sha512[icon:download[] SHA512]
-|TomEE webprofile|9.0.0-M3|25 Jan 2021|41 MB |ZIP| https://www.apache.org/dyn/closer.cgi/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-webprofile.zip[icon:download[] ZIP] https://www.apache.org/dist/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-webprofile.zip.sha256[icon:download[] SHA256] https://www.apache.org/dist/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-webprofile.zip.sha512[icon:download[] SHA512]
-|TomEE microprofile|9.0.0-M3|25 Jan 2021|41 MB |ZIP| https://www.apache.org/dyn/closer.cgi/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-microprofile.zip[icon:download[] ZIP] https://www.apache.org/dist/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-microprofile.zip.sha256[icon:download[] SHA256] https://www.apache.org/dist/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-microprofile.zip.sha512[icon:download[] SHA512]
+|TomEE plume|9.0.0-M3|25 Jan 2021|65 MB |ZIP| https://www.apache.org/dyn/closer.cgi/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-plume.zip[icon:download[] ZIP] https://www.apache.org/dist/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-plume.zip.sha256[icon:download[] SHA256] https://www.apache.org/dist/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-plume.zip.sha512[icon:download[] SHA512] https://www.apache.org/dist/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-plume.zip.asc[icon:download[] PGP]
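Review bot: the two new headings and the paragraph are inserted between the `[.table.table-bordered,options="header"]` attribute line and the `|===` table it used to sit above, so the attributes now attach to `== Release Integrity` and the table loses its bordered style and header row. Move the attribute line down so it is the last line before `|===`. In the added paragraph, "matched against KEYS file" needs "the", and the text names only SHA-512 while the row still links a SHA256 file as well.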

Review comment:
       is it a manual fix? Should go into https://github.com/apache/tomee-site-generator/blob/master/src/main/java/org/apache/tomee/website/Downloads.java#L152 probably




[GitHub] [tomee-site-generator] rzo1 commented on a change in pull request #21: TOMEE-2975 - Download page must provide sigs for all release artifacts

GitBox

rzo1 commented on a change in pull request #21:
URL: https://github.com/apache/tomee-site-generator/pull/21#discussion_r589416363



##########
File path: src/main/jbake/content/download-ng.adoc
##########
@@ -7,12 +7,18 @@
 
 [.table.table-bordered,options="header"]
 
+== Release Integrity
+
+You **must** link:https://www.apache.org/info/verification.html[verify] the integrity of the downloaded files. We provide OpenPGP signatures  (*.asc files) for every release file. This signature should be matched against link:https://downloads.apache.org/tomee/KEYS[KEYS] file which contains the OpenPGP keys of TomEE's Release Managers. We also provide SHA-512 checksums for every release file. After you download the file, you should calculate a checksum for your download, and make sure it is the same as ours.
+
+== Download Links
+
 |===
 |Name|Version|Date|Size|Type|Links
-|TomEE plume|9.0.0-M3|25 Jan 2021|65 MB |ZIP| https://www.apache.org/dyn/closer.cgi/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-plume.zip[icon:download[] ZIP] https://www.apache.org/dist/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-plume.zip.sha256[icon:download[] SHA256] https://www.apache.org/dist/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-plume.zip.sha512[icon:download[] SHA512]
-|TomEE plus|9.0.0-M3|25 Jan 2021|58 MB |ZIP| https://www.apache.org/dyn/closer.cgi/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-plus.zip[icon:download[] ZIP] https://www.apache.org/dist/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-plus.zip.sha256[icon:download[] SHA256] https://www.apache.org/dist/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-plus.zip.sha512[icon:download[] SHA512]
-|TomEE webprofile|9.0.0-M3|25 Jan 2021|41 MB |ZIP| https://www.apache.org/dyn/closer.cgi/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-webprofile.zip[icon:download[] ZIP] https://www.apache.org/dist/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-webprofile.zip.sha256[icon:download[] SHA256] https://www.apache.org/dist/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-webprofile.zip.sha512[icon:download[] SHA512]
-|TomEE microprofile|9.0.0-M3|25 Jan 2021|41 MB |ZIP| https://www.apache.org/dyn/closer.cgi/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-microprofile.zip[icon:download[] ZIP] https://www.apache.org/dist/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-microprofile.zip.sha256[icon:download[] SHA256] https://www.apache.org/dist/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-microprofile.zip.sha512[icon:download[] SHA512]
+|TomEE plume|9.0.0-M3|25 Jan 2021|65 MB |ZIP| https://www.apache.org/dyn/closer.cgi/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-plume.zip[icon:download[] ZIP] https://www.apache.org/dist/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-plume.zip.sha256[icon:download[] SHA256] https://www.apache.org/dist/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-plume.zip.sha512[icon:download[] SHA512] https://www.apache.org/dist/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-plume.zip.asc[icon:download[] PGP]

Review comment:
       @rmannibucau Yes indeed. Thx for the hint. I will update the Java code as well




[GitHub] [tomee-site-generator] rzo1 commented on pull request #21: TOMEE-2975 - Download page must provide sigs for all release artifacts

GitBox

rzo1 commented on pull request #21:
URL: https://github.com/apache/tomee-site-generator/pull/21#issuecomment-792767340


   Do we need to provide **.asc** links for the download archive as well? wdyt?


[GitHub] [tomee-site-generator] rmannibucau commented on a change in pull request #21: TOMEE-2975 - Download page must provide sigs for all release artifacts

GitBox

rmannibucau commented on a change in pull request #21:
URL: https://github.com/apache/tomee-site-generator/pull/21#discussion_r589458852



##########
File path: src/main/java/org/apache/tomee/website/Downloads.java
##########
@@ -149,7 +149,7 @@ private static void printRow(Download d) {
                 "|" + new SimpleDateFormat("d MMM yyyy").format(Date.from(LocalDateTime.parse(d.date, RFC_1123_DATE_TIME).toInstant(ZoneOffset.UTC))) +
                 "|" + d.size + " MB " +
                 "|" + d.format.toUpperCase() +
-                "| " + d.url + "[icon:download[] " + d.format.toUpperCase() + "] " + d.sha1 + "[icon:download[] SHA1] " + d.md5 + "[icon:download[] MD5]");
+                "| " + d.url + "[icon:download[] " + d.format.toUpperCase() + "] " + d.sha1 + "[icon:download[] SHA1] " + d.md5 + "[icon:download[] MD5] " + d.asc + "[icon:download[] PGP]");
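Review bot: `d.asc` on the added line is concatenated into the row with no check that it is set, and the hunk does not show where `Download` gets that field; a null value would be printed as a link to the literal text `null`. Populate `asc` in the same place `sha1` and `md5` are derived, or leave the PGP cell out when it is absent. The row also still offers only SHA1 and MD5 as checksums, so the signature is the only strong integrity check it links.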

Review comment:
       think it misses SHA512 ;) (should be computed on the fly using local artifact if present and if not downloading it in m2 - tomee has MavenResolver+HttpResolver which should enable to do that smoothly)




[GitHub] [tomee-site-generator] rmannibucau commented on pull request #21: TOMEE-2975 - Download page must provide sigs for all release artifacts

GitBox

rmannibucau commented on pull request #21:
URL: https://github.com/apache/tomee-site-generator/pull/21#issuecomment-792791224


   @rzo1 strictly speaking - as "by ASF requirements" - you only need to provide the source zip download link from mirrors + its hashes/asc file, all other files can be downloaded from central directly without more caution but if you put them on the mirror you must respect the same rules.


[GitHub] [tomee-site-generator] rzo1 commented on a change in pull request #21: TOMEE-2975 - Download page must provide sigs for all release artifacts

GitBox

rzo1 commented on a change in pull request #21:
URL: https://github.com/apache/tomee-site-generator/pull/21#discussion_r589480093



##########
File path: src/main/java/org/apache/tomee/website/Downloads.java
##########
@@ -149,7 +149,7 @@ private static void printRow(Download d) {
                 "|" + new SimpleDateFormat("d MMM yyyy").format(Date.from(LocalDateTime.parse(d.date, RFC_1123_DATE_TIME).toInstant(ZoneOffset.UTC))) +
                 "|" + d.size + " MB " +
                 "|" + d.format.toUpperCase() +
-                "| " + d.url + "[icon:download[] " + d.format.toUpperCase() + "] " + d.sha1 + "[icon:download[] SHA1] " + d.md5 + "[icon:download[] MD5]");
+                "| " + d.url + "[icon:download[] " + d.format.toUpperCase() + "] " + d.sha1 + "[icon:download[] SHA1] " + d.md5 + "[icon:download[] MD5] " + d.asc + "[icon:download[] PGP]");

Review comment:
       This is true (also for SHA256). Seems the page wasn't generated via `Downloads.java` for a long time.
   
   The output between `Downloads` and the current `download-ng.adoc` also differs:
   
   - `https://repo.maven.apache.org/maven2/org/apache/tomee/apache-tomee/...` versus `https://www.apache.org/dyn/closer.cgi/...` on the downloads-ng web page.
   
   
   




[GitHub] [tomee-site-generator] rmannibucau commented on a change in pull request #21: TOMEE-2975 - Download page must provide sigs for all release artifacts

GitBox

rmannibucau commented on a change in pull request #21:
URL: https://github.com/apache/tomee-site-generator/pull/21#discussion_r589489277



##########
File path: src/main/java/org/apache/tomee/website/Downloads.java
##########
@@ -149,7 +149,7 @@ private static void printRow(Download d) {
                 "|" + new SimpleDateFormat("d MMM yyyy").format(Date.from(LocalDateTime.parse(d.date, RFC_1123_DATE_TIME).toInstant(ZoneOffset.UTC))) +
                 "|" + d.size + " MB " +
                 "|" + d.format.toUpperCase() +
-                "| " + d.url + "[icon:download[] " + d.format.toUpperCase() + "] " + d.sha1 + "[icon:download[] SHA1] " + d.md5 + "[icon:download[] MD5]");
+                "| " + d.url + "[icon:download[] " + d.format.toUpperCase() + "] " + d.sha1 + "[icon:download[] SHA1] " + d.md5 + "[icon:download[] MD5] " + d.asc + "[icon:download[] PGP]");

Review comment:
       Yep sadly which means the content became no more validated and potentially erroneous since I assume nothing checks the links work. I would keep the central links for binary since they are more reliable than mirrors generally BTW.




[GitHub] [tomee-site-generator] rzo1 commented on a change in pull request #21: TOMEE-2975 - Download page must provide sigs for all release artifacts

GitBox

rzo1 commented on a change in pull request #21:
URL: https://github.com/apache/tomee-site-generator/pull/21#discussion_r589498364



##########
File path: src/main/java/org/apache/tomee/website/Downloads.java
##########
@@ -149,7 +149,7 @@ private static void printRow(Download d) {
                 "|" + new SimpleDateFormat("d MMM yyyy").format(Date.from(LocalDateTime.parse(d.date, RFC_1123_DATE_TIME).toInstant(ZoneOffset.UTC))) +
                 "|" + d.size + " MB " +
                 "|" + d.format.toUpperCase() +
-                "| " + d.url + "[icon:download[] " + d.format.toUpperCase() + "] " + d.sha1 + "[icon:download[] SHA1] " + d.md5 + "[icon:download[] MD5]");
+                "| " + d.url + "[icon:download[] " + d.format.toUpperCase() + "] " + d.sha1 + "[icon:download[] SHA1] " + d.md5 + "[icon:download[] MD5] " + d.asc + "[icon:download[] PGP]");

Review comment:
       I think, `Downloads` generates a download page based on `repo.maven.apache.org`, which does not contain SHA256 or SHA512 files. Afaik, Maven is capable of generating SHA256 / SHA512 checksums during publishing.
   
   In general, it seems, the URL pattern was switched from `repo.maven.apache.org` to the mirror links `https://www.apache.org/dyn/closer.cgi/...` with `7.0.5 +`.
   
   > Yep sadly which means the content became no more validated and potentially erroneous since I assume nothing checks the links work.
   
   This is true. Afaik, there is no automated process of doing this atm.
   
   > Yep sadly which means the content became no more validated and potentially erroneous since I assume nothing checks the links work. I would keep the central links for binary since they are more reliable than mirrors generally BTW.
   
   There is also an open issue to reduce disk load on the ASF mirrors, which was pinged by INFRA recently: https://issues.apache.org/jira/browse/TOMEE-1096 
   
   Might be worth bringing this to the **dev@** list for further discussions?
   
   Maybe @jgallimore , @jeanouii or @cesarhernandezgt also have some thoughts on it?




[GitHub] [tomee-site-generator] rzo1 commented on a change in pull request #21: TOMEE-2975 - Download page must provide sigs for all release artifacts

GitBox

rzo1 commented on a change in pull request #21:
URL: https://github.com/apache/tomee-site-generator/pull/21#discussion_r589498364



##########
File path: src/main/java/org/apache/tomee/website/Downloads.java
##########
@@ -149,7 +149,7 @@ private static void printRow(Download d) {
                 "|" + new SimpleDateFormat("d MMM yyyy").format(Date.from(LocalDateTime.parse(d.date, RFC_1123_DATE_TIME).toInstant(ZoneOffset.UTC))) +
                 "|" + d.size + " MB " +
                 "|" + d.format.toUpperCase() +
-                "| " + d.url + "[icon:download[] " + d.format.toUpperCase() + "] " + d.sha1 + "[icon:download[] SHA1] " + d.md5 + "[icon:download[] MD5]");
+                "| " + d.url + "[icon:download[] " + d.format.toUpperCase() + "] " + d.sha1 + "[icon:download[] SHA1] " + d.md5 + "[icon:download[] MD5] " + d.asc + "[icon:download[] PGP]");

Review comment:
       I think, `Downloads` generates a download page based on `repo.maven.apache.org`, which does not contain SHA256 or SHA512 files. Afaik, Maven is capable of generating SHA256 / SHA512 checksums during publishing.
   
   In general, it seems, the URL pattern was switched from `repo.maven.apache.org` to the mirror links `https://www.apache.org/dyn/closer.cgi/...` with `7.0.5 +`.
   
   > Yep sadly which means the content became no more validated and potentially erroneous since I assume nothing checks the links work.
   
   This is true. Afaik, there is no automated process of doing this atm.
   
   > Yep sadly which means the content became no more validated and potentially erroneous since I assume nothing checks the links work. I would keep the central links for binary since they are more reliable than mirrors generally BTW.
   
   There is also an open issue to reduce disk load on the ASF mirrors, which was pinged by INFRA recently: https://issues.apache.org/jira/browse/TOMEE-1096 
   
   Might be worth bringing this to the **dev@** list for further discussions?
   
   Maybe @jgallimore , @jeanouii or @cesarhernandezgt also have some thoughts on it?
   
   
   EDIT-1:
   
   A short term fix could be to "manually" adjust the `.adoc` files (as proposed in this PR), long-term fix could be to move the discussion "mirrors vs central" for binaries to the `dev@...` list, get a decision on the general procedure and perhaps adjust `Downloads` accordingly.




[GitHub] [tomee-site-generator] rzo1 commented on a change in pull request #21: TOMEE-2975 - Download page must provide sigs for all release artifacts

GitBox

rzo1 commented on a change in pull request #21:
URL: https://github.com/apache/tomee-site-generator/pull/21#discussion_r589498364



##########
File path: src/main/java/org/apache/tomee/website/Downloads.java
##########
@@ -149,7 +149,7 @@ private static void printRow(Download d) {
                 "|" + new SimpleDateFormat("d MMM yyyy").format(Date.from(LocalDateTime.parse(d.date, RFC_1123_DATE_TIME).toInstant(ZoneOffset.UTC))) +
                 "|" + d.size + " MB " +
                 "|" + d.format.toUpperCase() +
-                "| " + d.url + "[icon:download[] " + d.format.toUpperCase() + "] " + d.sha1 + "[icon:download[] SHA1] " + d.md5 + "[icon:download[] MD5]");
+                "| " + d.url + "[icon:download[] " + d.format.toUpperCase() + "] " + d.sha1 + "[icon:download[] SHA1] " + d.md5 + "[icon:download[] MD5] " + d.asc + "[icon:download[] PGP]");

Review comment:
       I think, `Downloads` generates a download page based on `repo.maven.apache.org`, which does not contain SHA256 or SHA512 files. Afaik, Maven is capable of generating SHA256 / SHA512 checksums during publishing.
   
   In general, it seems, the URL pattern was switched from `repo.maven.apache.org` to the mirror links `https://www.apache.org/dyn/closer.cgi/...` with `7.0.5 +`.
   
   > Yep sadly which means the content became no more validated and potentially erroneous since I assume nothing checks the links work.
   
   This is true. Afaik, there is no automated process of doing this atm.
   
   > Yep sadly which means the content became no more validated and potentially erroneous since I assume nothing checks the links work. I would keep the central links for binary since they are more reliable than mirrors generally BTW.
   
   There is also an open issue to reduce disk load on the ASF mirrors, which was pinged by INFRA recently: https://issues.apache.org/jira/browse/TOMEE-1096 
   
   Might be worth bringing this to the **dev@** list for further discussions?
   
   Maybe @jgallimore , @jeanouii or @cesarhernandezgt also have some thoughts on it?
   
   
   EDIT-1:
   
   A short term fix could be to "manually" adjust the `.adoc` files (as proposed in this PR), long-term fix could be to move the discussion "mirrors vs central" for binaries to the **dev@** list, get a decision on the general procedure and perhaps adjust `Downloads` accordingly.




[GitHub] [tomee-site-generator] rzo1 commented on pull request #21: TOMEE-2975 - Download page must provide sigs for all release artifacts

GitBox

rzo1 commented on pull request #21:
URL: https://github.com/apache/tomee-site-generator/pull/21#issuecomment-805569951


   I will merge it now (to fix it short term) - as the links are "manually" validated. The discussion related to mirrors vs central is now on the mailing list [1]. I will raise attention to this thread again (seems to be lost in space) - hopefully, we can get an automated process of generating it, again.
   
   Seems it would be required to upgrade the ASF parent pom to a newer version to produce newer SHA signatures.
   
   # Refs
   
   [1] http://mail-archives.apache.org/mod_mbox/tomee-dev/202103.mbox/%3C64f56282b078f80f813c37c5c6c81c36f186fcd3.camel%40apache.org%3E


[GitHub] [tomee-site-generator] rzo1 merged pull request #21: TOMEE-2975 - Download page must provide sigs for all release artifacts

GitBox

rzo1 merged pull request #21:
URL: https://github.com/apache/tomee-site-generator/pull/21


   


[GitHub] [tomee-site-generator] sebbASF commented on pull request #21: TOMEE-2975 - Download page must provide sigs for all release artifacts

GitBox

sebbASF commented on pull request #21:
URL: https://github.com/apache/tomee-site-generator/pull/21#issuecomment-806009958


   The download page "Links" column is getting a bit messy; it would be easier to use if there were 2 separate columns for the sigs and hashes (SHA256 + 512).
   
   Also the Zip link could be moved to the "Type" column, i.e. turn the ZIP text into a link.


[GitHub] [tomee-site-generator] rzo1 commented on pull request #21: TOMEE-2975 - Download page must provide sigs for all release artifacts

GitBox

rzo1 commented on pull request #21:
URL: https://github.com/apache/tomee-site-generator/pull/21#issuecomment-806020740


   > The download page "Links" column is getting a bit messy; it would be easier to use if there were 2 separate columns for the sigs and hashes (SHA256 + 512).
   >
   > Also the Zip link could be moved to the "Type" column, i.e. turn the ZIP text into a link.
   
   @sebbASF: You think of sth like:
   
   ![image](https://user-images.githubusercontent.com/13417392/112356406-dfc03780-8cce-11eb-9ee3-6aa6c37450e3.png)
   
   I agree, that this would be "easier" to use. I will open a PR and get some other opinions.


[GitHub] [tomee-site-generator] rmannibucau commented on pull request #21: TOMEE-2975 - Download page must provide sigs for all release artifacts

GitBox

rmannibucau commented on pull request #21:
URL: https://github.com/apache/tomee-site-generator/pull/21#issuecomment-806024035


   If it helps: Name and Type/Download columns can be merged, no point to have "ZIP" or "TAR GZ" text alone, so I would merge the download link with the name ("[icon] TomEE Plume Zip"). In terms of signatures and hashes, no need to have sha256 and sha512, only one is enough or if preferred we can have a dropdown in the column and just show a default one + an ellipsis to show others. Adjusting the column width (on version and size columns at least) will also make more width for sig/hashes and name columns which should solve it properly too.


[GitHub] [tomee-site-generator] rzo1 commented on pull request #21: TOMEE-2975 - Download page must provide sigs for all release artifacts

GitBox

rzo1 commented on pull request #21:
URL: https://github.com/apache/tomee-site-generator/pull/21#issuecomment-806034405


   I think, we first need to switch back to an automated way of generating this page again :smile: - too many hard structural changes would lead to some error prone CnP party.
   
   Maybe something like:
   
   |  Name  | Version | Date | Size | Signatures & Hashes
   | ------------- | ------------- | ------------- | ------------- |------------- |
   | [:floppy_disk: TomEE plume ZIP](https://www.apache.org/dyn/closer.cgi/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-plume.zip)  |9.0.0-M3|25 Jan 2021|65 MB | [:floppy_disk: PGP](https://www.apache.org/dyn/closer.cgi/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-plume.zip.asc) [:floppy_disk: SHA512](https://www.apache.org/dyn/closer.cgi/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-plume.zip.sha512)  |
   
   :floppy_disk: as the AsciiDoc download icon is not available on GitHub


[GitHub] [tomee-site-generator] sebbASF commented on pull request #21: TOMEE-2975 - Download page must provide sigs for all release artifacts

GitBox

sebbASF commented on pull request #21:
URL: https://github.com/apache/tomee-site-generator/pull/21#issuecomment-806038039


   N.B. closer.cgi cannot be used for PGP or SHA files


[GitHub] [tomee-site-generator] rzo1 edited a comment on pull request #21: TOMEE-2975 - Download page must provide sigs for all release artifacts

GitBox

rzo1 edited a comment on pull request #21:
URL: https://github.com/apache/tomee-site-generator/pull/21#issuecomment-806034405


   I think, we first need to switch back to an automated way of generating this page again :smile: - too many hard structural changes would lead to some error prone CnP party.
   
   Maybe something like:
   
   |  Name  | Version | Date | Size | Signatures & Hashes
   | ------------- | ------------- | ------------- | ------------- |------------- |
   | [:floppy_disk: TomEE plume ZIP](https://www.apache.org/dyn/closer.cgi/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-plume.zip)  |9.0.0-M3|25 Jan 2021|65 MB | [:floppy_disk: PGP](https://www.apache.org/dist/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-plume.zip.asc) [:floppy_disk: SHA512](https://www.apache.org/dist/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-plume.zip.sha512)  |
   
   :floppy_disk: as the AsciiDoc download icon is not available on GitHub


[GitHub] [tomee-site-generator] rzo1 edited a comment on pull request #21: TOMEE-2975 - Download page must provide sigs for all release artifacts

GitBox

rzo1 edited a comment on pull request #21:
URL: https://github.com/apache/tomee-site-generator/pull/21#issuecomment-806034405


   I think, we first need to switch back to an automated way of generating this page again :smile: - too many hard structural changes would lead to some error prone CnP party.
   
   Maybe something like:
   
   |  Name  | Version | Date | Size | Signatures & Hashes
   | ------------- | ------------- | ------------- | ------------- |------------- |
   | [:floppy_disk: TomEE plume ZIP](https://www.apache.org/dyn/closer.cgi/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-plume.zip)  |9.0.0-M3|25 Jan 2021|65 MB | [:floppy_disk: PGP](https://www.apache.org/dist/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-plume.zip.asc) [:floppy_disk: SHA512](https://www.apache.org/dist/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-plume.zip.sha512)  |
   
   :floppy_disk: as the AsciiDoc download icon is not available on GitHub
   
   EDIT-1: Fixed CnP error in this example. PGP / Hashes shouldn't use closer.cgi


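The thread notes that nothing automated checks the hand-edited table, that signature and hash links must not go through closer.cgi, and that copy-paste slips are likely. The following lint over `download-ng.adoc` rows is an added example, not code from tomee-site-generator; the function names, finding codes and sample rows are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import urlparse

# One link in the "Links" cell: URL[icon:download[] LABEL]
LINK_RE = re.compile(r"(https?://[^\s\[]+)\[icon:download\[\] ([^\]]+)\]")

# Link label -> extension the sidecar file must add to the artifact name.
SIDECARS = {"PGP": ".asc", "SHA512": ".sha512", "SHA256": ".sha256",
            "SHA1": ".sha1", "MD5": ".md5"}
STRONG_HASHES = {"SHA256", "SHA512"}


def lint_row(row):
    """Return a sorted list of finding codes for one AsciiDoc table row."""
    cells = row.strip().lstrip("|").split("|", 5)
    if len(cells) < 6:
        return ["malformed-row"]
    links = LINK_RE.findall(cells[5])
    artifacts = [url for url, label in links if label not in SIDECARS]
    if len(artifacts) != 1:
        return ["no-single-artifact-link"]
    artifact_name = posixpath.basename(urlparse(artifacts[0]).path)

    findings, seen = set(), set()
    for url, label in links:
        if label not in SIDECARS:
            continue
        seen.add(label)
        path = urlparse(url).path
        # Signatures and hashes must not be served through the mirror chooser.
        if "closer.cgi" in path:
            findings.add("sidecar-via-closer.cgi")
        # Catches a sidecar copied from another row.
        if posixpath.basename(path) != artifact_name + SIDECARS[label]:
            findings.add("sidecar-name-mismatch")
    if "PGP" not in seen:
        findings.add("missing-signature")
    if not seen & STRONG_HASHES:
        findings.add("missing-strong-hash")
    return sorted(findings)


def lint_page(adoc):
    """Map row name -> findings for every data row that has a problem."""
    report = {}
    for line in adoc.splitlines():
        if not line.startswith("|") or line.startswith("|==="):
            continue
        name = line[1:].split("|", 1)[0].strip()
        if name == "Name":  # header row
            continue
        findings = lint_row(line)
        if findings:
            report[name] = findings
    return report


# --- Constructed sample input in the table format shown in the thread ---
DIST = "https://www.apache.org/dist/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-"
CLOSER = "https://www.apache.org/dyn/closer.cgi/tomee/tomee-9.0.0-M3/apache-tomee-9.0.0-M3-"


def _row(name, size, links):
    cell = " ".join(f"{url}[icon:download[] {label}]" for url, label in links)
    return f"|{name}|9.0.0-M3|25 Jan 2021|{size} MB |ZIP| {cell}"


SAMPLE_ADOC = "\n".join([
    "|===",
    "|Name|Version|Date|Size|Type|Links",
    # Artifact via the mirror chooser, sidecars served directly: clean.
    _row("TomEE plume", 65, [(CLOSER + "plume.zip", "ZIP"),
                             (DIST + "plume.zip.sha512", "SHA512"),
                             (DIST + "plume.zip.asc", "PGP")]),
    # Row without a signature link.
    _row("TomEE plus", 58, [(CLOSER + "plus.zip", "ZIP"),
                            (DIST + "plus.zip.sha256", "SHA256"),
                            (DIST + "plus.zip.sha512", "SHA512")]),
    # Copy-paste slip: hash copied from another row, signature via closer.cgi.
    _row("TomEE webprofile", 41, [(CLOSER + "webprofile.zip", "ZIP"),
                                  (DIST + "plume.zip.sha512", "SHA512"),
                                  (CLOSER + "webprofile.zip.asc", "PGP")]),
    # Only SHA1 and MD5 beside the signature.
    _row("TomEE microprofile", 41, [(CLOSER + "microprofile.zip", "ZIP"),
                                    (DIST + "microprofile.zip.sha1", "SHA1"),
                                    (DIST + "microprofile.zip.md5", "MD5"),
                                    (DIST + "microprofile.zip.asc", "PGP")]),
    "|===",
])

if __name__ == "__main__":
    for row_name, codes in lint_page(SAMPLE_ADOC).items():
        print(f"{row_name}: {', '.join(codes)}")
```
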