There is no link on the download page for people to easily get the MD5/SHA hashes from the main distribution directory on www.apache.org. Sigs and hashes are a requirement for all Apache projects.
http://www.apache.org/dist/xmlgraphics/commons/binaries/
The download page: http://xmlgraphics.apache.org/commons/download.html does not have any links to the sig or hashes, nor any link to the KEYS or how to use the sigs/hashes.
my apologies, i posted the wrong link; if you follow link [2] in the link I did post [1]:

[1] http://xmlgraphics.apache.org/commons/download.html

Source ("-src") and binary ("-bin") distributions can be downloaded from a Apache XML Graphics Commons Distribution Mirror [2].

[2] http://www.apache.org/dyn/closer.cgi/xmlgraphics/commons

you will land at a page that (1) lists download mirrors and (2) contains a section "Verify the integrity of the files"

if you pick a download mirror, say [3], then you will find binaries [4] and source [5] directories containing signatures and hashes, and also a file containing keys [6]

[3] http://www.apache.org/dist/xmlgraphics/commons
[4] http://www.apache.org/dist/xmlgraphics/commons/binaries/
[5] http://www.apache.org/dist/xmlgraphics/commons/source/
[6] http://www.apache.org/dist/xmlgraphics/commons/KEYS

there does not need to be any more information provided in [1] the reason is clear: [1] doesn't actually make direct reference to any downloadable binary or source images
(In reply to comment #3)
> my apologies, i posted the wrong link; if you follow link [2] in the link I did
> post [1]:
>
> [1] http://xmlgraphics.apache.org/commons/download.html
>
> Source ("-src") and binary ("-bin") distributions can be downloaded from a
> Apache XML Graphics Commons Distribution Mirror [2].
>
> [2] http://www.apache.org/dyn/closer.cgi/xmlgraphics/commons
>
> you will land at a page that (1) lists download mirrors and (2) contains a
> section "Verify the integrity of the files"

OK

> if you pick a download mirror, say [3], then you will find binaries [4] and
> source [5] directories containing signatures and hashes, and also a file
> containing keys [6]

[3] is *not a mirror*

An example mirror site is [3a]. The corresponding binaries [4a] and source [5a] pages don't include hashes.

There is a KEYS file at [6a] but [1] says to download KEYS from the ASF.

[3a] http://mirrors.ukfast.co.uk/sites/ftp.apache.org/xmlgraphics/commons/
[4a] http://mirrors.ukfast.co.uk/sites/ftp.apache.org/xmlgraphics/commons/binaries
[5a] http://mirrors.ukfast.co.uk/sites/ftp.apache.org/xmlgraphics/commons/source
[6a] http://mirrors.ukfast.co.uk/sites/ftp.apache.org/xmlgraphics/commons/KEYS

> [3] http://www.apache.org/dist/xmlgraphics/commons
> [4] http://www.apache.org/dist/xmlgraphics/commons/binaries/
> [5] http://www.apache.org/dist/xmlgraphics/commons/source/
> [6] http://www.apache.org/dist/xmlgraphics/commons/KEYS
>
> there does not need to be any more information provided in [1] the reason is
> clear: [1] doesn't actually make direct reference to any downloadable binary or
> source images

Note that [1] says

"The PGP signatures can be verified using PGP or GPG. First download the KEYS as well as the asc signature file for the relevant distribution. Make sure you get these files from the main distribution site, rather than from a mirror."

This is not at all easy to do with the current download page.

Have a look at how other TLPs do it.
(In reply to comment #4)
> (In reply to comment #3)
> > my apologies, i posted the wrong link; if you follow link [2] in the link I did
> > post [1]:
> >
> > [1] http://xmlgraphics.apache.org/commons/download.html
> >
> > Source ("-src") and binary ("-bin") distributions can be downloaded from a
> > Apache XML Graphics Commons Distribution Mirror [2].
> >
> > [2] http://www.apache.org/dyn/closer.cgi/xmlgraphics/commons
> >
> > you will land at a page that (1) lists download mirrors and (2) contains a
> > section "Verify the integrity of the files"
>
> OK
>
> > if you pick a download mirror, say [3], then you will find binaries [4] and
> > source [5] directories containing signatures and hashes, and also a file
> > containing keys [6]
>
> [3] is *not a mirror*

ok, it's the main distribution site

> An example mirror site is [3a]. The corresponding binaries [4a] and source [5a]
> pages don't include hashes.
>
> There is a KEYS file at [6a] but [1] says to download KEYS from the ASF.
>
> [3a] http://mirrors.ukfast.co.uk/sites/ftp.apache.org/xmlgraphics/commons/
> [4a] http://mirrors.ukfast.co.uk/sites/ftp.apache.org/xmlgraphics/commons/binaries
> [5a] http://mirrors.ukfast.co.uk/sites/ftp.apache.org/xmlgraphics/commons/source
> [6a] http://mirrors.ukfast.co.uk/sites/ftp.apache.org/xmlgraphics/commons/KEYS

we have no control over mirror site configuration

> > [3] http://www.apache.org/dist/xmlgraphics/commons
> > [4] http://www.apache.org/dist/xmlgraphics/commons/binaries/
> > [5] http://www.apache.org/dist/xmlgraphics/commons/source/
> > [6] http://www.apache.org/dist/xmlgraphics/commons/KEYS
> >
> > there does not need to be any more information provided in [1] the reason is
> > clear: [1] doesn't actually make direct reference to any downloadable binary or
> > source images
>
> Note that [1] says
>
> "The PGP signatures can be verified using PGP or GPG. First download the KEYS
> as well as the asc signature file for the relevant distribution. Make sure you
> get these files from the main distribution site, rather than from a mirror."
>
> This is not at all easy to do with the current download page.

sorry, it doesn't have to be easy; your original comment claimed "sigs and hashes are a requirement for all apache projects"; i pointed you at the main distribution site where sigs and hashes are provided; that satisfies your claim... full stop

> Have a look at how other TLPs do it.

if you would like to propose a patch for the current download page [1], i'll take a look at it; otherwise, i don't intend to take any other action; i will leave this open for a week more in case you wish to post a patch; if not received by then, this bug will be closed

thanks for your input
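
Added example, not part of the thread or of the project's own tooling: the rule quoted above from the download page (take the archive from any mirror, but take the verification files from the main distribution site) written as a check. The helper names, the SHA-256 choice, the checksum-file layouts and the sample file name are assumptions made for illustration; the sample bytes are constructed.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Main distribution site named in the thread; mirrors use other hosts.
MAIN_DIST_HOST = "www.apache.org"

def from_main_site(url):
    """True only if url points into /dist/ on the main site, not a mirror."""
    parts = urlsplit(url)
    # Compare the parsed hostname exactly: look-alike hosts and userinfo
    # tricks ("www.apache.org@other.host") must not pass.
    return parts.hostname == MAIN_DIST_HOST and parts.path.startswith("/dist/")

def parse_digest(text, algo):
    """Extract the hex digest from a checksum file.

    Assumed layouts: bare hex, 'hex  filename', or 'filename: hex'.
    """
    want = hashlib.new(algo).digest_size * 2
    for token in text.replace(":", " ").split():
        tok = token.lower()
        if len(tok) == want and all(c in "0123456789abcdef" for c in tok):
            return tok
    raise ValueError("no %s digest found in checksum file" % algo)

def verify_download(artifact, checksum_text, checksum_url, algo):
    """Check archive bytes (from any mirror) against a main-site checksum."""
    if not from_main_site(checksum_url):
        raise ValueError("checksum not from main site: " + checksum_url)
    expected = parse_digest(checksum_text, algo)
    actual = hashlib.new(algo, artifact).hexdigest()
    return hmac.compare_digest(expected, actual)

if __name__ == "__main__":
    data = b"constructed sample archive bytes"  # stands in for a mirror download
    checksum = hashlib.sha256(data).hexdigest() + "  sample-bin.tar.gz\n"
    base = "http://www.apache.org/dist/xmlgraphics/commons/binaries/"
    print(verify_download(data, checksum, base + "sample-bin.tar.gz.sha256", "sha256"))
```

A matching hash only shows that the archive equals what the main site published; the PGP check against KEYS, also fetched from the main site, is still what ties the release to its signer.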