Apache OpenOffice (AOO) Bugzilla – Issue 128096
Hashes and sigs for the current release need to come from ASF Dist server
Last modified: 2019-04-30 21:36:21 UTC
The download page currently directs to the archive server for the hashes and sigs. The links must use https://www.apache.org/dist/openoffice/, not the archive server.
You surely are referring to: https://openoffice.apache.org/downloads.html (We also have a download page at https://www.openoffice.org/) The hashes for the current release are on /dist. Only the hashes for the archived versions point to /archive. How are hashes for an archived version supposed to be on /dist?
I see now the problem is on https://www.openoffice.org/download Will have a look into it!
Even when it was agreed with Infra years ago that we can go this way, I'll have a look how it can be changed now.
@matthias: yes, I meant the download page at http://www.openoffice.org/download/index.html This links to https://www.apache.org/dist/openoffice/KEYS but https://archive.apache.org/dist/openoffice/4.1.6/binaries/... These links must be changed to point to https://www.apache.org/dist/openoffice/4.1.6/binaries/... @marcus: not sure what you mean by your comment
@sebb: I've meant it like I've written it. So, what exactly is not understandable?
"... it was agreed with Infra ..." -- what is 'it' that was agreed with Infra? == Note that I am saying that hashes and sigs for the current release(s) must be served from www.apache.org, not from archive.apache.org. [For releases that are only on the archives, of course the hashes and sigs should be served from there as well, but that is not what this issues is about.]
(In reply to sebb from comment #6) > "... it was agreed with Infra ..." -- what is 'it' that was agreed with > Infra? it = the situation like it is today: everything comes from the archive server - which is btw also a ASF system. So, the main idea behind "host the binaries whereever you want but the source + hash must come from ASF servers" is fulfilled.
I think you have misunderstood what Infra said. The archive server - archive.apache.org - is ONLY intended for downloads of older, archived releases. Current source releases must be downloaded from the ASF mirror system (*) and the associated KEYS, sigs and hashes must be downloaded from https://www.apache.org/dist/openoffice/... Since OO is so large, there are other download sites for the binaries. However the KEYS, sigs and hashes which related to the binaries must come from https://www.apache.org/dist/openoffice/...
(In reply to sebb from comment #8) > I think you have misunderstood what Infra said. Thinking and believing doesn't matter here. When you haven't participated in our discussions, then you don't know what happened. ;-) > The archive server - archive.apache.org - is ONLY intended for downloads of > older, archived releases. > > [...] Nice but also notzhing new.
I think I've changed it sucessfully, so please test on the staging server and report back before I publish the change: http://ooo-site.staging.apache.org/download/index.html Thanks
Thanks, Marcus! For me it looks good and we should submit it...
Thanks for testing and verification. PS: Status "Fixed_without_code" because no change in the OpenOffice code but only in the websites.