
Missing GPG signatures for MW updates
Closed, Resolved | Public

Description

The 2015-12-21 link on the main page of mediawiki.org under news for maintenance updates (https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-December/000187.html) points to a mailing list post which includes links to versions and corresponding GPG signatures. However, the links in that post that point to the .sig files for the full updates are all misnamed, and hence broken. Testing one of them, it seems like the "tar" suffix was dropped; for example,

https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.5.gz.sig

should be

https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.5.tar.gz.sig
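A pre-publication check for the naming mismatch described above, as an added example that is not part of the original task or of Wikimedia's release tooling: it pairs every release file link in an announcement with the `.sig` link expected for it. The function name, the list of release file extensions, and the sample announcement text are assumptions constructed for illustration.

```python
import difflib
import re

URL_RE = re.compile(r"https?://[^\s<>\"']+")
SIG_SUFFIX = ".sig"
# Assumption: extensions that mark a link as a release file needing a signature.
ARTIFACT_EXTS = (".tar.gz", ".patch.gz", ".zip")


def check_signature_links(text):
    """Return (broken, unsigned) for the links found in an announcement body.

    broken   -- [(sig_url, suggested_url_or_None)] for .sig links that do not
                equal "<release file URL>.sig" for any release file linked
    unsigned -- release file URLs with no matching .sig link in the text
    """
    urls = [u.rstrip(".,;)") for u in URL_RE.findall(text)]
    sigs = [u for u in urls if u.endswith(SIG_SUFFIX)]
    artifacts = [u for u in urls if u.endswith(ARTIFACT_EXTS)]
    expected = {a + SIG_SUFFIX: a for a in artifacts}

    broken = []
    for sig in sigs:
        if sig in expected:
            continue
        # A near miss (such as a dropped "tar") is reported with the likely fix.
        close = difflib.get_close_matches(sig, sorted(expected), n=1, cutoff=0.8)
        broken.append((sig, close[0] if close else None))

    unsigned = [a for s, a in expected.items() if s not in sigs]
    return broken, unsigned


# Constructed sample: the release file URL is derived from the corrected
# signature URL in the task; the signature link is the misnamed one reported.
SAMPLE = """\
Full release tarball:
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.5.tar.gz
GPG signature:
https://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.5.gz.sig
"""

if __name__ == "__main__":
    broken, unsigned = check_signature_links(SAMPLE)
    for sig, fix in broken:
        print(f"BROKEN  {sig}\n  expected {fix}")
    for artifact in unsigned:
        print(f"NO SIG  {artifact}")
```

The check works on link text alone, so it can run on a draft before it is sent; it does not replace fetching each `.sig` and verifying it against the release file.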

Event Timeline

Copy+paste fails on my part. Mea culpa...

Since it's a mailing list though there's not much we can do after the fact...

Still, it would be nice to fix the links as referenced by mediawiki.org somehow... no one noticed for over a month admittedly, so doing nothing is an option, but security of software images is of increasing importance and a broken link to the information critical to verifying the most current images reduces credibility. Maybe an updated mailing list message and relinking it, or a special notice on the website...? If human error is a possibility then surely some process exists (or should exist) to make corrections.

Can a redirect or symlink be put in place?

> Can a redirect or symlink be put in place?

Yeah we could do that...

Put some symlinks in place.