Issue 3623: No sha1 checksum for gerrit war files
Status:  AwaitingInformation
Owner: ----
Reported by micro...@gmail.com, Oct 20, 2015
*****************************************************************
*****                                                       *****
***** !!!! THIS BUG TRACKER IS FOR GERRIT CODE REVIEW !!!!  *****
*****                                                       *****
***** DO NOT SUBMIT BUGS FOR CHROME, ANDROID, CYANOGENMOD,  *****
***** INTERNAL ISSUES WITH YOUR COMPANY'S GERRIT SETUP, ETC.*****
*****                                                       *****
*****   THOSE ISSUES BELONG IN DIFFERENT ISSUE TRACKERS     *****
*****                                                       *****
*****************************************************************

Affected Version:  Current

What steps will reproduce the problem?
1.  Download gerrit from http://gerrit-releases.storage.googleapis.com/index.html
2.  Notice there is no sha1 checksum
3.

What is the expected output? What do you see instead?

I expect to find a sha1 checksum to validate the download.  See working checksum example at https://code.google.com/p/gerrit/downloads/detail?name=gerrit-2.7-rc1.war

Please provide any additional information below.

Do you have additional means to validate your artifact has not been tampered with?  i.e. GPG signatures, checksums on a non google site, etc?
Oct 20, 2015
Project Member #1 david.pu...@sonymobile.com
For releases 2.9 and later the WAR file is also published on Maven Central:

http://search.maven.org/#search%7Cgav%7C1%7Cg%3A%22com.google.gerrit%22%20AND%20a%3A%22gerrit-war%22

There you can also see the SHA1 checksum.

For recent releases we also mention the SHA1 (and in some cases the SHA256) in the release announcement mail.

Status: AwaitingInformation
Oct 21, 2015
#2 micro...@gmail.com
Thank you David.  I will ensure that we subscribe to that mailing list to grab the checksums.  Very much appreciated!