<h2><a name="sig">PGP/GPG Signatures</a></h2>

All of the release distribution packages have been digitally
signed (using PGP or GPG) by the ASF committers that constructed them.
There will be an accompanying
<tt><var>distribution</var>.asc</tt> file in the same directory
as the distribution.
The PGP/GPG keys can be found at the MIT key
repository and within this project's KEYS file at
<a href=""><samp></samp></a>

Always use the signature to validate package authenticity, <i>e.g.</i>,
<pre>
$ pgpk -a KEYS
$ pgpv <var>commons-logging-1.2-bin.tar.gz</var>.asc
$ pgp -ka KEYS
$ pgp <var>commons-logging-1.2-bin.tar.gz</var>.asc
$ gpg --import KEYS
$ gpg --verify <var>commons-logging-1.2-bin.tar.gz</var>.asc <var>commons-logging-1.2-bin.tar.gz</var>
</pre>

See also <a href="">Verifying Apache Software Foundation Releases</a>.
We also offer MD5/SHA hashes as an alternative to validate the
integrity of the downloaded files. See the
<tt><var>distribution</var>.md5/.sha1</tt> files.
Note that such hashes are only useful as a check that the file was downloaded intact.
They do not provide any guarantee that the downloaded file is authentic.
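
The gpg steps above can be scripted so that the result does not depend on reading gpg's console output. The following is an added example, not part of the original page or any ASF tooling: it imports KEYS into a throwaway keyring and accepts the file only if gpg reports a valid signature from one expected fingerprint. The function names and the pinned-fingerprint argument are assumptions of this example; the fingerprint is assumed to have been obtained out of band.

```shell
#!/bin/sh
# Added example (not ASF code): verify a release against KEYS, accepting one pinned signer.

# check_status STATUS_FILE EXPECTED_FPR
# Succeeds only if gpg's --status-fd output reports a valid signature whose
# primary-key fingerprint equals EXPECTED_FPR (assumed to be obtained out of band).
check_status() {
    status_file=$1
    expected=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    # Fail closed on bad, unverifiable, expired or revoked signatures and keys.
    if grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY) ' "$status_file"; then
        return 1
    fi
    # In current GnuPG the last field of VALIDSIG is the primary key's fingerprint.
    fpr=$(awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }' "$status_file")
    [ -n "$fpr" ] && [ "$fpr" = "$expected" ]
}

# verify_release FILE EXPECTED_FPR [KEYS_FILE]
# Expects FILE.asc next to FILE, as on the download page.
verify_release() {
    file=$1
    keys=${3:-KEYS}
    workdir=$(mktemp -d) || return 2
    # Throwaway keyring: only keys from KEYS count, not whatever is in ~/.gnupg.
    gpg --homedir "$workdir" --batch --quiet --import "$keys" 2>/dev/null ||
        { rm -rf "$workdir"; return 2; }
    # gpg's exit code is ignored here; the verdict comes from the status lines.
    gpg --homedir "$workdir" --batch --status-fd 3 \
        --verify "$file.asc" "$file" 3>"$workdir/status" 2>/dev/null || :
    rc=0
    check_status "$workdir/status" "$2" || rc=$?
    rm -rf "$workdir"
    return "$rc"
}
```

Source the file and call verify_release with the distribution file name, the expected fingerprint and the path to KEYS; a non-zero return means the file should not be used.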