We recommend you use a mirror to download our release builds, but you must verify the integrity of the downloaded files using signatures downloaded from our main distribution directories. Recent releases (48 hours) may not yet be available from the mirrors.
You are currently using http://apache.osuosl.org/. If you
encounter a problem with this mirror, please select another
mirror. If all mirrors are failing, there are backup
mirrors (at the end of the mirrors list) that should be
It is essential that you verify the integrity of downloaded files, preferably using the PGP signature (*.asc files); failing that using the MD5 hash (*.md5 checksum files).
The KEYS file contains the public PGP keys used by Apache Commons developers to sign releases.