...

Verifying Releases

When downloading from a mirror it is recommended to verify the integrity of the downloads. This should preferably be done by verifying the OpenPGP compatible signature available from the main Apache site. The KEYS file contains the public keys used for signing the release. It is recommended that a web of trust is used to confirm the identity of these keys.

...

Previous releases are all archived in the Apache archive: http https://archive.apache.org/dist/cxf/fediz

Maven 2 Repositories

If you use Maven for building your applications, all supported Fediz releases are synced into the maven central repository: http://repo1.maven.org/maven2/

...