Re: [Jython-dev] Jython 2.7.2 final

[Adam B. <ada...@gm...>]

Thanks Eero. Sorry this flew under the radar earlier.

I guess the intent on the download page is all that information is
available using the "metadata" link, eg

Jython Installer
<https://repo1.maven.org/maven2/org/python/jython-installer/2.7.2/jython-installer-2.7.2.jar>
-
Use this to install Jython. (metadata
<https://search.maven.org/artifact/org.python/jython-installer/2.7.2/jar>)

Do you think that's too obscure, or introduces some security risk? I note
the CPython download page links to the .asc sig file for their downloads
too.

Cheers
Adam


On Sun, 5 Apr 2020 at 23:17, Eero Aaltonen <eer...@ik...> wrote:

> Thank you for your hard work on making the release!
>
> The obvious place to download the release
> https://www.jython.org/download.html
>
> Currently does not have obvious instructions for verifying the download.
> Everything required for that however seems to be in place:
> * https://repo1.maven.org/maven2/org/python/jython-installer/2.7.2/
> .asc signatures
> *
> https://jython-devguide.readthedocs.io/en/latest/release_jy.html#publication
> releases (Jeff's) public key on the keyserver.
>
> In case you wish to add verification instructions to the download page, I
> make a sketch while doing that myself
>
>
> ## Download release and signature
>
> Download files
>
> * `jython-installer-2.7.2.jar`
> * `jython-installer-2.7.2.jar.asc` from example
> https://repo1.maven.org/maven2/org/python/jython-installer/2.7.2/
>
> ## Identify Signing Key
>
> `gpg --verify jython-installer-2.7.2.jar.asc jython-installer-2.7.2.jar`
>
> ## Search and Import Key
>
> `gpg --keyserver hkp://pool.sks-keyservers.net --search-keys
> C8C4B9DC1E031F788B12882B875C3EF9DC4638E3`
>
> ## Verify
>
> Run the verification command again
>
> `gpg --verify jython-installer-2.7.2.jar.asc jython-installer-2.7.2.jar`
> _______________________________________________
> Jython-dev mailing list
> Jyt...@li...
> https://lists.sourceforge.net/lists/listinfo/jython-dev
>