From: Adam B. <ada...@gm...> - 2020-05-22 03:21:07
Ok - PR here: https://github.com/jython/jython.github.io/pull/19

Adam

On Sun, 3 May 2020 at 03:52, Eero Aaltonen <eer...@ik...> wrote:

> Hi Adam,
>
> The bazel.build includes an SHA1 checksum, which can be used for limited
> verification. It is still however hosted on the same server infrastructure.
>
> Providing the users the means to verify the installer against the PGP
> public key of someone doing the release is less vulnerable to malicious
> actors (*assuming the developers who perform a release keep their
> private key.. private*).
>
> So in a nutshell, the PGP verification is more resilient security wise.
>
> Cheers,
> Eero
>
> On Sat, May 2, 2020 at 3:14 PM Adam Burke <ada...@gm...> wrote:
>
>> Thanks Eero. Sorry this flew under the radar earlier.
>>
>> I guess the intent on the download page is all that information is
>> available using the "metadata" link, eg
>>
>> Jython Installer
>> <https://repo1.maven.org/maven2/org/python/jython-installer/2.7.2/jython-installer-2.7.2.jar> -
>> Use this to install Jython. (metadata
>> <https://search.maven.org/artifact/org.python/jython-installer/2.7.2/jar>)
>>
>> Do you think that's too obscure, or introduces some security risk? I note
>> the CPython download page links to the .asc sig file for their downloads
>> too.
>>
>> Cheers
>> Adam
>>
>>
>> On Sun, 5 Apr 2020 at 23:17, Eero Aaltonen <eer...@ik...> wrote:
>>
>>> Thank you for your hard work on making the release!
>>>
>>> The obvious place to download the release
>>> https://www.jython.org/download.html
>>>
>>> Currently does not have obvious instructions for verifying the download.
>>> Everything required for that however seems to be in place:
>>> * https://repo1.maven.org/maven2/org/python/jython-installer/2.7.2/
>>> .asc signatures
>>> * https://jython-devguide.readthedocs.io/en/latest/release_jy.html#publication
>>> releases (Jeff's) public key on the keyserver.
>>>
>>> In case you wish to add verification instructions to the download page,
>>> I made a sketch while doing that myself
>>>
>>> ## Download release and signature
>>>
>>> Download files
>>>
>>> * `jython-installer-2.7.2.jar`
>>> * `jython-installer-2.7.2.jar.asc`
>>>
>>> for example from
>>> https://repo1.maven.org/maven2/org/python/jython-installer/2.7.2/
>>>
>>> ## Identify Signing Key
>>>
>>> `gpg --verify jython-installer-2.7.2.jar.asc jython-installer-2.7.2.jar`
>>>
>>> ## Search and Import Key
>>>
>>> `gpg --keyserver hkp://pool.sks-keyservers.net --search-keys C8C4B9DC1E031F788B12882B875C3EF9DC4638E3`
>>>
>>> ## Verify
>>>
>>> Run the verification command again
>>>
>>> `gpg --verify jython-installer-2.7.2.jar.asc jython-installer-2.7.2.jar`
>>> _______________________________________________
>>> Jython-dev mailing list
>>> Jyt...@li...
>>> https://lists.sourceforge.net/lists/listinfo/jython-dev
>>>
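The verify / import key / verify-again procedure sketched at the end of the thread, as an added example that is not part of the thread or of the Jython project's own tooling. It assumes GnuPG 2.1 or newer on PATH; the releaser key, the impostor key and the "installer" bytes are all constructed in a temporary directory so it runs offline, and the only value taken from the thread is the pinned fingerprint C8C4B9DC1E031F788B12882B875C3EF9DC4638E3. What it adds to the sketch is the check a practitioner wants after the key import: `gpg --verify` prints "Good signature" for a signature made by any key in your keyring, so the script parses gpg's status output and refuses a signature unless it was made by the expected fingerprint.

```shell
#!/bin/sh
# Added example (not from the thread or the Jython project): verify a detached
# .asc signature AND pin the signing key's fingerprint. A plain "Good signature"
# from gpg only means that some key in your keyring signed the file.
# Requires GnuPG 2.1+ on PATH; everything else is built in temporary directories.
set -eu

# Release key fingerprint quoted in the thread for jython-installer 2.7.2.
JYTHON_RELEASE_FPR="C8C4B9DC1E031F788B12882B875C3EF9DC4638E3"

# verify_release ARTIFACT SIGNATURE EXPECTED_FINGERPRINT
#   returns 0: valid signature made by the pinned key
#           1: no valid signature (tampered file, bad signature, unknown key)
#           2: valid signature, but made by some other key
verify_release() {
    artifact=$1
    sig=$2
    want=$(printf '%s' "$3" | tr '[:lower:]' '[:upper:]')
    # --status-fd 1 emits machine-readable lines. VALIDSIG carries the signing
    # key fingerprint in field 3 and the primary key fingerprint in the last
    # field (they differ when a release is signed with a subkey); accept either.
    fprs=$(gpg --batch --status-fd 1 --verify "$sig" "$artifact" 2>/dev/null \
           | awk '/^\[GNUPG:\] VALIDSIG /{print $3, $NF; exit}') || true
    [ -n "$fprs" ] || return 1
    for f in $fprs; do
        if [ "$f" = "$want" ]; then return 0; fi
    done
    return 2
}

# new_key GNUPGHOME USER-ID  -> prints the new primary key's fingerprint
new_key() {
    GNUPGHOME=$1 gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$2" ed25519 sign 0 2>/dev/null
    GNUPGHOME=$1 gpg --batch --with-colons --list-keys "$2" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# sign_detached GNUPGHOME FINGERPRINT FILE  -> writes FILE.asc (armored, detached)
sign_detached() {
    GNUPGHOME=$1 gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --local-user "$2" --armor --detach-sign --output "$3.asc" "$3" 2>/dev/null
}

# run_scenario: constructed releaser and impostor keys, a genuine download, a
# trojaned one and a tampered one, each checked with verify_release.
# Prints "good=RC wrongkey=RC tampered=RC".
run_scenario() {
    work=$(mktemp -d)
    for d in releaser mallory user; do mkdir -m 700 "$work/$d"; done

    rel_fpr=$(new_key "$work/releaser" "Release Manager (constructed) <rel@example.invalid>")
    mal_fpr=$(new_key "$work/mallory"  "Mallory (constructed) <mal@example.invalid>")

    # constructed stand-in for jython-installer-2.7.2.jar, plus a trojaned copy
    printf 'constructed installer bytes\n' > "$work/installer.jar"
    sign_detached "$work/releaser" "$rel_fpr" "$work/installer.jar"
    printf 'trojaned installer bytes\n'   > "$work/trojan.jar"
    sign_detached "$work/mallory"  "$mal_fpr" "$work/trojan.jar"

    # The user's keyring ends up holding both keys, as after an over-broad
    # keyserver search; gpg will call Mallory's signature "Good" as well.
    for d in releaser mallory; do
        GNUPGHOME="$work/$d" gpg --batch --export --armor \
            | GNUPGHOME="$work/user" gpg --batch --quiet --import 2>/dev/null
    done

    export GNUPGHOME="$work/user"   # clobbers any GNUPGHOME the caller had set
    good=0;   verify_release "$work/installer.jar" "$work/installer.jar.asc" "$rel_fpr" || good=$?
    wrong=0;  verify_release "$work/trojan.jar"    "$work/trojan.jar.asc"    "$rel_fpr" || wrong=$?
    printf 'x' >> "$work/installer.jar"   # a byte changed after signing
    tamper=0; verify_release "$work/installer.jar" "$work/installer.jar.asc" "$rel_fpr" || tamper=$?
    unset GNUPGHOME

    for d in releaser mallory user; do
        GNUPGHOME="$work/$d" gpgconf --kill all 2>/dev/null || true
    done
    rm -rf "$work"
    echo "good=$good wrongkey=$wrong tampered=$tamper"
}

if command -v gpg >/dev/null 2>&1; then
    run_scenario            # prints: good=0 wrongkey=2 tampered=1
else
    echo "gpg not found; install GnuPG 2.1+ to run this example" >&2
fi
```

The trojaned jar is the case the sketch alone does not catch: gpg's human-readable output says "Good signature from Mallory", and only the fingerprint comparison rejects it. For the real files, import the key as in the sketch and then run `verify_release jython-installer-2.7.2.jar jython-installer-2.7.2.jar.asc "$JYTHON_RELEASE_FPR"`; a checksum published on the same server would not distinguish any of these three cases if that server were compromised.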