#237: tests to verify that torrents and mirrors contain signed checksum files
----------------------+-----------------------------------------------------
Reporter: robatino | Owner:
Type: task | Status: new
Priority: major | Milestone:
Component: Wiki | Version:
Keywords: |
----------------------+-----------------------------------------------------
In many of the last several releases (11, 13, 14, and now 16), at least
some of the Alpha or Beta torrents contain only unsigned checksum files.
This would be easy to prevent by examining the .torrent files, which
contain file sizes (signing a checksum file adds about 1K to the size).
Unfortunately, at present these are not made available for testing prior
to being posted on
http://torrent.fedoraproject.org , and when the problem
is pointed out, no matter how quickly, one is told that the torrent can't
be replaced since people are already downloading it. This makes it
important to catch the problem in advance.

Many (but not all) of the torrent files for the last several releases are
still available at
http://torrent.fedoraproject.org/torrents/ and
http://torrent.fedoraproject.org/spins/ , and can be examined for example
with gtorrentviewer. I have not checked any older than 11, and not all the
ones after that are available, so the above list of affected releases is
probably incomplete.

A less serious issue is when the checksum files get signed more than once.
For example, the checksum files for F15 Final install discs were signed
twice, first for the torrents and again for the mirrors - see
http://robatino.fedorapeople.org/checksums/15-Final/Fedora/ . The
checksums are identical, and both signatures are valid, but still, it
shouldn't happen.

Looking at
https://fedoraproject.org/wiki/Release_Engineering_Release_Tickets , it
says that for Alpha and Beta, the torrents should be staged before the
mirrors, but the reverse for Final. I've asked why on #fedora-releng but
gotten no response yet. It says nothing about signing the checksum files,
though the linked page
https://fedoraproject.org/wiki/Stage_final_release_for_mirrors (under the
section "Final") mentions it. This may explain why Alpha and Beta torrents
are much less likely to have signed files. If possible, it would be nice
for the order (torrents vs. mirrors) to be the same for all three, and in
any case, the checksum files should be signed once and then used for both
torrents and mirrors. None of this is currently documented.
--
Ticket URL: <https://fedorahosted.org/fedora-qa/ticket/237>
Fedora QA <http://fedorahosted.org/fedora-qa>
Fedora Quality Assurance
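
The size check the ticket describes, as an added example that is not part of the original ticket or of any Fedora tooling: it reads the file sizes recorded in a .torrent's metadata and reports every checksum file whose size differs from that of the signed file. The function names, the sample file names and sizes, and the assumption that the tester already knows the size of each signed checksum file are all hypothetical.

```python
def bdecode(data, i=0):
    """Decode one bencoded value at offset i; return (value, next_offset)."""
    kind = data[i:i + 1]
    if kind == b"i":
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if kind in (b"l", b"d"):
        items, i = [], i + 1
        while data[i:i + 1] != b"e":  # truncated input ends in ValueError
            item, i = bdecode(data, i)
            items.append(item)
        if kind == b"d":  # a dict is a flat key, value, key, value... sequence
            return dict(zip(items[0::2], items[1::2])), i + 1
        return items, i + 1
    colon = data.index(b":", i)  # byte string: <length>:<bytes>
    size = int(data[i:colon])
    return data[colon + 1:colon + 1 + size], colon + 1 + size

def checksum_sizes(torrent):
    """Map every path containing CHECKSUM to the length the torrent declares."""
    info = bdecode(torrent)[0][b"info"]
    # A single-file torrent has one top-level length instead of a files list.
    files = info.get(b"files") or [{b"path": [], b"length": info[b"length"]}]
    sizes = {}
    for entry in files:
        path = b"/".join([info[b"name"]] + entry[b"path"]).decode()
        if "CHECKSUM" in path.upper():
            sizes[path] = entry[b"length"]
    return sizes

def unsigned_suspects(torrent, signed_sizes):
    """Checksum files whose torrent size differs from the signed file's size."""
    return {p: (n, signed_sizes.get(p)) for p, n in
            checksum_sizes(torrent).items() if signed_sizes.get(p) != n}

def bencode(v):  # encoder used only to build the constructed sample below
    if isinstance(v, (int, bytes)):
        return b"i%de" % v if isinstance(v, int) else b"%d:%s" % (len(v), v)
    if isinstance(v, dict):  # keys sorted, then flattened to k, v, k, v...
        return b"d" + bencode([x for k in sorted(v) for x in (k, v[k])])[1:]
    return b"l" + b"".join(map(bencode, v)) + b"e"

# Constructed sample (invented names/sizes); SIGNED = known signed-file sizes.
SAMPLE = bencode({b"info": {b"name": b"Fedora-16-Beta-i386-DVD", b"files": [
    {b"path": [b"Fedora-16-Beta-i386-DVD.iso"], b"length": 3700000000},
    {b"path": [b"Fedora-16-Beta-i386-CHECKSUM"], b"length": 312}]}})
SIGNED = {"Fedora-16-Beta-i386-DVD/Fedora-16-Beta-i386-CHECKSUM": 1298}
if __name__ == "__main__":
    print(unsigned_suspects(SAMPLE, SIGNED))
```

Each reported entry maps a path to the pair (size in the torrent, size of the signed file); an empty result means every checksum file in the torrent matches its signed counterpart.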