#4906: some form of QA access to torrent and mirror content prior to public posting

Fedora Release Engineering rel-eng at fedoraproject.org
Tue Aug 30 01:43:52 UTC 2011


#4906: some form of QA access to torrent and mirror content prior to public
posting
----------------------------+-----------------------------------------------
 Reporter:  robatino        |       Owner:  rel-eng at lists.fedoraproject.org
     Type:  task            |      Status:  new                            
Milestone:  Fedora 16 Beta  |   Component:  koji                           
 Keywords:                  |  
----------------------------+-----------------------------------------------
 In the last several releases, there has been a high probability that at
 least some of the Alpha and Beta torrents will have only unsigned checksum
 files (see https://fedorahosted.org/fedora-qa/ticket/237 ). No matter how
 quickly the problem is noticed, one is always told that it can't be fixed
 after public posting, since people are already downloading. Unfortunately,
 QA has no access prior to public posting to prevent it. There are
 documentation issues in releng's SOP pages that probably aggravate this
 problem (see the other ticket), but even if these are fixed, QA should
 still have a chance to check the content before it's public. A lesser
 problem is if the checksum files are signed more than once and different
 files are used on the torrents vs. mirrors (as in F15 Final). I realize
 there are possible secrecy issues regarding access to the signed files
 prior to the official release, but the mirrors are given access days in
 advance, and they almost always leak. QA might be able to set up some kind
 of AutoQA checking to minimize the amount of human access. In any case, QA
 could at least be given access to the .torrent files, to check the size of
 the checksum files. Signing adds about 1K to the size, so it would be
 possible to detect if the unsigned file was used. Having access to the
 actual signed file would be nicer, if possible, since the test could be
 both simpler and more reliable (verifying the signature itself).

-- 
Ticket URL: <https://fedorahosted.org/rel-eng/ticket/4906>
Fedora Release Engineering <http://fedorahosted.org/rel-eng>
Release Engineering for the Fedora Project
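
The size check proposed in the ticket, as an added example that is not part of the original message or of Fedora's tooling: it reads the file list from .torrent metadata and compares each CHECKSUM file's length with an estimate of its unsigned size. Assumptions: a multi-file torrent, checksum files named *CHECKSUM, unsigned content in sha256sum format, a 500-byte threshold (the ticket says signing adds about 1K), and constructed sample names and sizes.

```python
def bdecode(data, i=0):
    """Decode one bencoded value at data[i]; return (value, next_index)."""
    c = data[i:i + 1]
    if c == b"i":
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):
        items, i = [], i + 1
        while data[i:i + 1] != b"e":      # truncated input raises ValueError below
            value, i = bdecode(data, i)
            items.append(value)
        if c == b"d":
            items = dict(zip(items[0::2], items[1::2]))
        return items, i + 1
    colon = data.index(b":", i)           # byte string: <length>:<bytes>
    n = int(data[i:colon])
    return data[colon + 1:colon + 1 + n], colon + 1 + n

def check_checksum_sizes(torrent_bytes, min_overhead=500):
    """Map each *CHECKSUM file in the torrent to its size check result."""
    info = bdecode(torrent_bytes)[0][b"info"]
    files = [(f[b"path"][-1].decode(), f[b"length"]) for f in info.get(b"files", [])]
    images = [name for name, _ in files if not name.endswith("CHECKSUM")]
    # Assumption: unsigned content is sha256sum output, "<64 hex> *<name>\n" per image.
    unsigned_estimate = sum(64 + 2 + len(name) + 1 for name in images)
    return {name: {"length": length, "overhead": length - unsigned_estimate,
                   "looks_signed": length - unsigned_estimate >= min_overhead}
            for name, length in files if name.endswith("CHECKSUM")}

def bencode(v):
    """Encoder used only to build the constructed sample below."""
    if isinstance(v, int): return b"i%de" % v
    if isinstance(v, bytes): return b"%d:%s" % (len(v), v)
    if isinstance(v, list): return b"l" + b"".join(map(bencode, v)) + b"e"
    return b"d" + b"".join(bencode(k) + bencode(x) for k, x in sorted(v.items())) + b"e"

def sample_torrent(checksum_length):
    """Constructed metadata: one image plus a CHECKSUM file of the given size."""
    files = [{b"length": 3500000000, b"path": [b"Fedora-16-Beta-x86_64-DVD.iso"]},
             {b"length": checksum_length, b"path": [b"Fedora-16-Beta-x86_64-CHECKSUM"]}]
    return bencode({b"info": {b"name": b"Fedora-16-Beta-x86_64-DVD", b"files": files,
                              b"piece length": 262144, b"pieces": b""}})

if __name__ == "__main__":
    for size in (96, 1100):
        print(size, check_checksum_sizes(sample_torrent(size)))
```

A size check like this only shows whether the file is large enough to carry a signature; verifying the signature on the actual file, as the ticket notes, is the more reliable test.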

