[Fedora QA] #237: tests to verify that torrents and mirrors contain signed checksum files

Fedora QA trac at fedorahosted.org
Thu Aug 25 21:31:34 UTC 2011

#237: tests to verify that torrents and mirrors contain signed checksum files
 Reporter:  robatino  |       Owner:     
     Type:  task      |      Status:  new
 Priority:  major     |   Milestone:     
Component:  Wiki      |     Version:     
 Keywords:            |  
 In many of the last several releases (11, 13, 14, and now 16), at least
 some of the Alpha or Beta torrents contain only unsigned checksum files.
 This would be easy to prevent by examining the .torrent files, which
 contain file sizes (signing a checksum file adds about 1K to the size).
 Unfortunately, at present these are not made available for testing prior
 to being posted on http://torrent.fedoraproject.org , and when the problem
 is pointed out, no matter how quickly, one is told that the torrent can't
 be replaced since people are already downloading it. This makes it
 important to catch the problem in advance.

 Many (but not all) of the torrent files for the last several releases are
 still available at http://torrent.fedoraproject.org/torrents/ and
 http://torrent.fedoraproject.org/spins/ , and can be examined for example
 with gtorrentviewer. I have not checked any older than 11, and not all the
 ones after that are available, so the above list of affected releases is
 probably incomplete.

 A less serious issue is when the checksum files get signed more than once.
 For example, the checksum files for F15 Final install discs were signed
 twice, first for the torrents and again for the mirrors - see
 http://robatino.fedorapeople.org/checksums/15-Final/Fedora/ . The
 checksums are identical, and both signatures are valid, but still, it
 shouldn't happen.

 Looking at
 https://fedoraproject.org/wiki/Release_Engineering_Release_Tickets , it
 says that for Alpha and Beta, the torrents should be staged before the
 mirrors, but the reverse for Final. I've asked why on #fedora-releng but
 gotten no response yet. It says nothing about signing the checksum files,
 though the linked page
 https://fedoraproject.org/wiki/Stage_final_release_for_mirrors (under the
 section "Final") mentions it. This may explain why Alpha and Beta torrents
 are much less likely to have signed files. If possible, it would be nice
 for the order (torrents vs. mirrors) to be the same for all three, and in
 any case, the checksum files should be signed once and then used for both
 torrents and mirrors. None of this is currently documented.

Ticket URL: <https://fedorahosted.org/fedora-qa/ticket/237>
Fedora QA <http://fedorahosted.org/fedora-qa>
Fedora Quality Assurance
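
The size check the ticket describes, as an added example that is not part of the original ticket or of any Fedora tooling: it decodes a .torrent's bencoded metainfo and flags checksum files too small to hold a signature. The 1000-byte threshold, the CHECKSUM file-name match and the sample file names are assumptions.

```python
MIN_SIGNED_SIZE = 1000  # assumption (added example): signing adds "about 1K", per the ticket

def bdecode(data, i=0):
    """Decode one bencoded value at data[i]; return (value, next_index)."""
    c = data[i:i + 1]
    if c == b"i":
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            value, i = bdecode(data, i)
            items.append(value)
        # A dict is a flat key/value sequence; a list is returned as-is.
        return (dict(zip(items[0::2], items[1::2])) if c == b"d" else items), i + 1
    if c.isdigit():
        colon = data.index(b":", i)
        start, n = colon + 1, int(data[i:colon])
        if start + n > len(data):
            raise ValueError("truncated string")
        return data[start:start + n], start + n
    raise ValueError(f"bad bencode at offset {i}")

def checksum_files(torrent_bytes):
    """Return [(path, size)] for each file whose name contains CHECKSUM."""
    info = bdecode(torrent_bytes)[0][b"info"]
    name = info[b"name"].decode("utf-8", "replace")
    if b"files" in info:  # multi-file torrent: paths are relative to name
        entries = [("/".join([name] + [p.decode("utf-8", "replace") for p in f[b"path"]]),
                    f[b"length"]) for f in info[b"files"]]
    else:  # single-file torrent
        entries = [(name, info[b"length"])]
    return [(p, n) for p, n in entries if "CHECKSUM" in p.rsplit("/", 1)[-1]]

def likely_unsigned(torrent_bytes, min_signed_size=MIN_SIGNED_SIZE):
    """Paths of checksum files too small to carry a ~1K signature."""
    return [p for p, n in checksum_files(torrent_bytes) if n < min_signed_size]

def sample_torrent(checksum_size):
    """Constructed minimal metainfo (made-up names, no piece data)."""
    s = lambda x: b"%d:%s" % (len(x), x)
    f = lambda p, n: b"d" + s(b"length") + b"i%de" % n + s(b"path") + b"l" + s(p) + b"ee"
    files = f(b"Example-Live.iso", 700000000) + f(b"Example-Live-CHECKSUM", checksum_size)
    return (b"d" + s(b"info") + b"d" + s(b"files") + b"l" + files + b"e" +
            s(b"name") + s(b"Example-Live") + b"ee")

if __name__ == "__main__":
    for size in (110, 1250):  # constructed sizes: unsigned vs. signed
        print(size, likely_unsigned(sample_torrent(size)) or "looks signed")
```

Size is only a heuristic: an unsigned checksum file that lists many images can exceed the threshold, so where the expected unsigned size for a release is known, compare against that instead.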
