Ticket #237 (reopened task)
tests to verify that torrents and mirrors contain signed checksum files
Reported by: robatino | Owned by:
In many of the last several releases (11, 13, 14, and now 16), at least some of the Alpha or Beta torrents contain only unsigned checksum files. This would be easy to prevent by examining the .torrent files, which contain file sizes (signing a checksum file adds about 1K to the size). Unfortunately, at present these are not made available for testing prior to being posted on http://torrent.fedoraproject.org , and when the problem is pointed out, no matter how quickly, one is told that the torrent can't be replaced since people are already downloading it. This makes it important to catch the problem in advance.
Many (but not all) of the torrent files for the last several releases are still available at http://torrent.fedoraproject.org/torrents/ and http://torrent.fedoraproject.org/spins/ , and can be examined for example with gtorrentviewer. I have not checked any older than 11, and not all the ones after that are available, so the above list of affected releases is probably incomplete.
A less serious issue is when the checksum files get signed more than once. For example, the checksum files for F15 Final install discs were signed twice, first for the torrents and again for the mirrors - see http://robatino.fedorapeople.org/checksums/15-Final/Fedora/ . The checksums are identical, and both signatures are valid, but still, it shouldn't happen.
Looking at https://fedoraproject.org/wiki/Release_Engineering_Release_Tickets , it says that for Alpha and Beta, the torrents should be staged before the mirrors, but the reverse for Final. I've asked why on #fedora-releng but gotten no response yet. It says nothing about signing the checksum files, though the linked page https://fedoraproject.org/wiki/Stage_final_release_for_mirrors (under the section "Final") mentions it. This may explain why Alpha and Beta torrents are much less likely to have signed files. If possible, it would be nice for the order (torrents vs. mirrors) to be the same for all three, and in any case, the checksum files should be signed once and then used for both torrents and mirrors. None of this is currently documented.
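The size check described in this ticket, as an added example that is not part of the ticket or of Fedora's release tooling: it reads file sizes from .torrent metadata and flags checksum files too small to carry a signature. The `*CHECKSUM` file naming, the `sha256 *name` line format, the 512-byte cutoff and the sample torrent are assumptions constructed for illustration.

```python
# Added example: flag checksum files in .torrent metadata that look unsigned.
LINE_OVERHEAD = 64 + 2 + 1  # assumed unsigned line: sha256 hex + " *" + name + "\n"
MIN_SIG_BYTES = 512         # assumed cutoff; the ticket says signing adds about 1K

def bdecode(data, i=0):
    """Decode one bencoded value at data[i]; return (value, next_index)."""
    c = data[i:i + 1]
    if c == b"i":
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            value, i = bdecode(data, i)  # raises ValueError on truncated input
            items.append(value)
        if c == b"d":
            return dict(zip(items[0::2], items[1::2])), i + 1
        return items, i + 1
    colon = data.index(b":", i)
    size = int(data[i:colon])
    return data[colon + 1:colon + 1 + size], colon + 1 + size

def torrent_files(raw):
    """Return {path: size} for a single-file or multi-file torrent."""
    info = bdecode(raw)[0][b"info"]
    if b"files" in info:
        return {b"/".join(f[b"path"]).decode(): f[b"length"] for f in info[b"files"]}
    return {info[b"name"].decode(): info[b"length"]}

def unsigned_checksum_files(raw):
    """Return checksum paths too small to hold the listing plus a signature."""
    files = torrent_files(raw)
    names = [p.rsplit("/", 1)[-1] for p in files if not p.endswith("CHECKSUM")]
    baseline = sum(LINE_OVERHEAD + len(n) for n in names)
    return [p for p, size in files.items()
            if p.endswith("CHECKSUM") and size - baseline < MIN_SIG_BYTES]

def sample_torrent(checksum_size):
    """Constructed metadata for one ISO plus a checksum file (not a real release)."""
    s = lambda b: str(len(b)).encode() + b":" + b
    f = lambda name, size: (b"d" + s(b"length") + b"i%de" % size
                            + s(b"path") + b"l" + s(name) + b"ee")
    files = f(b"Fedora-XX-i386-DVD.iso", 3_700_000_000) + f(b"Fedora-XX-i386-CHECKSUM", checksum_size)
    return b"d" + s(b"info") + b"d" + s(b"files") + b"l" + files + b"e" + s(b"name") + s(b"Fedora-XX") + b"ee"

if __name__ == "__main__":
    for size in (89, 89 + 1024):  # unsigned baseline, then roughly 1K larger
        print(size, unsigned_checksum_files(sample_torrent(size)))
```

A size check like this only screens the metadata before a torrent is posted; verifying the signature on the checksum file itself remains the authoritative test.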
- Status changed from new to closed
- Resolution set to invalid
comment:14 Changed 4 years ago by robatino
- Status changed from closed to reopened
- Resolution invalid deleted