User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:42.0) Gecko/20100101 Firefox/42.0 Build ID: 20151029151421 Steps to reproduce: I visited https://ftp.mozilla.org/pub/firefox/releases/45.0b9/ I opened web-ftp interface for mozilla ftp server https://ftp.mozilla.org/pub/firefox/releases/45.0b9/SHA512SUMS I tried to find SHA512 hash for file: https://ftp.mozilla.org/pub/firefox/releases/45.0b9/win64-EME-free/en-US/ Firefox Setup 45.0b9.exe Actual results: I found no hash for win64-EME-free version of Firefox. Expected results: I don't think that this issue is difficult issue to solve: it seems that all required infrastructure is operational - for example there is SHA 512 for en-US win-64 version. So it should be trivial and easy? Why somebody would need that hash: just the same way like any filehash. It improves detection of inconsistencies or data tampering - be it in transition or at the server-side. (This file is an installer for god damned WINDOWS program on a client machine that will have access to Web. That means spoofing firefox installer will always be a tasty attack vector for any creep out there) I apologize if I posted this bug in a wrong "Product" branch of Bugzilla - I couldn't find specialized branch for Mozilla FTP.
Component: Untriaged → Release Automation
Product: Firefox → Release Engineering
QA Contact: bhearsum
Version: 42 Branch → unspecified
The component is fine, thanks for the report. coop, the checksums generator doesn't include the EME repacks because the .checksums files like http://archive.mozilla.org/pub/firefox/candidates/45.0-candidates/build2/win64/en-US/firefox-45.0.checksums aren't available.
Perhaps, related bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1263435
For 45.0.x it's comment #1. For 46.0b1 and later it's lack of builds (bug 1260415), and possibly also comment #1.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: FTP for releases/45.0b9/win-64-EME-free has no SHA-512 hash to verify → EME-free builds not included in SHA512SUMS file and are unverifiable
See related Bug 1268737 for firefox/releases/46.0/SHA512SUMS which is missing all checksums for win32 and win64 release builds
Rail, could you triage this ? I suspect we're not not waiting for partner builds before generating checksums, and the partner repacks scripts upload to s3 directly so don't automatically generate .checksums files.
I can look at this.
Assignee: nobody → rail
Removing the "unverifiable" part, because we publish their GPG signatures, see http://ftp.mozilla.org/pub/firefox/releases/46.0.1/linux-x86_64-EME-free/ach/
Summary: EME-free builds not included in SHA512SUMS file and are unverifiable → EME-free builds not included in SHA512SUMS file
coop, I tend to wontfix this for a couple of reasons: 1) repacks are loosely related to actual releases, they can be run after we publish the release (even though they block automation ATM). In case we separate the processes, we wouldn't want to overwrite existing files. 2) the GPG signatures are not the worst way to verify their validity ;) As an option we can teach the partner repack script to generate its own SHA512SUM file and put it into the subdirectories (per platform). What you say?
(In reply to Rail Aliiev [:rail] from comment #8) > As an option we can teach the partner repack script to generate its own > SHA512SUM file and put it into the subdirectories (per platform). > > What you say? Let's teach the repack script to generate these SUMS.
Summary: EME-free builds not included in SHA512SUMS file → Generate geparate SHA512SUMS file for EME-free repacks
Summary: Generate geparate SHA512SUMS file for EME-free repacks → Generate separate SHA512SUMS file for EME-free repacks
I'm not sure if I can look at this anytime soon, back to the pool
Assignee: rail → nobody
This is related to bug 1398803 - once this partner repacks are in TC, we should have checksums generation per graph.
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1398803
You need to log in before you can comment on or make changes to this bug.