Closed Bug 1253926 Opened 9 years ago Closed 7 years ago

Generate separate SHA512SUMS file for EME-free repacks

Categories

(Release Engineering :: Release Automation, defect, P5)

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1398803

People

(Reporter: joan_sparrow, Unassigned)

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:42.0) Gecko/20100101 Firefox/42.0
Build ID: 20151029151421

Steps to reproduce:

I visited https://ftp.mozilla.org/pub/firefox/releases/45.0b9/
I opened web-ftp interface for mozilla ftp server https://ftp.mozilla.org/pub/firefox/releases/45.0b9/SHA512SUMS
I tried to find SHA512 hash for file: https://ftp.mozilla.org/pub/firefox/releases/45.0b9/win64-EME-free/en-US/ Firefox Setup 45.0b9.exe

Actual results:

I found no hash for win64-EME-free version of Firefox.

Expected results:

I don't think that this issue is a difficult issue to solve: it seems that all required infrastructure is operational - for example there is SHA 512 for en-US win-64 version. So it should be trivial and easy?

Why somebody would need that hash: just the same way like any filehash. It improves detection of inconsistencies or data tampering - be it in transition or at the server-side. (This file is an installer for god damned WINDOWS program on a client machine that will have access to Web. That means spoofing firefox installer will always be a tasty attack vector for any creep out there)

I apologize if I posted this bug in a wrong "Product" branch of Bugzilla - I couldn't find specialized branch for Mozilla FTP.
Component: Untriaged → Release Automation
Product: Firefox → Release Engineering
QA Contact: bhearsum
Version: 42 Branch → unspecified
The component is fine, thanks for the report. coop, the checksums generator doesn't include the EME repacks because the .checksums files like http://archive.mozilla.org/pub/firefox/candidates/45.0-candidates/build2/win64/en-US/firefox-45.0.checksums aren't available.
For 45.0.x it's comment #1. For 46.0b1 and later it's lack of builds (bug 1260415), and possibly also comment #1.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: FTP for releases/45.0b9/win-64-EME-free has no SHA-512 hash to verify → EME-free builds not included in SHA512SUMS file and are unverifiable
See related Bug 1268737 for firefox/releases/46.0/SHA512SUMS which is missing all checksums for win32 and win64 release builds
Rail, could you triage this? I suspect we're not waiting for partner builds before generating checksums, and the partner repacks scripts upload to s3 directly so don't automatically generate .checksums files.
I can look at this.
Assignee: nobody → rail
Removing the "unverifiable" part, because we publish their GPG signatures, see http://ftp.mozilla.org/pub/firefox/releases/46.0.1/linux-x86_64-EME-free/ach/
Summary: EME-free builds not included in SHA512SUMS file and are unverifiable → EME-free builds not included in SHA512SUMS file
coop, I tend to wontfix this for a couple of reasons:

1) repacks are loosely related to actual releases, they can be run after we publish the release (even though they block automation ATM). In case we separate the processes, we wouldn't want to overwrite existing files.
2) the GPG signatures are not the worst way to verify their validity ;)

As an option we can teach the partner repack script to generate its own SHA512SUM file and put it into the subdirectories (per platform).

What you say?
Flags: needinfo?(coop)
(In reply to Rail Aliiev [:rail] from comment #8)
> As an option we can teach the partner repack script to generate its own
> SHA512SUM file and put it into the subdirectories (per platform).
>
> What you say?

Let's teach the repack script to generate these SUMS.
Flags: needinfo?(coop)
WFM!
Summary: EME-free builds not included in SHA512SUMS file → Generate geparate SHA512SUMS file for EME-free repacks
Summary: Generate geparate SHA512SUMS file for EME-free repacks → Generate separate SHA512SUMS file for EME-free repacks
I'm not sure if I can look at this anytime soon, back to the pool
Assignee: rail → nobody
Priority: -- → P5
This is related to bug 1398803 - once these partner repacks are in TC, we should have checksums generation per graph.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
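
One way the per-platform SHA512SUMS file proposed in the comments above could be generated and checked, as an added example that is not Mozilla's repack script. The function names and the `sha512sum`-style line format (digest, two spaces, relative path) are assumptions.

```python
import hashlib
import os

SUMS_NAME = "SHA512SUMS"  # assumed name, same as the release-level file

def sha512_file(path, chunk=1 << 20):
    """Stream the file so large installers are not read into memory at once."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def _files(platform_dir):
    """Yield (relative POSIX path, full path) for every file except the sums file."""
    for root, dirs, names in os.walk(platform_dir):
        dirs.sort()
        for name in sorted(names):
            if name != SUMS_NAME:
                full = os.path.join(root, name)
                yield os.path.relpath(full, platform_dir).replace(os.sep, "/"), full

def write_sums(platform_dir):
    """Write <platform_dir>/SHA512SUMS in sha512sum format; return the entry count."""
    lines = [f"{sha512_file(full)}  {rel}\n" for rel, full in _files(platform_dir)]
    # Mode "x" raises FileExistsError rather than overwriting a published file.
    with open(os.path.join(platform_dir, SUMS_NAME), "x", encoding="utf-8") as out:
        out.writelines(lines)
    return len(lines)

def verify_sums(platform_dir):
    """Map each path to OK, MISMATCH, MISSING, INVALID or UNLISTED."""
    status = {}
    with open(os.path.join(platform_dir, SUMS_NAME), encoding="utf-8") as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            parts = rel.split("/")
            full = os.path.join(platform_dir, *parts)
            if rel.startswith("/") or ".." in parts:
                status[rel] = "INVALID"  # entry points outside the directory
            elif not os.path.isfile(full):
                status[rel] = "MISSING"
            else:
                status[rel] = "OK" if sha512_file(full) == digest else "MISMATCH"
    for rel, _ in _files(platform_dir):
        status.setdefault(rel, "UNLISTED")  # on disk but absent from the sums file
    return status
```

A sums file served from the same host as the installers detects corruption but not a server-side swap unless the file itself is authenticated, for example with a detached GPG signature like the ones the thread mentions.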