Closed Bug 159999 Opened 23 years ago Closed 21 years ago

Publish MD5 hashes of Mozilla binaries

Categories

(mozilla.org :: FTP: Staging, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: security-bugs, Assigned: endico)

References

Details

We should generate and publish MD5 hash values for each milestone release on each major platform, so that people concerned with security can verify that their copy of Mozilla has not been altered. The hash generation could of course be automated.
I do this already, but the process isn't automated, so recently added builds aren't always on the list; the major platforms are, though. http://ftp.mozilla.org/pub/releases/mozilla1.1b/MD5SUMS
*** Bug 181811 has been marked as a duplicate of this bug. ***
MD5 and PGP signatures should be integrated into the build process. This is what Apache does for their downloads: http://httpd.apache.org/download.cgi#verify
There are no MD5SUMs for Firefox. Would be very nice to have that.
Bug 247789 and bug 222261 both deal with publishing SHA1 hashes of Mozilla binaries, and bug 247787 deals with ed2k links, which use a special form of MD5 hash. http://bittorrent.mozilla.org:6969/ serves BitTorrent links to the Mozilla suite binaries and also displays their SHA1 hash. Bitcollider, found here: http://bitzi.com/bitcollider/ , can calculate hashes for bug 247789, bug 222261 and bug 247787, as well as the ordinary MD5 hashes that this bug suggests.
Mozilla has mirrors, so is there any mechanism currently besides TCP/IP error checking for assuring that the files copied to the mirrors aren't corrupted, or become corrupted?
MD5 checksums need to be published along with the links to downloads, like Apache does. PGP signatures would also be highly appreciated. It's time to do that; millions are switching to Mozilla for security reasons.
Can anyone give a status update and a time window for this? I am actually surprised nothing has been done until now; Mozilla normally is a very security-concerned organisation.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Getting the md5 sums from the same mirrored directory as the potentially-hacked binaries doesn't inspire a lot of confidence. Will help catch incidental corruption, but this bug was initially about security concerns. We need to publish these on a non-mirrored server and provide links from our site. Looks like we're starting to implement signing as well. I guess we could sign the md5sum files, too, and call it done.
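A checker for the MD5SUMS file format this thread refers to, added here as an example (it is not Mozilla's or Apache's tooling); the file names, file contents and the MD5SUMS text are constructed for the demonstration.

```python
"""Verify downloaded files against a coreutils-style MD5SUMS / SHA1SUMS list.

Added example, not part of the bug thread or of Mozilla's release process.
Note the thread's own caveat: a sums file fetched from the same mirror as
the binaries only catches corruption; authenticity needs a signature on it.
"""
import hashlib
from typing import Dict

# Constructed sample downloads held as in-memory bytes (names are made up).
FILES: Dict[str, bytes] = {
    "mozilla-i686-pc-linux-gnu-1.1b.tar.gz": b"abc",
    "mozilla-win32-1.1b-installer.exe": b"",
}

# Constructed MD5SUMS text in md5sum(1) output format: <digest><sep><name>,
# where <sep> is two spaces (text mode) or space + '*' (binary mode).
# Line 2 carries a deliberately wrong digest; line 3 names an absent file.
MD5SUMS = (
    "900150983cd24fb0d6963f7d28e17f72  mozilla-i686-pc-linux-gnu-1.1b.tar.gz\n"
    "00000000000000000000000000000000 *mozilla-win32-1.1b-installer.exe\n"
    "d41d8cd98f00b204e9800998ecf8427e  missing-from-download.txt\n"
)


def parse_sums(text: str) -> Dict[str, str]:
    """Map file name -> lowercase hex digest, skipping blank and '#' lines."""
    sums: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, name = line.split(" ", 1)   # digest never contains a space
        sums[name.lstrip(" *")] = digest.lower()  # drop text/binary marker
    return sums


def verify(sums_text: str, files: Dict[str, bytes], algo: str = "md5") -> Dict[str, str]:
    """Return per-file status: OK, MISMATCH, BAD_FORMAT or MISSING."""
    expected_len = hashlib.new(algo).digest_size * 2
    report: Dict[str, str] = {}
    for name, want in parse_sums(sums_text).items():
        if name not in files:
            report[name] = "MISSING"
        elif len(want) != expected_len:
            report[name] = "BAD_FORMAT"   # e.g. a SHA1 line in an MD5 list
        else:
            got = hashlib.new(algo, files[name]).hexdigest()
            report[name] = "OK" if got == want else "MISMATCH"
    return report


def all_ok(report: Dict[str, str]) -> bool:
    """True only when every listed file was present and matched."""
    return bool(report) and all(status == "OK" for status in report.values())
```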
Myk, will I have to open a new bug for the firefox binaries? Is this component only for mozilla-suite? Furthermore, I agree with comment 10. Why not pgp-sign either the binaries or the MD5SUM-file?
The Firefox binaries have md5sums published already; whatever we do for the suite will be done for all.
Myk: Shouldn't every directory that has any binaries have MD5SUMs? Although directories like ftp://ftp.mozilla.org/pub/mozilla.org/mozilla/releases/mozilla1.8a4/ have MD5SUMs, there are many that don't, such as:
ftp://ftp.mozilla.org/pub/mozilla.org/mozilla/libraries/win32/
ftp://ftp.mozilla.org/pub/mozilla.org/mozilla/nightly/latest-trunk/
ftp://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-trunk/

Tobias: To clarify, I meant Mozilla project binaries, meaning anything. Firefox does have MD5SUMs, but not in every directory.

Daniel: The MD5SUMs appear on ftp.mozilla.org. Is ftp.mozilla.org a mirrored server?