Open Bug 1661068 Opened 4 years ago Updated 1 year ago

Figure out a way to handle checksums and attribution on archive.m.o

Categories

(Release Engineering :: Release Automation: Other, enhancement)

Tracking

(Not tracked)

People

(Reporter: mkaply, Unassigned)

Currently we provide checksums for the builds on archive.m.o.

Those checksums are only valid for builds on the actual site.

If you download a build via https://www.mozilla.org/en-US/firefox/new/, because the build is marked with our attribution, the checksum from the website isn't valid.

Adding checksums for all attributed files seems unlikely, so maybe we can add a readme or something like that? Or get rid of checksums? A contributor suggested this:

=====

These checksums correspond only to the builds in these directories.

Builds that are downloaded from other locations are different, include
attributions such as [[include an example here of the purpose of an
attribution]], and do not have checksums.

The proper way to verify Mozilla builds is to verify their digital
signatures, which can be accomplished in your file manager and in
dedicated signature verification applications.

For more details: [[Include a link here to a relevant Mozilla web page
if one exists.]]

=====

The filename could be something like "Checksum notice.txt".

The proposed approach seems valid to me. What's your opinion on adding such a notice file, :bhearsum?

Depends on: 1814727, 1816992
Flags: needinfo?(bhearsum)
Severity: -- → N/A
Type: task → enhancement

I don't see any downside!

Flags: needinfo?(bhearsum)