Closed Bug 306139 Opened 19 years ago Closed 19 years ago

list of md5sums for each file in the official mozilla releases

Categories

(Firefox Build System :: General, defect)

Type: defect, Priority: Not set, Severity: normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: goodwill.mozilla.bugzilla, Unassigned)

Details

It would be really nice to have a list of md5sums for each of the files of the
official mozilla release installers.

That way when I want to check the integrity of my browser.jar I just md5sum
browser.jar and compare it with the officially posted one. 

example:
----------------
2bcaf4acb6bbe67df478d6288c894efc  ./components/necko.xpt
5ad3462450b3102cb9f7386d7a6da081  ./components/necko_strconv.xpt
1a497aa762459b22fa770df2ec7823c5  ./components/filepicker.xpt
51f69cdd33e3bc3ea1941aea2dba9aef  ./components/qfaservices.xpt
258af59879f22c3b73968c17f3f14c97  ./components/necko_cache.xpt
29cbe89849233b59bdb14d68a37d39d8  ./components/intl.xpt
9fd511c2a19ad498f8dd0395f15ad598  ./components/xremoteservice.xpt
fab8dbabf71ffc0824f7877b8a8be585  ./libnss3.so
8807a6b98958fd212fee88110d0ef64e  ./firefox
0330bf96a540a5342babddf83be60060  ./libplds4.so
e408d7ebe92a23b580561b00a12f98ff  ./chrome/en-US.jar
54dffcdcea320dfe531af03511805e4c  ./chrome/pippki.jar
55dc95aa084cf17351c8175b1f0aeafa  ./chrome/inspector.jar
dad84570d09530d2a6467087faf0d5c7  ./chrome/icons/default/chatzilla-window16.xpm
----------

A simple way to do it would be to run this in the compile directory:
 find . -type f ! -path ./checksums -exec md5sum {} \; > checksums

Since the installation directory is created by the installer, and possibly
different for anyone (depending on installation options), would this make any
sense? Also note that we plan to do frequent updates with the new update
system, that destroys this completely.

Note that installer and the new update system use internal checksums.

The location of the installation directory is known by make.
Even with frequent updates the files would have specific signatures which are
associated with a specific version/subversion. As I mentioned, I am talking about
the official releases by mozilla, not compilations by different distros or such.
Also the change to the code itself is minor. It would just be nice to have those
md5sums or a check of integrity on installation. As we all know, .jar files
are easy to hack.

The only additional overhead would be placing the file with the md5sums alongside
the installers.

Mind you, this issue has been raised by a concerned user on mozilla irc in the past.

(In reply to comment #2)
> the location of the installation directory is known by make.

I'm not talking about the location, I'm talking about the /contents/.

What does /content have to do with anything?
You run this in the directory that contains firefox binaries and the rest.

Please clarify.

Why is it insufficient to have a single MD5sum (or something stronger) for the
entire released tarball?

An argument has been raised before that .jar files are very easy to modify to do
harm. The ease mainly stems from it being simply compressed and relatively easy
to understand and modify javascript and xul files. This offers a great
opportunity for virus, trojan, malware and spyware writers. The same argument does
not really apply to extensions as much because they are more easily tracked down.
The signature for the installer/tarball is good for when you originally
downloaded the application.

But it is not good for checking the integrity of installed files. (Granted, one can
tar the files again, but I also speak of the installer here, not just the tarball.)

It seems that it would be good to have signatures for each individual file in
the installation. Mind you, I only think this should be applied to officially supported
releases and not nightlies.

And do what with them? We aren't going to check checksums on every load, and
even if we did what adequate remedial action could we take? If you want to
install, take the checksum and regularly check it "out of band", that's fine,
but that doesn't need to involve our release process.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → WONTFIX

This would be for people who want to manually ensure the file integrity at any
point in time. Very much like the md5sums used for checking of the
installer/tarballs for download now.
Component: Build Config → General
Product: Firefox → Firefox Build System
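
An added example, not part of the bug thread or of any Mozilla tooling: one way to do the "out of band" check discussed above, recording a per-file manifest right after installation and later reporting modified, missing and unexpected files (the last of which `md5sum -c` alone does not report). The function names and the sample tree are constructed for illustration; manifest lines use the md5sum/sha256sum output format shown in the report, with SHA-256 as the default hash.

```python
import hashlib
import tempfile
from pathlib import Path
import re

# One line of md5sum/sha256sum output: "<hex digest>  ./relative/path"
LINE = re.compile(r"^([0-9a-f]{32}|[0-9a-f]{64}) [ *](.+)$")
ALGO_BY_LEN = {32: "md5", 64: "sha256"}  # digest length selects the hash

def digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def list_files(root):
    """Relative paths of all regular files under root, in './a/b' form."""
    return sorted("./" + p.relative_to(root).as_posix()
                  for p in Path(root).rglob("*") if p.is_file())

def build_manifest(root, algo="sha256"):
    return "".join(f"{digest(Path(root) / p, algo)}  {p}\n" for p in list_files(root))

def verify_tree(root, manifest):
    """Return (modified, missing, unexpected) path lists for root vs. manifest text."""
    expected = {m.group(2): m.group(1)
                for m in map(LINE.match, manifest.splitlines()) if m}
    modified, missing = [], []
    for path, want in sorted(expected.items()):
        full = Path(root) / path
        if not full.is_file():
            missing.append(path)
        elif digest(full, ALGO_BY_LEN[len(want)]) != want:
            modified.append(path)
    unexpected = [p for p in list_files(root) if p not in expected]
    return modified, missing, unexpected

def demo():
    """Constructed sample tree: record a manifest, tamper with the tree, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "chrome").mkdir()
        for name in ("firefox", "chrome/browser.jar", "chrome/en-US.jar"):
            (root / name).write_bytes(b"original " + name.encode())
        manifest = build_manifest(root)  # in real use, stored outside the tree
        (root / "chrome/browser.jar").write_bytes(b"tampered")  # modified
        (root / "chrome/en-US.jar").unlink()                    # missing
        (root / "chrome/extra.jar").write_bytes(b"")            # unexpected
        return verify_tree(root, manifest)
```

The manifest is only useful if it is kept somewhere the installed tree's writer cannot reach, since anyone able to modify a .jar in place could rewrite a manifest stored beside it.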