push to mirrors should verify that nothing has changed since the virus scan / permissions check

RESOLVED FIXED

Status

P5
normal
RESOLVED FIXED
8 years ago
2 years ago

People

(Reporter: bhearsum, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [automation][releases])

Recently we started running the permissions check and virus scan well ahead of pushing to mirrors. This is great for getting those things out of the critical path but it leaves us vulnerable to attack if someone modifies files between those checks and pushing to mirrors. We should verify that nothing changes between those checks and pushing.

One idea to do this is to use "--out-format=%B %l %M %U %G %f" when running the "rsync -n -av ...". This will print out file sizes, permissions, owners, groups, modified times, and the file names. Then, at the start of push to mirrors we should re-run that rsync and compare the output. If those match there should be no reason to check file hashes, because those are already in *SUMS, which we've verified haven't changed.

Doing the above reduces our exposure window significantly, I don't think it eliminates it completely, though. If we do it, we should probably wait until the permissions checks and virus scan are done before running the rsync -n.
found in triage.
Priority: -- → P5
Whiteboard: [automation][releases]
(Reporter)

Updated

7 years ago
No longer blocks: 714371
Mass move of bugs to Release Automation component.
Blocks: 714371
Component: Release Engineering → Release Engineering: Automation (Release Automation)
(Reporter)

Updated

7 years ago
No longer blocks: 714371
(Reporter)

Updated

6 years ago
Duplicate of this bug: 732000
(Assignee)

Updated

5 years ago
Product: mozilla.org → Release Engineering
The files we upload are write-only-once, so this should be addressed.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
QA Contact: rail
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.