Closed Bug 710387 Opened 11 years ago Closed 9 years ago

Check manifest hash with the site on install of an app


( Graveyard :: Public Pages, defect, P4)



(Not tracked)



(Reporter: andy+bugzilla, Unassigned)



If bug 710265 lands, we'll have an md5 hash of the manifest. We could then tell if the manifest has changed between submitting to AMO and the user installing it. I'm not sure what / how we'd show to a user if that happened.
Priority: -- → P4
The more I think about it, the more I think we need to automatically push all manifest changes (discovered by the daily spider) into the marketplace DB asap. If they have a new description in their manifest, we need to update the DB immediately. In other words, the app can change at any minute and the user will always install/launch the latest version so we should try to keep up with that as best we can.
I currently don't update the description. Because the description can be edited on our side, I would be annoyed if the description was hand crafted for AMO and then be overridden for example.

Updating from the cron should be as fast as is scalable :) But there'll be that period in between changes when we can detect that.

But I'm honestly not sure what message we'll give the user anyway. "The app has changed since it was registered on AMO, are you sure you want to install it?" Not sure how helpful that really is.

Either way, that portion of it should probably go to the apps team, we just pass the hash to it.
Yeah I guess we can't use a changed manifest file to obliterate hand edited data. I was thinking that if the marketplace always showed app metadata as close to the deployed manifest as possible then there would be less of a need to warn the user about anything.

Maybe we need to put this burden on the developers. Maybe send them an email when we detect a manifest change and prompt them to update their app listing.

If we simply pass a has_changed=true flag to the WebRT then it can't really do anything useful with that at install time.
MD5 is not best practice, genericising the summary a bit. Looking at bug 710265 it looks like you've already got a sha256 hash you could use.
Summary: Check manifest md5 with the site on install of an app → Check manifest hash with the site on install of an app
Emailing the authors that their manifest changed would be good anyway - it would be reassuring for the app dev I think.
Blocks: 752013
No longer blocks: 710074
No longer blocks: 752013
we pull manifest changes into the db now.  Closing this bug.
Closed: 9 years ago
Resolution: --- → FIXED
Product: → Graveyard
You need to log in before you can comment on or make changes to this bug.