Opened 5 years ago

Last modified 10 months ago

#13134 new task

Figure out access rights to new dists.torproject.org

Reported by: phobos Owned by: tpa
Priority: Medium Milestone: WebsiteV3
Component: Internal Services/Service - dist Version:
Severity: Normal Keywords:
Cc: boklm Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Figure out access rights to new dists.torproject.org so people can upload their precious binaries of love.

Child Tickets

Change History (11)

comment:1 Changed 5 years ago by weasel

Cc: erinn added

AIUI, Erinn was working on something?

comment:2 Changed 5 years ago by weasel

Hey Erinn. Is this still something you're working on?

comment:3 Changed 5 years ago by weasel

Parent ID: #13133

comment:4 Changed 5 years ago by weasel

Cc: erinn removed

Apparently Erinn no longer is working on this.

comment:5 Changed 3 years ago by weasel

Owner: set to tpa
Status: newassigned

comment:6 Changed 3 years ago by weasel

Status: assignednew

comment:7 Changed 21 months ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"

comment:8 Changed 10 months ago by arma

I have memories of seeing a ticket some years ago about writing a script that would auto check signatures, know which developers have which keys and develop which software, and then you would essentially submit your new releases and the script would put your file in the right place.

At that point we wouldn't need to give 13+ people access to change every file in dist, and things could scale better.

I continue to think this script is a good idea. :)

comment:9 Changed 10 months ago by arma

Component: Internal Services/Tor Sysadmin TeamInternal Services/Service - dist

I'm putting this ticket into the service - dist component since it really is about designing a better dist service, not about sysadmining the underlying computers.

comment:10 in reply to:  8 Changed 10 months ago by boklm

Cc: boklm added
Component: Internal Services/Service - distInternal Services/Tor Sysadmin Team

Replying to arma:

I have memories of seeing a ticket some years ago about writing a script that would auto check signatures, know which developers have which keys and develop which software, and then you would essentially submit your new releases and the script would put your file in the right place.

I am wondering what the interface to talk to this script should be.

Maybe some signed email containing a json text with a lists of files/directories to add or remove?

For example someone releasing version 0.2 of project foo would upload it to people.torproject.org:~/public_html/tmp/foo/0.2 (or any other web server), and send a gpg signed email containing the following text (probably generated using some tool):

{
project: 'foo',
remove_files: [ '0.1/' ],
add_files: [
  {
    filename: '0.2/foo-0.2.tar.gz',
    fetch_url: 'https://people.torproject.org/~boklm/tmp/foo/0.2/foo-0.2.tar.gz',
    sha256sum: 'b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c',
  },
  {
    filename: '0.2/foo-0.2.tar.gz.asc',
    fetch_url: 'https://people.torproject.org/~boklm/tmp/foo/0.2/foo-0.2.tar.gz.asc',
    sha256sum: '1ffbc26a0454890427087cf9618915bfaa22689070a5b4a5a1f5c9dd88b6a8b8',
  },
  {
    filename: '0.2/README.txt',
    fetch_url: 'https://people.torproject.org/~boklm/tmp/foo/0.2/README.txt',
    sha256sum: '81965be66adc3c6c3ce9d33c3a29208a5e75b6d0de00634b6a2911f00e980664',
  },
 ],
}

Then the script receiving this mail would parse the json text to find the project name, verify the signature using the keyring corresponding to this project, remove the files or directories listed in remove_files, download the files listed in add_files and check their sha256sum, and then apply the changes to dist.tpo.

comment:11 Changed 10 months ago by boklm

Component: Internal Services/Tor Sysadmin TeamInternal Services/Service - dist
Note: See TracTickets for help on using tickets.