Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#19854 closed defect (fixed)

Fix URLs in the downloads.json file

Reported by: boklm Owned by: boklm
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: TorBrowserTeam201608R
Cc: tbb-team Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Following changes from #19202, the URLs in the downloads.json file (added in #16551) are broken.

Child Tickets

Attachments (1)

0001-Bug-16551-fix-URLs-in-downloads.json-file.patch (5.1 KB) - added by boklm 3 years ago.

Download all attachments as: .zip

Change History (11)

comment:1 Changed 3 years ago by boklm

Keywords: TorBrowserTeam201608R added
Status: newneeds_review

I attached a patch to fix that.

Additionally, this should make updating the config.yml file for a new release a little easier, as there is no more a version to update in the download_url option.

I checked on 6.5a2 that with make update_responses-alpha the xml files generated are the same with or without the patch, and the URLs in downloads.json are fixed.

comment:2 Changed 3 years ago by gk

Resolution: fixed
Status: needs_reviewclosed

Fixed on master, maint-6.0 and hardened-builds (858cdf3e315b068277c9e6bda7ef6108498a85b5, f9d27acb00da3a44206024a6ee3549173d61e6fa and ce5edcb55cee57b56ea3577474232e85464ff78e).

comment:3 Changed 3 years ago by yawning

Resolution: fixed
Status: closedreopened

Is this supposed to be fixed in the live files currently deployed? As far as I can tell, all of them in the alpha channel json file 404.

Eg: https://dist.torproject.org/torbrowser/update_2/alpha/downloads.json (302 redirect -> https://aus1.torproject.org/torbrowser/update_2/alpha/downloads.json)

comment:4 Changed 3 years ago by boklm

This is fixed on the release channel. For the alpha and hardened channels, this should be fixed tomorrow when we publish the new release.

comment:5 Changed 3 years ago by yawning

Ok. For the sake of my sanity, is the redirect situation to aus1.torproject.org going to be an ongoing thing, or is the downloads.json file going to be on dist.torproject.org?

I'd like the redirect to go away if possible, since I want to pin the entire cert chain that I use to fetch said file...

If this is getting fixed tomorrow then I'll just re-close this I guess.

comment:6 Changed 3 years ago by yawning

Resolution: fixed
Status: reopenedclosed

Closing again, since the situation was clarifed.

comment:7 in reply to:  5 ; Changed 3 years ago by boklm

Replying to yawning:

Ok. For the sake of my sanity, is the redirect situation to aus1.torproject.org going to be an ongoing thing, or is the downloads.json file going to be on dist.torproject.org?

I'd like the redirect to go away if possible, since I want to pin the entire cert chain that I use to fetch said file...

Currently, the internal updater is using http://www.torproject.org/dist/torbrowser/update_2/ URLs, which is redirected to dist.tpo for the stable and aus1.tpo for the alpha. At some point we want to change the URL to aus1.tpo directly (and have a redirect on the old URLs for the older browsers). We have #19481 for that.

comment:8 in reply to:  7 Changed 3 years ago by boklm

Replying to boklm:

Currently, the internal updater is using http://www.torproject.org/dist/torbrowser/update_2/ URLs, which is redirected to dist.tpo for the stable and aus1.tpo for the alpha. At some point we want to change the URL to aus1.tpo directly (and have a redirect on the old URLs for the older browsers). We have #19481 for that.

Contrary to what I said before, we'll be moving back the alpha and hardened channels to dist.tpo, until we have pinning for aus1.tpo.

comment:9 Changed 3 years ago by yawning

Will the move back happen in the upcoming release? Or rather, assuming I am writing code now, that uses the downloads.json file and the auto-update related xml files, and that I will likely publish it after the next release happens, can I rip out the support for handling different hostnames now?

comment:10 in reply to:  9 Changed 3 years ago by boklm

Replying to yawning:

Will the move back happen in the upcoming release? Or rather, assuming I am writing code now, that uses the downloads.json file and the auto-update related xml files, and that I will likely publish it after the next release happens, can I rip out the support for handling different hostnames now?

I opened ticket #20219 to ask sysadmins to update the redirects. I think the URL you should use is https://www.torproject.org/dist/torbrowser/update_2/alpha/downloads.json which will redirect to dist.tpo (when #20219 is done). When we have pinning for aus1.tpo we will update the redirects to point there instead of dist.tpo, so keeping support for handling different hostnames can be useful.

Note: See TracTickets for help on using tickets.