Opened 7 years ago

Last modified 4 weeks ago

#3980 assigned enhancement

gettor should deliver checksums of our packages

Reported by: arma
Owned by:
Priority: Medium
Milestone:
Component: Applications/GetTor
Version:
Severity: Normal
Keywords:
Cc: sukhbir.in@…, poly@…, ilv@…
Actual Points:
Parent ID: #9036
Points:
Reviewer:
Sponsor:

Description (last modified by traumschule)

Some people can't fetch the full packages over gmail, because they're too big, because their gmail interactions are throttled, or because their Internet connection sucks too much to fetch 30MB.

We should deliver checksums with the download links, with instructions on how to compare them (#3893). Then they can get their Tor from wherever, and verify it.

Change History (13)

comment:1 Changed 7 years ago by arma

Priority: normal → major

comment:2 Changed 7 years ago by kaner

Owner: set to kaner
Status: new → assigned

How about letting the user send an email with the trigger word "checksums" in the body of their email to GetTor?

The answer would include all currently known checksums.

GetTor could keep a checksums.txt file around that gets updated with every GetTor -p run (-p is how GetTor builds the packages to send out from the packages under /dist/).

comment:3 Changed 5 years ago by sukhbir

Cc: sukhbir.in@… added

comment:4 Changed 4 years ago by poly

Status: assigned → needs_review

I have implemented this feature and wanted to ask for feedback before submitting. I have modified "core.py" and "smtp.py" to support an additional type of request - "checksum". If the word checksum (case insensitive) matches anywhere in the email body, a list of all stored checksums in the email's locale is sent.

Here is sample output: http://pastebin.com/raw.php?i=VwbK8s4w
Find the actual implementation here: https://github.com/0xPoly/gettor

Thoughts?

comment:5 Changed 4 years ago by poly

Cc: poly@… added

comment:6 Changed 4 years ago by ilv

Cc: ilv@… added
Priority: major → normal

comment:7 Changed 4 years ago by ilv

The code looks good, but I'm not sure if this is the way we want to do it? I mean, to look for the checksums you open the links file and do some regexp, but this depends on the format of the message, which may change in the future. What if we add this feature in the scripts that upload the bundles to cloud services? We could generate a sha_checksums.txt file after the files have been uploaded, and all we have to do to send the checksums would be to send the contents of that file.

comment:8 Changed 4 years ago by ilv

After we automate the process of delivering the latest Tor Browser we could use this file: https://dist.torproject.org/torbrowser/{{latest_version}}/sha256sums.txt (e.g. https://dist.torproject.org/torbrowser/4.0.3/sha256sums.txt)

comment:9 Changed 12 months ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"

comment:10 Changed 8 weeks ago by traumschule

Description: modified (diff)
Owner: changed from kaner to traumschule
Status: needs_review → assigned
Summary: gettor should have a way to mail you sha1sums of our packages → gettor should deliver checksums of our packages

+1 for delivering checksums and instructions in the email

comment:11 Changed 6 weeks ago by traumschule

A code draft to add signature links and checksums is already in place:
http://jqs44zhtxl2uo6gk.onion/gettor.git/tree/gettor/core.py#n269

I suggest adding simple instructions on how to verify them to the README:
https://github.com/TheTorProject/gettorbrowser/

Please tell me if you have other ideas.

comment:12 Changed 6 weeks ago by traumschule

Parent ID: #9036

Let #9036 adopt some children.

comment:13 Changed 4 weeks ago by traumschule

Owner: traumschule deleted

Won't have a chance to do this during the next weeks.
