Opened 6 years ago

Closed 6 years ago

#8338 closed enhancement (fixed)

Write source mirror watch scripts

Reported by: ioerror
Owned by: erinn
Priority: High
Milestone:
Component: Applications/Tor bundles/installation
Version:
Severity:
Keywords: MikePerry201304
Cc: mikeperry, erinn, sebastian, arma
Actual Points: 4
Parent ID: #8288
Points:
Reviewer:
Sponsor:

Description

We need watch scripts for all of the software that we depend on - so we get an email/im/irc message to tell us that a dependency has updated.

Change History (2)

comment:1 Changed 6 years ago by mikeperry

Actual Points: 3
Keywords: MikePerry201304 added
Status: new → needs_review
Summary: Watch scripts → Write source mirror watch scripts

I just pushed a set of watch scripts to mikeperry/ticket8338. I think these scripts will allow us to deploy #8286. Please have a look and tell me what you think. There are two scripts you should focus on:

  1. This script is meant to be run on people.torproject.org to keep our source mirror up to date:

https://gitweb.torproject.org/mikeperry/torbrowser.git/blob/ticket8338:/watch-scripts/fetch-thirdparty.sh

  2. This script is meant to be run on arbitrary machines run by other people, to verify the integrity of our mirror against tampering and targeted MITM:

https://gitweb.torproject.org/mikeperry/torbrowser.git/blob/ticket8338:/watch-scripts/verify-mirror.sh

Both scripts are meant to be run from cron. They should be silent except in the case of error.

I think that if enough people run that verification script, it is a better solution than requiring manual hash updates in the Makefiles (#8283).
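One way a cron-run verifier could compare a source mirror against upstream, as an added example that is not the ticket's verify-mirror.sh. The function names, the two-directory layout (both copies already downloaded) and the state-file format are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (hypothetical; not the project's verify-mirror.sh).
# check_mirror MIRROR_DIR UPSTREAM_DIR STATE_FILE
#   MIRROR_DIR    files as downloaded from the source mirror
#   UPSTREAM_DIR  the same files downloaded independently from upstream
#   STATE_FILE    digests pinned on first sight ("<sha256>  <name>" lines)
# Prints nothing on success, so cron only sends mail when a check fails.
# Assumes file names without whitespace.

digest() { sha256sum "$1" | cut -d' ' -f1; }

check_mirror() {
    mirror=$1; upstream=$2; state=$3; failures=0
    touch "$state"
    for path in "$mirror"/*; do
        [ -f "$path" ] || continue
        name=$(basename "$path")
        got=$(digest "$path")
        ok=1

        # 1. The mirror copy must match what upstream serves to this machine.
        if [ ! -f "$upstream/$name" ]; then
            echo "MISSING upstream copy: $name" >&2; ok=0
        elif [ "$got" != "$(digest "$upstream/$name")" ]; then
            echo "MISMATCH mirror vs upstream: $name" >&2; ok=0
        fi

        # 2. A published source file must never change after first sight.
        pinned=$(awk -v n="$name" '$2 == n { print $1; exit }' "$state")
        if [ -n "$pinned" ] && [ "$pinned" != "$got" ]; then
            echo "CHANGED since first seen: $name" >&2; ok=0
        elif [ -z "$pinned" ] && [ "$ok" -eq 1 ]; then
            # Pin only digests that passed check 1.
            printf '%s  %s\n' "$got" "$name" >> "$state"
        fi
        [ "$ok" -eq 1 ] || failures=$((failures + 1))
    done
    [ "$failures" -eq 0 ]
}
```

Because each verifier keeps its own state file and fetches over its own network path, a file swapped for only some clients shows up as a mismatch on those machines even when the mirror operator sees nothing wrong.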

comment:2 Changed 6 years ago by mikeperry

Actual Points: 3 → 4
Resolution: fixed
Status: needs_review → closed

These are now merged. We should get some people to actually run the verify-mirror.sh script.