Re: [Tails-dev] About the download and verification of test …

Author: intrigeri
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] About the download and verification of test images
sajolida wrote (13 Feb 2016 12:13:49 GMT) :
> Ok, see #11117. Shall I write to phobos, weasel, someone else?


https://trac.torproject.org/projects/tor/wiki/org/operations/Infrastructure
says N/A in the Maintainers column ⇒ I would ask weasel (Cc Lunar, who
helps a bit on the rsync side IIRC).

phobos has left the Tor project.

>> Minor implementation detail: last time I checked carefully, only one
>> of the two mirrors behind this hostname was serving our stuff, which
>> is why (last time I checked) only one of those was in our round-robin
>> pool of HTTP mirrors. If it's still the case, then we cannot do what
>> you propose. This situation may very well have changed, I dunno.


> I'll check before writing to archive.torproject.org then. Now #11120.


The title of that ticket doesn't reflect what I wrote above, so
I wonder if I conveyed what I meant clearly enough: it's not about
"how many servers are behind archive.torproject.org" (that is
trivially answered by a DNS query), but about whether all of them
_actually serve our stuff_.

>> sajolida wrote (13 Jan 2016 11:55:33 GMT) :
>>> Now I see that anonym reported #10915: "Consider publishing torrents for
>>> betas and RCs" which would work great to solve the basic download
>>> verification problem. I'm all for it.
>>
>> Indeed, this would be another way to improve security for the "set of
>> Tails users who know by heart how to install an ISO without any doc,
>> but don't know how to use the WoT, and are keen to try our test
>> images". And regardless, as we see on #10915 we have good reasons to
>> do so anyway. Let's do it. sajolida, will your team take it as part of
>> the question this thread is about, or shall we organize
>> things differently?


> If I understand correctly, this would mean adjust the release process
> document to add instructions to create Torrents for release candidates
> as well, right?


I would have said that it's about checking what needs to be done,
coordinating it and making it happen :)

I've had a look to help with the 1st part.

Our release process doc already makes us generate a Torrent and its
detached signature, even for RC:s (check for yourself: the "Generate
the OpenPGP signatures and Torrents" seems to have no condition
attached). It also makes us seed this Torrent unconditionally.

So what needs to be done is:

* in the "Update the website and Git repository" section: don't skip
the Torrent publication steps when preparing a RC; also deal with
cleaning RC:s' Torrent files later; indeed anonym or I would be the
best placed to do that, although bertagaz should be able to do it too

* on our call for testing (non-existing yet) "template": link to the
Torrent, its signature, and the corresponding documentation;
I guess that you (sajolida) would be better placed to handle it.