[tor-bugs] #13134 [Internal Services/Tor Sysadmin Team]: Figure out access rights to new dists.torproject.org

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Oct 11 22:03:40 UTC 2018 

#13134: Figure out access rights to new dists.torproject.org
-------------------------------------------------+-------------------------
 Reporter:  phobos                               |          Owner:  tpa
     Type:  task                                 |         Status:  new
 Priority:  Medium                               |      Milestone:
                                                 |  WebsiteV3
Component:  Internal Services/Tor Sysadmin Team  |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:                                       |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by boklm):

 * cc: boklm (added)
 * component:  Internal Services/Service - dist => Internal Services/Tor
     Sysadmin Team


Comment:

 Replying to [comment:8 arma]:
 > I have memories of seeing a ticket some years ago about writing a script
 that would auto check signatures, know which developers have which keys
 and develop which software, and then you would essentially submit your new
 releases and the script would put your file in the right place.

 I am wondering what the interface to talk to this script should be.

 Maybe some signed email containing a json text with a lists of
 files/directories to add or remove?

 For example someone releasing version 0.2 of project `foo` would upload it
 to `people.torproject.org:~/public_html/tmp/foo/0.2` (or any other web
 server), and send a gpg signed email containing the following text
 (probably generated using some tool):
 {{{
 {
 project: 'foo',
 remove_files: [ '0.1/' ],
 add_files: [
   {
     filename: '0.2/foo-0.2.tar.gz',
     fetch_url:
 'https://people.torproject.org/~boklm/tmp/foo/0.2/foo-0.2.tar.gz',
     sha256sum:
 'b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c',
   },
   {
     filename: '0.2/foo-0.2.tar.gz.asc',
     fetch_url:
 'https://people.torproject.org/~boklm/tmp/foo/0.2/foo-0.2.tar.gz.asc',
     sha256sum:
 '1ffbc26a0454890427087cf9618915bfaa22689070a5b4a5a1f5c9dd88b6a8b8',
   },
   {
     filename: '0.2/README.txt',
     fetch_url:
 'https://people.torproject.org/~boklm/tmp/foo/0.2/README.txt',
     sha256sum:
 '81965be66adc3c6c3ce9d33c3a29208a5e75b6d0de00634b6a2911f00e980664',
   },
  ],
 }
 }}}

 Then the script receiving this mail would parse the json text to find the
 project name, verify the signature using the keyring corresponding to this
 project, remove the files or directories listed in `remove_files`,
 download the files listed in `add_files` and check their sha256sum, and
 then apply the changes to dist.tpo.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13134#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list