[tor-bugs] #13134 [Internal Services/Tor Sysadmin Team]: Figure out access rights to new dists.torproject.org
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Oct 11 22:03:40 UTC 2018
#13134: Figure out access rights to new dists.torproject.org
-------------------------------------------------+-------------------------
Reporter: phobos | Owner: tpa
Type: task | Status: new
Priority: Medium | Milestone: WebsiteV3
Component: Internal Services/Tor Sysadmin Team | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Changes (by boklm):
* cc: boklm (added)
* component: Internal Services/Service - dist => Internal Services/Tor Sysadmin Team
Comment:
Replying to [comment:8 arma]:
> I have memories of seeing a ticket some years ago about writing a script
> that would auto check signatures, know which developers have which keys
> and develop which software, and then you would essentially submit your new
> releases and the script would put your file in the right place.
I am wondering what the interface to talk to this script should be.
Maybe some signed email containing a JSON text with a list of
files/directories to add or remove?
For example someone releasing version 0.2 of project `foo` would upload it
to `people.torproject.org:~/public_html/tmp/foo/0.2` (or any other web
server), and send a GPG-signed email containing the following text
(probably generated using some tool):
{{{
{
  "project": "foo",
  "remove_files": [ "0.1/" ],
  "add_files": [
    {
      "filename": "0.2/foo-0.2.tar.gz",
      "fetch_url": "https://people.torproject.org/~boklm/tmp/foo/0.2/foo-0.2.tar.gz",
      "sha256sum": "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c"
    },
    {
      "filename": "0.2/foo-0.2.tar.gz.asc",
      "fetch_url": "https://people.torproject.org/~boklm/tmp/foo/0.2/foo-0.2.tar.gz.asc",
      "sha256sum": "1ffbc26a0454890427087cf9618915bfaa22689070a5b4a5a1f5c9dd88b6a8b8"
    },
    {
      "filename": "0.2/README.txt",
      "fetch_url": "https://people.torproject.org/~boklm/tmp/foo/0.2/README.txt",
      "sha256sum": "81965be66adc3c6c3ce9d33c3a29208a5e75b6d0de00634b6a2911f00e980664"
    }
  ]
}
}}}
Then the script receiving this mail would parse the JSON text to find the
project name, verify the signature using the keyring corresponding to this
project, remove the files or directories listed in `remove_files`,
download the files listed in `add_files` and check their sha256sum, and
then apply the changes to dist.tpo.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13134#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
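The receiving side of the manifest proposed in the comment above, as an added example (not part of the ticket and not Tor Project code). It assumes the mail's signature was already verified against the project's keyring, that each project owns one directory named after it, and that the fetcher is passed in; `plan_update`, `safe_relpath` and `ManifestError` are hypothetical names. Paths are confined to the project directory and every download is checked against the signed sha256sum before anything is staged.

```python
import hashlib
import json
import posixpath
import re
from urllib.parse import urlsplit

SHA256_RE = re.compile(r"[0-9a-f]{64}")
PROJECT_RE = re.compile(r"[a-z0-9][a-z0-9._-]*")

class ManifestError(ValueError):
    """Reject the whole manifest; nothing may be applied."""

def safe_relpath(project, name):
    """Map a manifest path to <project>/<path>, refusing escapes."""
    if not isinstance(name, str) or not name or name[0] == "/" or "\\" in name:
        raise ManifestError(f"bad path: {name!r}")
    norm = posixpath.normpath(name)
    if ".." in name.split("/") or norm == ".":
        raise ManifestError(f"path leaves or names the project dir: {name!r}")
    return posixpath.join(project, norm)

def plan_update(manifest_text, fetch):
    """Validate an already signature-checked manifest; fetch(url) -> bytes.
    Returns (paths_to_remove, {dest: content}) without touching the mirror."""
    try:
        m = json.loads(manifest_text)
        project = m["project"]
        if not isinstance(project, str) or not PROJECT_RE.fullmatch(project):
            raise ManifestError("bad project name")
        removals = [safe_relpath(project, p) for p in m.get("remove_files", [])]
        staged = {}
        for entry in m.get("add_files", []):
            dest = safe_relpath(project, entry["filename"])
            url, want = entry["fetch_url"], entry["sha256sum"]
            if not isinstance(url, str) or urlsplit(url).scheme != "https":
                raise ManifestError(f"non-https fetch_url for {dest}")
            if not isinstance(want, str) or not SHA256_RE.fullmatch(want):
                raise ManifestError(f"malformed sha256sum for {dest}")
            data = fetch(url)
            if hashlib.sha256(data).hexdigest() != want:
                raise ManifestError(f"sha256 mismatch for {dest}")
            staged[dest] = data
    except (KeyError, TypeError, AttributeError, json.JSONDecodeError) as exc:
        raise ManifestError(f"malformed manifest: {exc!r}") from exc
    return removals, staged

SAMPLE_BODY = b"constructed release tarball"  # constructed sample input
SAMPLE = json.dumps({"project": "foo", "remove_files": ["0.1/"], "add_files": [
    {"filename": "0.2/foo-0.2.tar.gz", "fetch_url": "https://example.org/foo.tgz",
     "sha256sum": hashlib.sha256(SAMPLE_BODY).hexdigest()}]})
```

Because the manifest is only planned here, a single bad entry rejects the whole release before any file on the mirror is removed or replaced.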