Reworking the Firefox hotfix update script (import-installers.py) should make it less likely for future hotfixes to have incorrect URLs. This was a problem in bug 1061975 when the URL was changed to point to ftp.mozilla.org directly instead of our CDN, which brought down ftp.mozilla.org.

I suggest going with checking that the certificate of the download is trusted and that the certificate's issuer and name are the values that we expect. Then it can just use http://download.mozilla.org/?os=win&lang=@AB_CD@&product=firefox-latest as the download url without having to update the hashes and file sizes for each locale when there is a new release.

BTW: this was recommended during the creation of the hotfix but for some reason unknown to me the more complicated approach was taken. It should also be possible to do all of this in NSIS, replace the statically linked exe used by the hotfix with the same NSIS executable, and thereby reduce the complexity and the add-on size since the NSIS exe will be significantly smaller.

I should have mentioned that this bug is an action item from the ftp outage postmortem: https://etherpad.mozilla.org/postmortem-ftpoutage-20141203-bug1107156 Reworking the script should reduce the risk of another bustage while we consider/develop the certificate checking.

Makes sense. This would be a good protective measure to check that it is pointing at 'download.mozilla.org' either way.

This should do it. Unfortunately, I seem to be unable to run the import-installers.py script in my virtualenv. The signature verification of the SHA512SUMS file fails with 'bad signature'. I believe this is a problem with my virtualenv and not any of my changes here for the following reasons: 1. The signature verification also fails without this patch applied. 2. The signature verifies successfully when I verify it manually, i.e. without the import-installers.py script. 3. If I comment out the verification step, the script runs successfully and outputs file sizes and hashes in json format. One question that I had was whether or not I should create a new directory with this change, or apply it to the script in the v20140527.01 directory. Will the next update hotfix have a separate directory, or will we use this same directory again?

That's up to you.

Personally, I'd favor a new directory for the next hotfix. Here is a patch that does just that.

Comment on attachment 8537264 [details] [diff] [review] Diff Keeping this patch around to more easily identify the code changes in the patch that creates a new directory.

Backed out previous patch for using hg add instead of hg copy: http://hg.mozilla.org/releases/firefox-hotfixes/rev/9e9671f4c4e4

This patch now uses hg copy. Received r+ from rstrong via irc.