Open
Bug 1370612
Opened 7 years ago
Updated 1 years ago
repackage and l10n tasks need extra cot verification
Categories
(Release Engineering :: Release Automation: Other, enhancement, P1)
Tracking
(Not tracked)
NEW
People
(Reporter: mozilla, Unassigned)
References
(Blocks 1 open bug)
Details
These are non-scriptworkers that can potentially modify artifacts that ship. We assume they're taking the artifacts from the upstream build-signing task; we need to verify.
Reporter
Comment 1•7 years ago
We also need this for toolchain tasks. We have extra verification hardcoded for docker image shas, but we need a task-related solution as well.
Updated•7 years ago
Priority: -- → P1
Reporter
Updated•7 years ago
Summary: repackage tasks need extra cot verification → repackage and l10n tasks need extra cot verification
Reporter
Comment 2•7 years ago
(In reply to Aki Sasaki [:aki] from comment #1)
> We also need this for toolchain tasks. We have extra verification hardcoded
> for docker image shas, but we need a task-related solution as well.
bug 1382564 added sha verification for toolchain tasks, which is good. We don't verify the signatures there, however, so we need to double-check that the cot artifact wasn't modified before the toolchain tasks ran: ideally this would be verifying an artifact from toolchain tasks that includes shas of the upstream artifacts.
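The check proposed in comment 2, sketched as an added example (not code from this bug or from scriptworker): a downstream task publishes a manifest of the upstream artifact shas it consumed, and the verifier compares it against the upstream chain-of-trust bodies. The manifest format, the function name and the task ids are assumptions, as is the `artifacts` / `sha256` layout of the chain-of-trust body; the upstream bodies are assumed to have been verified already.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_upstream_manifest(manifest, upstream_cots, required_task_ids):
    """Return a list of (task_id, path, reason) discrepancies; empty means OK.

    manifest:          {task_id: {path: sha256}} published by the downstream
                       task (hypothetical format, assumed for this example)
    upstream_cots:     {task_id: chain-of-trust body}, assumed already verified
    required_task_ids: upstream tasks the downstream task must have consumed
    """
    problems = []
    # A downstream task that declares nothing from a required upstream may have
    # taken its input from somewhere else entirely.
    for task_id in sorted(set(required_task_ids) - set(manifest)):
        problems.append((task_id, None, "upstream task missing from manifest"))
    for task_id, paths in sorted(manifest.items()):
        cot = upstream_cots.get(task_id)
        if cot is None:
            problems.append((task_id, None, "no verified chain of trust"))
            continue
        recorded = cot.get("artifacts", {})
        for path, used_sha in sorted(paths.items()):
            expected = recorded.get(path, {}).get("sha256")
            if expected is None:
                problems.append((task_id, path, "artifact not in upstream chain of trust"))
            elif expected.lower() != used_sha.lower():
                problems.append((task_id, path, "sha256 mismatch"))
    return problems


# Constructed sample data: task id, path and contents are placeholders.
SIGNED = b"constructed signed build bytes"
PATH = "public/build/target.tar.bz2"
UPSTREAM_COTS = {"SIGNING_TASK_ID": {"artifacts": {PATH: {"sha256": sha256_hex(SIGNED)}}}}
GOOD = {"SIGNING_TASK_ID": {PATH: sha256_hex(SIGNED)}}
TAMPERED = {"SIGNING_TASK_ID": {PATH: sha256_hex(SIGNED + b"!")}}

if __name__ == "__main__":
    print(check_upstream_manifest(GOOD, UPSTREAM_COTS, ["SIGNING_TASK_ID"]))
    print(check_upstream_manifest(TAMPERED, UPSTREAM_COTS, ["SIGNING_TASK_ID"]))
```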
Reporter
Updated•2 years ago
Assignee: aki → nobody
QA Contact: catlee → gbrown
Updated•1 years ago
Severity: normal → S3