Closed
Bug 640168
Opened 14 years ago
Closed 8 years ago
push to mirrors should verify that nothing has changed since the virus scan / permissions check
Categories
(Release Engineering :: Release Automation: Other, defect, P5)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: bhearsum, Unassigned)
References
Details
(Whiteboard: [automation][releases])
Recently we started running the permissions check and virus scan well ahead of pushing to mirrors. This is great for getting those things out of the critical path but it leaves us vulnerable to attack if someone modifies files between those checks and pushing to mirrors. We should verify that nothing changes between those checks and pushing.
One idea to do this is to use "--out-format=%B %l %M %U %G %f" when running the "rsync -n -av ...". This will print out file sizes, permissions, owners, groups, modified times, and the file names. Then, at the start of push to mirrors we should re-run that rsync and compare the output. If those match there should be no reason to check file hashes, because those are already in *SUMS, which we've verified haven't changed.
Doing the above reduces our exposure window significantly; I don't think it eliminates it completely, though. If we do it, we should probably wait until the permissions checks and virus scan are done before running the rsync -n.
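The re-check proposed in the description, as an added example (not code from this bug or from the release automation): it swaps the `rsync -n --out-format` listing for an equivalent `os.lstat` manifest so it runs without rsync, and the file names and contents are constructed. Metadata alone does not prove contents are unchanged; as the description says, that is left to the already-verified *SUMS files.

```python
import os
import stat
import tempfile

FIELDS = ("size", "mode", "mtime", "uid", "gid")

def snapshot(root):
    """Map each relative path under root to (size, mode, mtime, uid, gid)."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: record a symlink itself, never its target
            is_dir = stat.S_ISDIR(st.st_mode)
            # Directory size/mtime move with every add/remove, which is reported per path.
            manifest[os.path.relpath(full, root)] = (
                0 if is_dir else st.st_size, stat.filemode(st.st_mode),
                0 if is_dir else st.st_mtime_ns, st.st_uid, st.st_gid)
    return manifest

def diff_manifests(before, after):
    """Return sorted (path, reason) pairs for every entry that differs."""
    changes = []
    for path in sorted(set(before) | set(after)):
        if path not in after:
            changes.append((path, "removed"))
        elif path not in before:
            changes.append((path, "added"))
        elif before[path] != after[path]:
            names = [f for f, b, a in zip(FIELDS, before[path], after[path]) if b != a]
            changes.append((path, "changed: " + ",".join(names)))
    return changes

def demo():
    """Constructed release directory: snapshot, re-check, modify, re-check."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("setup.exe", b"constructed installer"),
                           ("SHA512SUMS", b"constructed sums")):
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, 0o644)
        before = snapshot(root)  # taken once virus scan + permissions check finish
        clean = diff_manifests(before, snapshot(root))
        os.chmod(os.path.join(root, "setup.exe"), 0o755)  # simulated modification
        with open(os.path.join(root, "extra.dll"), "wb") as fh:
            fh.write(b"constructed")
        tampered = diff_manifests(before, snapshot(root))  # start of push to mirrors
        return clean, tampered
```

A push job would abort whenever the second list is non-empty and log the listed paths for investigation.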
Updated•13 years ago
Blocks: hg-automation
Reporter
Updated•13 years ago
No longer blocks: hg-automation
Reporter
Comment 2•13 years ago
Mass move of bugs to Release Automation component.
Blocks: hg-automation
Component: Release Engineering → Release Engineering: Automation (Release Automation)
Reporter
Updated•13 years ago
No longer blocks: hg-automation
Assignee
Updated•11 years ago
Product: mozilla.org → Release Engineering
Comment 4•8 years ago
The files we upload are write-only-once, so this should be addressed.
Status: NEW → RESOLVED
Closed: 8 years ago
QA Contact: rail
Resolution: --- → FIXED