We should prune torrent to just the releases supported by Fedora: N-1, N and prune everything else from the server. Email which sparked this:
On Mon, 3 Jun 2019 at 10:10, email@example.com wrote:
Just to point out the problematic download and security layout on your website. The spins page lists links to download the latest versions. The alternative downloads page (https://torrent.fedoraproject.org/) lists numerous releases, including security and older versions of the spins. Unfortunately, no direct download is provided for older versions of spins, only torrents. Worse, the available checksums on the verification page, which includes signature verification using older version keys, are only for current (30) versions, with none provided for older versions including 28. The actual link at the foot of the torrents list redirects to another page (https://fedoraproject.org/wiki/Distribution/Download/BitTorrent), which in turn links to the installation guide, which in turn links to an outdated verification page which then links back to the getfedora.org page. None of these provide a means to verify a single version of Fedora other than the latest spins. External download pages like those at www.getmyos.com lack verification means. A single University mirror retains older versions, thankfully with checksums, though these cannot be verified at the fedora site itself.
I suggest at least including prominent verification checksums for all torrent versions, which in turn could also be used where isos are downloaded from external sources.
Metadata Update from @smooge:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: deprecated, downloads
Removed the old torrent files:
[root@torrent02 torrent-generator][PROD]# cd /srv/torrent/torrent-generator
[root@torrent02 torrent-generator][PROD]# mv 28.ini 28.ini.old
[root@torrent02 torrent-generator][PROD]# mv 29.ini 29.ini.old
[root@torrent02 torrent-generator][PROD]# mv 30_Beta.ini 30_Beta.ini.old
But also, we haven't been seeding any of these for a long while... but I guess someone else could have been.
The org comment is also mistaken: when you download a torrent, it downloads the checksum file (gpg signed) with it. You can check the gpg signature, then check the checksum. Having old gpg keys around is a websites bug.
Perhaps @mohanboddu could add this step to the eol SOP for releng when a release goes eol?
Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)
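The verification order described in the comment above (check the GPG signature on the checksum file first, then check the checksum), as an added example that is not part of the original ticket or of Fedora's tooling. It assumes BSD-style `SHA256 (name) = hex` lines in the checksum file and a binary keyring of release keys obtained separately; the function names and the command-line layout are hypothetical.

```python
import hashlib
import re
import subprocess
from pathlib import Path

# BSD-style digest line, the layout assumed here for a *-CHECKSUM file.
DIGEST_LINE = re.compile(
    r"^(?P<algo>SHA256|SHA512) \((?P<name>[^/]+)\) = (?P<hex>[0-9a-f]+)$")

def signed_body(checksum_file, keyring):
    """Return the clearsigned text, but only if gpg accepts the signature."""
    # Only keys in `keyring` (release keys obtained separately) are consulted;
    # check=True raises CalledProcessError on a bad or unknown signature.
    out = subprocess.run(
        ["gpg", "--no-default-keyring", "--keyring",
         str(Path(keyring).resolve()), "--decrypt", str(checksum_file)],
        check=True, capture_output=True)
    return out.stdout.decode()

def parse_digests(text):
    """Map file name -> (algorithm, hex digest) from verified text."""
    digests = {}
    for line in text.splitlines():
        m = DIGEST_LINE.match(line.strip())
        if m:
            digests[m["name"]] = (m["algo"].lower(), m["hex"])
    return digests

def check_file(path, digests):
    """Return 'ok', 'mismatch' or 'unlisted' for one downloaded file."""
    entry = digests.get(Path(path).name)
    if entry is None:
        return "unlisted"  # not covered by the signature: do not trust it
    algo, expected = entry
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return "ok" if h.hexdigest() == expected else "mismatch"

if __name__ == "__main__":
    import sys  # usage (hypothetical): verify.py CHECKSUM keyring.gpg image.iso
    listed = parse_digests(signed_body(sys.argv[1], sys.argv[2]))
    print(check_file(sys.argv[3], listed))
```

Digests are read only from the text gpg emits after accepting the signature, so lines added to the file outside the signed section are never compared against.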