#4906 some form of QA access to torrent and mirror content prior to public posting

Created 5 years ago by robatino
Modified a month ago

In the last several releases, there has been a high probability that at least some of the Alpha and Beta torrents will have only unsigned checksum files (see https://fedorahosted.org/fedora-qa/ticket/237 ). No matter how quickly the problem is noticed, one is always told that it can't be fixed after public posting, since people are already downloading. Unfortunately, QA has no access prior to public posting to prevent it. There are documentation issues in releng's SOP pages that probably aggravate this problem (see the other ticket), but even if these are fixed, QA should still have a chance to check the content before it's public. A lesser problem is if the checksum files are signed more than once and different files are used on the torrents vs. mirrors (as in F15 Final). I realize there are possible secrecy issues regarding access to the signed files prior to the official release, but the mirrors are given access days in advance, and they almost always leak. QA might be able to set up some kind of AutoQA checking to minimize the amount of human access. In any case, QA could at least be given access to the .torrent files, to check the size of the checksum files. Signing adds about 1K to the size, so it would be possible to detect if the unsigned file was used. Having access to the actual signed file would be nicer, if possible, since the test could be both simpler and more reliable (verifying the signature itself).
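The size check proposed in the ticket description above, as an added example (not part of the ticket and not Fedora release engineering or QA code): it reads only the .torrent metadata and flags a checksum file too small to carry a signature. The checksum line layout, the `CHECKSUM` name suffix, the 500-byte threshold and the sample torrent are assumptions made for illustration.

```python
# Added example. Assumed (not from the ticket): unsigned checksum files hold one
# "<64 hex chars> *<filename>\n" line per image, and are named "*CHECKSUM".
SIGNATURE_OVERHEAD = 500  # assumed threshold; the ticket says signing adds about 1K

def bdecode(data, i=0):
    """Decode one bencoded value at data[i]; return (value, next_index)."""
    c = data[i:i + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                          # list or dict: l...e / d...e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            item, i = bdecode(data, i)             # raises ValueError if truncated
            items.append(item)
        if c == b"l":
            return items, i + 1
        return dict(zip(items[0::2], items[1::2])), i + 1
    colon = data.index(b":", i)                    # byte string: <len>:<bytes>
    n = int(data[i:colon])
    return data[colon + 1:colon + 1 + n], colon + 1 + n

def unsigned_checksum_files(torrent_bytes):
    """Return names of checksum files whose size suggests no signature."""
    meta, _ = bdecode(torrent_bytes)
    files = {f[b"path"][-1].decode(): f[b"length"]
             for f in meta[b"info"].get(b"files", [])}
    # Size an unsigned checksum file would have: one hash line per other file.
    baseline = sum(64 + 2 + len(name) + 1
                   for name in files if not name.endswith("CHECKSUM"))
    return [name for name, size in files.items()
            if name.endswith("CHECKSUM") and size < baseline + SIGNATURE_OVERHEAD]

def sample_torrent(checksum_size):
    """Constructed sample metadata for a two-file torrent (piece hashes omitted)."""
    def entry(name, length):
        return b"d6:lengthi%de4:pathl%d:%see" % (length, len(name), name)
    files = entry(b"Fedora-X-DVD.iso", 3_500_000_000) + \
            entry(b"Fedora-X-CHECKSUM", checksum_size)
    return b"d4:infod5:filesl" + files + b"e4:name8:Fedora-Xee"

if __name__ == "__main__":
    print(unsigned_checksum_files(sample_torrent(83)))    # bare hash line only
    print(unsigned_checksum_files(sample_torrent(1100)))  # hash line plus ~1K
```

A size match is only a heuristic; with access to the checksum file itself, verifying the signature is the simpler and more reliable test, as the description says.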

The .torrent files go live within a few minutes of their generation. They have always been there and available for download before release.

That doesn't make any sense - can you explain the technical details of how the .torrent files are generated that currently make it impossible to provide QA access in advance? Whatever they are, it's possible to change them.

Also, it doesn't necessarily have to be the .torrent files - access to the actual contents of the torrent prior to generating it would also work (and be preferable, as noted above, since the signature could be checked).

I'm saying the .torrent files already are available and always have been.

Are you saying, then, that it is in fact possible to get incorrect .torrent files changed after being posted? I've always been told this is impossible (and that impossibility is the main motivation for this ticket).

We are still waiting on this ticket in regards to QA ticket https://fedorahosted.org/fedora-qa/ticket/237 . Any news? Thanks.

Replying to [comment:7 adamwill]:

We are still waiting on this ticket in regards to QA ticket https://fedorahosted.org/fedora-qa/ticket/237 . Any news? Thanks.

See https://fedorahosted.org/fedora-qa/ticket/237#comment:9 - it needs to be clarified whether it's possible to change .torrent files after they are posted. (Up to now, everyone has told me that no, it's not, though I don't see why.)
