[tbb-bugs] #27438 [Applications/Tor Browser]: Android Gradle Build Downloads
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Oct 18 23:49:57 UTC 2018
#27438: Android Gradle Build Downloads
-------------------------------------------------+-------------------------
Reporter:  sisbell                               | Owner:  tbb-team
Type:  defect                                    | Status:  needs_review
Priority:  Medium                                | Milestone:
Component:  Applications/Tor Browser             | Version:
Severity:  Normal                                | Resolution:
Keywords:  tbb-rbm, tbb-mobile,                  | Actual Points:
           TorBrowserTeam201810R                 |
Parent ID:  #26693                               | Points:
Reviewer:                                        | Sponsor:
-------------------------------------------------+-------------------------
Comment (by sisbell):
Replying to [comment:18 boklm]:
> Replying to [comment:17 sisbell]:
>
> > > > > It's a little more complicated, but not by much. Basically, it
> > > > > checks extensions to see if it has a gpg signature for an artifact and,
> > > > > if so, verifies it with a key from a key server. If there is no gpg sig,
> > > > > then it looks for a sha2 file and verifies that. If there is no sha2,
> > > > > then it just generates one and flags it. (It could go on to check sha1
> > > > > and md5, but I didn't implement that.) I'm ok either way with script or
> > > > > artc. Would that require different scripts for each platform we build on?
>
> If I understand correctly the sources of artc, a signature made by any
> key that is available on pgp.mit.edu will be accepted, so that does not
> seem very useful, as anybody can generate a key and upload it there. A sha
> file that is hosted on the same server as the file we download is also not
> very useful, as someone able to modify the file on the server will probably
> also be able to modify the sha file too.
>
> In branch `bug_27438` I added a script, in an `input_files`, that
> downloads all the URLs from `gradle-dependencies-list.txt`, checks that
> the files match the expected sha256sums, and moves them to the same
> directory as in their URL:
> https://gitweb.torproject.org/user/boklm/tor-browser-build.git/commit/?h=bug_27438&id=ba47a5262a31039ef519b0655cbfe221dcb71b8b
>
> After running this I'm getting the same content as `maven-repo-1.0.tar.gz`.
> If that looks good to you, you can add the patch to your branch.

Looks good. I'll apply the patch shortly.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27438#comment:19>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
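The pinned-checksum approach boklm describes above, as an added illustration that is not the script from the `bug_27438` branch: a POSIX shell fetcher that reads a dependency list in an assumed format of `<sha256>  <url>` per line (the real layout of `gradle-dependencies-list.txt` is not shown in this thread), downloads each artifact, discards anything whose digest differs from the value pinned in the build tree, and places accepted files under the directory path taken from their URL. Because the expected digests live with the build, a file (or `.sha` file) altered on the mirror, or a signature from an arbitrary keyserver key, cannot get an artifact into the repository.

```shell
#!/bin/sh
# Added example (not the tor-browser-build script): verify Gradle/Maven
# downloads against sha256 values pinned in the build tree, then lay them
# out as a local repository mirroring each URL's path.
# Assumed list format, one artifact per line:  <sha256>  <url>
set -eu

sha256_of() {
    # Hex digest of a file; falls back to shasum where sha256sum is absent.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

repo_path_for() {
    # Drop scheme and host; the remainder of the URL is the repo-relative path.
    printf '%s\n' "$1" | sed -e 's|^[a-z][a-z0-9+.-]*://[^/]*/||'
}

verify_and_place() {
    # $1 downloaded file, $2 pinned sha256, $3 source URL, $4 repo root.
    # A mismatch deletes the download and returns 1 so it never enters the repo.
    actual=$(sha256_of "$1")
    if [ "$actual" != "$2" ]; then
        echo "sha256 mismatch for $3: expected $2, got $actual" >&2
        rm -f "$1"
        return 1
    fi
    dest="$4/$(repo_path_for "$3")"
    mkdir -p "$(dirname "$dest")"
    mv "$1" "$dest"
    printf '%s\n' "$dest"
}

fetch_list() {
    # $1 dependency list, $2 repo root. Under set -e the first bad
    # checksum aborts the whole fetch rather than leaving a partial repo.
    while read -r sum url; do
        case "$sum" in ''|'#'*) continue ;; esac
        tmp=$(mktemp)
        curl -fsSL -o "$tmp" "$url"
        verify_and_place "$tmp" "$sum" "$url" "$2"
    done < "$1"
}
```

Running `fetch_list gradle-dependencies-list.txt maven-repo` against the assumed list format produces a `maven-repo` tree that can be tarred up the same way as the `maven-repo-1.0.tar.gz` mentioned above.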