[tor-bugs] #27438 [Applications/Tor Browser]: Android Gradle Build Downloads

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Oct 18 02:18:25 UTC 2018 

#27438: Android Gradle Build Downloads
-------------------------------------------------+-------------------------
 Reporter:  sisbell                              |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:
                                                 |  needs_revision
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-rbm, tbb-mobile,                 |  Actual Points:
  TorBrowserTeam201810                           |
Parent ID:  #26693                               |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by sisbell):

 Replying to [comment:15 boklm]:
 > Looking at the content of https://github.com/sisbell/tor-android-
 repo/blob/master/download-urls-1.0.txt and the content of the `maven-
 repo-1.0.tar.gz` archive, it seems that the archive simply contains the
 files listed in `download-urls-1.0.txt` in the same directories as the
 URLs. Is there more than that in the process to generate the maven repo?
 If not then it seems to me a little overkill to require a rust program to
 generate that archive.
 >
 > I think we could add sha256sums to the `download-urls-1.0.txt` file, and
 then it would not be very complicate to write a shell script that download
 each file, check its checksum, extract the directory from the URL and move
 the file to that directory. We could then use this script within an `exec`
 of an `input_file`, similarly to what is done in `projects/firefox-
 langpacks/config`.
 >
 > I only looked at the content of `maven-repo-1.0.tar.gz` quickly, so I
 may have missed something. Is there something that I missed in the process
 of generating the maven repo?
 >> Its a little more complicated but not by much. Basically, it checks
 extensions to see if it has gpg signature for an artifact and if so then
 verifies it with a key from key server. If there is no gpg sig, then it
 looks for a sha2 file and verifies that. If there is no sha2, then it just
 generates one and flags it. (it could go on to check sha1, md5 but I
 didn't implement that). I'm ok either way with script or artc. Would that
 require different scripts for each platform we build on?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27438#comment:17>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list