Feature #7653

Write a script to download and verify ISO images from all active mirrors

Added by Anonymous 2014-07-24 17:40:14. Updated 2015-01-04 18:55:44.

Status: Resolved
Priority: Normal
Assignee: ioerror
Category: Infrastructure
Target version:
Start date: 2014-07-24
Due date:
% Done: 0%
Feature Branch:
Type of work: Test
Blueprint:
Starter: 0
Affected tool: check-mirrors
Deliverable for:
Description

It would be cool to have a (bash?) script which does a

* host dl.amnesia.org
* then for each entry downloads the current iso
* outputs size, sha256sum and verifies the signature to a file

so we can verify if the mirrors have synced correctly.


History

#1 Updated by intrigeri 2014-07-24 20:23:55

We have one. I don’t think its content and way of working are considered as public info (yet?), though.

#2 Updated by ioerror 2014-07-24 21:02:17

I started to write such a script - shall I abandon it or should we publish both? Or something else?

#3 Updated by Anonymous 2014-07-24 21:52:21

I think there might be a misunderstanding.

Today, we tried to check 29 mirrors for faulty ISO images which have been reported by users - by hand.

That is why I suggested to write a script, using only publicly available data (host dl.a.b.o => download iso, check size, checksum, gpg verify, dump all this to a text file).

So, I suppose that the existing script contains information which is not public, and thus might stay secret :) However, it’d be cool to be able to verify the mirrors independently in a case like the one which I just described. Or am I missing something here?

#4 Updated by ioerror 2014-07-24 22:49:32

  • File 0001-A-simple-mirror-check-script.patch added (attachment since deleted)

I’ve written the script and it looks like the following when it runs:

```
./check_mirrors.sh

Mirror health report for Tails version 1.1 run on Thu, 24 Jul 2014 22:39:52 +0000.
We are checking 22 mirrors for Tails 1.1.


Fetching Tails 1.1 ISO from 83.212.104.246:
83.212.104.246.iso     file size: 1099026432
83.212.104.246.iso sha256sum: 20765809188c1e2630735023311e6f46b563ccddcca85d814656036d6afcee8f

Fetching Tails GnuPG signature from 83.212.104.246:
83.212.104.246.iso.sig file size: 1099026432
83.212.104.246.iso.sig sha256sum: 9c1edef726b1918ba11d70806ec8d17cef57ab298bd39f731d133b714392d26a

gpg --verify 83.212.104.246.iso.sig 83.212.104.246.iso reports:
gpg: Signature made Tue Jul 22 15:30:31 2014 UTC using RSA key ID BE2CD9C1
gpg: Good signature from "Tails developers (signing key) <tails@boum.org>"
gpg:                 aka "T(A)ILS developers (signing key) <amnesia@boum.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0D24 B36A A9A2 A651 7878  7645 1202 821C BE2C D9C1

...
```

#5 Updated by intrigeri 2014-07-24 23:07:07

> [...]
> Fetching Tails GnuPG signature from 83.212.104.246:
> 83.212.104.246.iso.sig file size: 1099026432
> [...]

This seems to be a very large detached signature. Bug?
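Added example, not part of the ticket or of the attached patch: shell functions for the comparison step the description asks for, run over files already downloaded as `<mirror>.iso` and `<mirror>.iso.sig` (the naming in the report above). They include a size check that flags an oversized `.sig` like the one noticed here; `MAX_SIG_BYTES`, `KEYRING` and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example. Usage: check_mirror_dir DIR SHA256_FROM_A_TRUSTED_SOURCE
# Optional: KEYRING=/path/to/keyring holding ONLY the expected signing key,
# so gpgv rejects a "good" signature made by any other key.

MAX_SIG_BYTES=4096   # assumed ceiling; a detached OpenPGP signature is small

file_size()   { wc -c < "$1" | tr -d ' '; }
file_sha256() { sha256sum "$1" | cut -d' ' -f1; }

# Prints one report line per mirror; returns non-zero if any mirror is flagged.
check_mirror_dir() {
    dir="$1"; expected="$2"; bad=0
    for iso in "$dir"/*.iso; do
        [ -e "$iso" ] || continue
        name=$(basename "$iso" .iso)
        sig="$iso.sig"
        size=$(file_size "$iso")
        sum=$(file_sha256 "$iso")
        status=OK
        if [ "$sum" != "$expected" ]; then
            status=HASH_MISMATCH
        elif [ ! -s "$sig" ]; then
            status=SIG_MISSING
        elif [ "$(file_size "$sig")" -gt "$MAX_SIG_BYTES" ]; then
            # A .sig as large as the ISO means the wrong file was fetched
            # or measured, whatever gpg later says about it.
            status=SIG_TOO_LARGE
        elif [ -n "$KEYRING" ] &&
             ! gpgv --keyring "$KEYRING" "$sig" "$iso" >/dev/null 2>&1; then
            status=SIG_INVALID
        fi
        [ "$status" = OK ] || bad=$((bad + 1))
        printf '%s size=%s sha256=%s status=%s\n' \
            "$name" "$size" "$sum" "$status"
    done
    [ "$bad" -eq 0 ]
}
```

With `KEYRING` unset the signature itself is not verified, only its presence and size.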

#6 Updated by ioerror 2014-07-24 23:11:29

Whoops, I had a typo - I’ll update the patch.

#7 Updated by ioerror 2014-07-24 23:13:15

  • File deleted (0001-A-simple-mirror-check-script.patch)

#8 Updated by ioerror 2014-07-24 23:14:25

I’ve updated the patch to fix a simple typo; it replaces the old patch that I have deleted.

#9 Updated by sajolida 2014-07-25 09:43:40

  • Category set to Infrastructure
  • Status changed from New to Resolved

We already have this. It’s called `check-mirrors` and is coded in Ruby.
But it’s too ugly to be hosted on a public repo :)

Tickets like Feature #7487 can prove its existence.

#10 Updated by intrigeri 2014-07-25 10:00:14

> We already have this.

Some “we” has it, but as demonstrated on this ticket, there’s a need for other people to have it too. Especially when they’re taking care of something “we” have not been able to do in a timely manner in the last few days, causing much user confusion, and quite a lot of user support overhead on IRC. So, IMO, closing this ticket as Resolved just does not work.

> It’s called `check-mirrors` and is coded in Ruby.
> But it’s too ugly to be hosted on a public repo :)

I don’t think the ugliness of the code is a good enough reason, in itself, to go on hiding it.

The historical reason to keep some obscurity around this topic is that we would like to make it slightly harder for a malicious mirror operator to 1. know that we’re checking what they are serving; 2. know exactly how, when, and from what IPs we are doing it.

However, the setup used to run this script is now documented in a public Puppet module, so I don’t think these reasons really hold anymore. Also, it would be good to allow others to use (and possibly improve) the code, as demonstrated on this ticket. So, I’m now in favour of publishing our script.

With all this in mind, sajolida, what do you think?

#11 Updated by ioerror 2014-07-25 12:15:52

I would encourage merging my patch, keeping your script private and if people need to check the mirror - they won’t have to recreate the work I’ve already done.

#12 Updated by sajolida 2014-07-26 07:44:58

> Especially when they’re taking care
> of something “we” have not been able to do in a timely manner in the
> last few days, causing much user confusion, and quite a lot of user
> support overhead on IRC.

I obviously missed something here as I don’t know what you are referring
to. Would you mind being more explicit?

>> But it’s too ugly to be hosted on a public repo :)
>
> I don’t think the ugliness of the code is a good enough reason, in
> itself, to go on hiding it.

That was a joke.

> With all this in mind, sajolida, what do you think?

Fine with me. Still, we can’t just make that repo public because of two
things:

- A hidden place for our ISO image is documented there. It was thought
as a censorship circumvention tool. We never used it and the script is
broken on this. But still, we would totally lose the point of having
this trick available.

- The repo also has pool administration tools. Yeah, that was my idea
in the first place… But maybe we don’t want this to be published in the
same place.

#13 Updated by intrigeri 2014-07-26 08:03:46

>> Especially when they’re taking care
>> of something “we” have not been able to do in a timely manner in the
>> last few days, causing much user confusion, and quite a lot of user
>> support overhead on IRC.

> I obviously missed something here as I don’t know what you are referring
> to. Would you mind being more explicit?

Sure :) There are many download errors reported recently.

Maybe it’s only caused by more people trying to download Tails, maybe some mirrors are still serving the “old” 1.1 ISO, maybe something else is wrong.

>> With all this in mind, sajolida, what do you think?

> Fine with me. Still, we can’t just make that repo public because of two
> things:

Good points!

> - A hidden place for our ISO image is documented there. It was thought
> as a censorship circumvention tool. We never used it and the script is
> broken on this. But still, we would totally lose the point of having
> this trick available.

Ah, right. Then, the script could be adapted to load private configuration from a file that’s not in the same Git repo. Would need another ticket.

> - The repo also has pool administration tools. Yeah, that was my idea
> in the first place… But maybe we don’t want this to be published in the
> same place.

Indeed, this would need to be split out too.

I say no emergency at all, but it would be good to do this all at some point :)

#14 Updated by sajolida 2014-07-26 09:19:12

> Sure :) There are many download errors reported recently.
>
> Maybe it’s only caused by more people trying to download Tails, maybe some mirrors are still serving the “old” 1.1 ISO, maybe something else is wrong.

Yes, quite a few download errors have been reported to me through email
since 1.1 as well. But none of the reports from check-mirrors since 1.1
reported an error on my side. Note that I still receive only one and not
two, cf Bug #7485.

So maybe those were only due to the fact that, for the first time in
months, all our users had to download full ISO images. But still, that
doesn’t sound like a good explanation…

Were people able to actually spot faulty mirrors?

>> - A hidden place for our ISO image is documented there. It was thought
>> as a censorship circumvention tool. We never used it and the script is
>> broken on this. But still, we would totally lose the point of having
>> this trick available.
>
> Ah, right. Then, the script could be adapted to load private configuration from a file that’s not in the same Git repo. Would need another ticket.

Created Feature #7666.

>> - The repo also has pool administration tools. Yeah, that was my idea
>> in the first place… But maybe we don’t want this to be published in the
>> same place.
>
> Indeed, this would need to be split out too.

Created Feature #7667.

Now closing that ticket.

Sorry, but I don’t know how to mark related tickets through email…

#15 Updated by intrigeri 2014-07-26 09:27:08

> Were people able to actually spot faulty mirrors?

Asking (Cc’d) the people who worked on it.

#16 Updated by Anonymous 2014-07-27 14:07:15

intrigeri wrote:
> > Were people able to actually spot faulty mirrors?
>
> Asking (Cc’d) the people who worked on it.

Just for the sake of adding this info to the ticket: we tested only 22 mirrors. None of them had a faulty image.

#17 Updated by sajolida 2014-08-31 06:36:31

  • Category changed from Infrastructure to 214

#18 Updated by BitingBird 2015-01-04 18:55:44

  • Category changed from 214 to Infrastructure
  • Affected tool set to check-mirrors