#4906: some form of QA access to torrent and mirror content prior to public posting
----------------------------+-----------------------------------------------
 Reporter:  robatino        |       Owner:  rel-eng@lists.fedoraproject.org
     Type:  task            |      Status:  new
Milestone:  Fedora 16 Beta  |   Component:  koji
 Keywords:                  |
----------------------------+-----------------------------------------------
 In the last several releases, there has been a high probability that at least some of the Alpha and Beta torrents will have only unsigned checksum files (see https://fedorahosted.org/fedora-qa/ticket/237 ). No matter how quickly the problem is noticed, one is always told that it can't be fixed after public posting, since people are already downloading. Unfortunately, QA has no access prior to public posting to prevent it.

 There are documentation issues in releng's SOP pages that probably aggravate this problem (see the other ticket), but even if these are fixed, QA should still have a chance to check the content before it's public. A lesser problem is if the checksum files are signed more than once and different files are used on the torrents vs. mirrors (as in F15 Final).

 I realize there are possible secrecy issues regarding access to the signed files prior to the official release, but the mirrors are given access days in advance, and they almost always leak. QA might be able to set up some kind of AutoQA checking to minimize the amount of human access. In any case, QA could at least be given access to the .torrent files, to check the size of the checksum files. Signing adds about 1K to the size, so it would be possible to detect if the unsigned file was used. Having access to the actual signed file would be nicer, if possible, since the test could be both simpler and more reliable (verifying the signature itself).