Task #2924

if URL includes fingerprint, first download should be index.jar, not index.xml (signed vs. unsigned)

Added by hans almost 4 years ago. Updated over 3 years ago.

Status: Rejected
Start date: 01/30/2014
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: -
Target version: new unified Downloader infrastructure
Component:

Description

ensure this is actually the case:

if URL includes fingerprint, first download should be index.jar, not index.xml (signed vs. unsigned)


Related issues

Related to Bazaar - Feature #2960: preference to enable/disable https and unsigned indexes i... In Progress 02/14/2014

Associated revisions

Revision a0970d07
Added by Hans-Christoph Steiner over 3 years ago

when adding a repo with fingerprint, make sure to store the pubkey

The logic here is crufty, so I slapped a flag in there to make sure that
the pubkey gets stored when someone configures a repo and includes the
fingerprint. When the fingerprint is set, it will first download the
index.jar and verify it against that fingerprint. The logic for storing
the pubkey permanently happens later in the XML parsing, so there needs to
be a flag to signal to store the pubkey in this case.

Before, the flow was always index.xml -> get pubkey -> index.jar. Really,
there should no longer be support for unsigned repos, then all of this
stuff can be dramatically simplified.

fixes #2924 https://dev.guardianproject.info/issues/2924
refs #2960 https://dev.guardianproject.info/issues/2960
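
The flow described in the commit message above, sketched in Python as an added example (it is not the project's code, which this page does not show): a pinned fingerprint selects index.jar as the first download, the signer is checked against the pin, and only then is the pubkey stored. The `fingerprint` query parameter name, SHA-256 over the DER certificate, the `fetch_signer_cert` callback and the example.org URL are assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

HEX = set("0123456789abcdef")

def parse_repo_url(url):
    """Return (base_address, pinned_fingerprint_or_None) for a repo URL."""
    parts = urlsplit(url)
    fp = parse_qs(parts.query).get("fingerprint", [None])[0]  # assumed parameter name
    if fp is not None:
        fp = fp.replace(":", "").replace(" ", "").lower()
        if len(fp) != 64 or not set(fp) <= HEX:
            raise ValueError("malformed fingerprint in repo URL")
    base = parts._replace(query="", fragment="").geturl().rstrip("/")
    return base, fp

def first_download(url):
    """Signed index first when a fingerprint is pinned, unsigned otherwise."""
    base, fp = parse_repo_url(url)
    return base + ("/index.jar" if fp else "/index.xml")

def signer_matches(cert_der, pinned_fp):
    """Compare the SHA-256 of the signer certificate with the pinned value."""
    actual = hashlib.sha256(cert_der).hexdigest()
    return hmac.compare_digest(actual, pinned_fp)

def add_repo(url, fetch_signer_cert):
    """Configure a repo. fetch_signer_cert(index_url) is a hypothetical callback
    returning the DER certificate that validly signed the downloaded index.jar."""
    base, fp = parse_repo_url(url)
    repo = {"address": base, "first_fetch": first_download(url), "pubkey": None}
    if fp is None:
        return repo  # legacy unsigned flow: nothing pinned, nothing stored yet
    cert = fetch_signer_cert(repo["first_fetch"])
    if not signer_matches(cert, fp):
        # Fail closed: no pubkey is stored and index.xml is never used as a fallback.
        raise ValueError("index.jar signer does not match pinned fingerprint")
    repo["pubkey"] = cert.hex()  # the "store the pubkey" step, done at add time
    return repo

# Constructed sample data: placeholder bytes stand in for a real certificate.
GOOD_CERT = b"constructed signer certificate"
PINNED = hashlib.sha256(GOOD_CERT).hexdigest().upper()
REPO_URL = "https://repo.example.org/fdroid/repo?fingerprint=" + PINNED

if __name__ == "__main__":
    print(first_download(REPO_URL))
    print(add_repo(REPO_URL, lambda _url: GOOD_CERT)["pubkey"][:16])
```
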

History

#1 Updated by hans almost 4 years ago

  • Target version changed from improved security/usability to 134

#2 Updated by hans over 3 years ago

I think we should instead implement #2960 and not do any detailed trickery like this, to keep things simple.

#3 Updated by hans over 3 years ago

  • Status changed from New to Rejected

#4 Updated by hans over 3 years ago

  • Target version changed from 134 to new unified Downloader infrastructure
