[wp-meta] [Making WordPress.org] #7667: core release process: Verify ZIP recreation is intended
Making WordPress.org
noreply at wordpress.org
Mon Jun 10 01:12:53 UTC 2024
#7667: core release process: Verify ZIP recreation is intended
-----------------------------+---------------------
Reporter: dd32 | Owner: (none)
Type: task (blessed) | Status: new
Priority: normal | Milestone:
Component: Version Control | Resolution:
Keywords: |
-----------------------------+---------------------
Comment (by dd32):
Replying to [comment:2 bradshawtm]:
> > It is expected that during releases, a file may need to be rebuilt.
>
> Is there an example as to why this might need to happen (without a
> maintenance release)? Has this happened previously? Is there a running
> changelog or somewhere that we can see when a zip is newly released and
> why?
"During the release process" meant before the final "release time", i.e.
during the testing of the release before general availability of that
release.
Part of our testing process is to have the ZIP created, then run real-life
testing, and then mark it as "released".
> > This can cause problems for some 3rd party tools that expect that the
> > sha1 hash never changes post-release
>
> Given this is the purpose of the checksum, I think it's a reasonable
> expectation. If we can't trust a checksum hash of a given release to be
> stable, we have no way of knowing should the supply chain be compromised.
Supply chain attacks are a completely different thing, and WordPress.org
doesn't currently provide signature verification to combat that. File
hashes are not infallible, and can be falsified. The checksum provided is
intended to be used to verify the ZIP contents, but it needs to be
fetched at the same time as the ZIP.
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/7667#comment:3>
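As an added illustration (not part of the ticket thread or of WordPress.org's release tooling), the script below shows the two points the comment makes: a checksum fetched alongside a ZIP verifies that exact ZIP, and a recreated ZIP gets a different sha1 even when every file inside is byte-identical, because archive metadata such as entry timestamps is part of what is hashed. The file names, contents and timestamps are constructed for the example; `verify_archive` and `content_manifest` are hypothetical helper names, not WordPress.org APIs.

```python
import hashlib
import hmac
import io
import zipfile


def build_zip(files, mtime):
    """Build a ZIP in memory from a {name: bytes} dict.

    `mtime` is a (Y, M, D, h, m, s) tuple stamped on every entry; rebuilding
    the same files at a later time changes these bytes and so the archive hash.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in sorted(files.items()):
            info = zipfile.ZipInfo(name, date_time=mtime)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def sha1_hex(data):
    """Archive-level sha1, the kind of checksum published next to a release ZIP."""
    return hashlib.sha1(data).hexdigest()


def verify_archive(archive, expected_sha1):
    """Compare the downloaded bytes against the checksum fetched with them.

    compare_digest avoids timing side channels; lower() tolerates case
    differences in how the published hex digest is written.
    """
    return hmac.compare_digest(sha1_hex(archive), expected_sha1.lower())


def content_manifest(archive):
    """Per-file sha256 of the extracted contents, independent of ZIP metadata."""
    manifest = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            manifest[name] = hashlib.sha256(zf.read(name)).hexdigest()
    return manifest


# Constructed sample release contents (not real WordPress files).
FILES = {
    "wordpress/index.php": b"<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
    "wordpress/readme.html": b"<html><body>Sample release notes</body></html>\n",
}

# The ZIP as first built for pre-release testing, and the same files
# rebuilt a few days later during the testing window.
ORIGINAL = build_zip(FILES, (2024, 6, 1, 12, 0, 0))
REBUILT = build_zip(FILES, (2024, 6, 5, 9, 30, 0))


def demo():
    # The checksum a downloader would fetch together with ORIGINAL.
    published = sha1_hex(ORIGINAL)
    return {
        # Same bytes, same checksum: verification passes.
        "original_ok": verify_archive(ORIGINAL, published),
        # Rebuilt archive: identical file contents, different ZIP bytes,
        # so a tool pinned to the old sha1 rejects it.
        "rebuilt_ok": verify_archive(REBUILT, published),
        # Hashing the extracted files instead shows nothing inside changed.
        "same_contents": content_manifest(ORIGINAL) == content_manifest(REBUILT),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last field is the practical takeaway for tooling that pins checksums: an archive hash answers "is this the exact ZIP that was published with this checksum", not "are these the release's files", and neither a hash nor a per-file manifest fetched from the same server tells you anything about a compromise of that server, which is what signatures would address.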
Making WordPress.org <https://meta.trac.wordpress.org/>