
Bug 346133

Summary: Download server's sums.php script can return ""
Product: Community
Reporter: Konstantin Komissarchik <konstantin>
Component: Servers
Assignee: Eclipse Webmaster <webmaster>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: P3
Version: unspecified
Target Milestone: ---
Hardware: All
OS: All
Whiteboard:

Description Konstantin Komissarchik CLA 2011-05-17 14:31:29 EDT
It appears that when the server gets a request for a download file checksum, it adds that request to the queue and immediately returns to the caller with an empty response. The caller is expected to come back at an undetermined time later to get the actual checksum.

I expect the server to block the request until the sum is computed. Returning an empty response makes it very complicated for adopters to work with the eclipse.org download server.
Comment 1 Denis Roy CLA 2011-05-17 14:38:51 EDT
Actually, requesting the sum does not queue it up -- the first download (via download.php) does.

What do you mean by block the request?  I'd hate to just keep the browser waiting until the sum appears since that opens the door to a denial of service attack against ourselves.

I agree status quo is not ideal.  What if I return a 404 for blank sums?
Comment 2 Konstantin Komissarchik CLA 2011-05-17 14:54:35 EDT
Returning 404 doesn't help. The issue is that when the download server is accessed via adopter automation (not a human clicking on a checksum link in the browser), the checksums are needed when requested. Saying "I don't know, ask me later" isn't helpful.

> What do you mean by block the request?  I'd hate to just keep the browser
> waiting until the sum appears since that opens the door to a denial of service
> attack against ourselves.

I don't see a denial of service potential here. There is a finite number of downloads whose checksums haven't been computed. The denial of service can only happen if you assume a compromised FTP account feeding new files to the server.

If I were implementing a checksum service, it would be a simple cache where a cache miss results in immediately computing the checksum. No queue or anything like that. This would also make it easier to fix the recurring problem of checksums not matching the download. You just extend the definition of a cache miss to include a timestamp check.
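As an added example (not the download server's sums.php or any Eclipse code), here is the compute-on-miss checksum cache comment 2 describes, with the cache-miss definition extended to a modification-time and size check so a republished file never returns a stale sum. The class name `ChecksumCache`, the `demo` walkthrough and the sample file are assumptions for illustration.

```python
import hashlib
import os
import tempfile
import threading


class ChecksumCache:
    """Compute-on-miss checksum cache keyed by path.

    A cached entry is valid only while the file's (mtime_ns, size) pair is
    unchanged, so replacing a download artifact is itself a cache miss.
    """

    def __init__(self, algorithm="sha256"):
        self._algorithm = algorithm
        self._entries = {}          # path -> ((mtime_ns, size), hexdigest)
        self._lock = threading.Lock()
        self.misses = 0             # counts actual digest computations

    def get(self, path):
        st = os.stat(path)
        key = (st.st_mtime_ns, st.st_size)
        with self._lock:
            cached = self._entries.get(path)
            if cached is not None and cached[0] == key:
                return cached[1]    # hit: sum is current for this file version
        digest = self._compute(path)  # miss: computed in the request path
        with self._lock:
            self.misses += 1
            self._entries[path] = (key, digest)
        return digest

    def _compute(self, path):
        h = hashlib.new(self._algorithm)
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        return h.hexdigest()


def demo():
    """Constructed walkthrough: miss, hit, then invalidation after a republish."""
    cache = ChecksumCache("sha256")
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "artifact.zip")   # constructed sample file
        with open(path, "wb") as f:
            f.write(b"hello")
        first = cache.get(path)                   # miss, computed now
        second = cache.get(path)                  # hit, nothing recomputed
        with open(path, "wb") as f:
            f.write(b"hello world")               # republished: size/mtime differ
        third = cache.get(path)                   # miss again, fresh digest
        return first, second, third, cache.misses
```

Because the digest is computed inside the request path, a deployment would also bound how many computations run concurrently (the concern raised in comment 1); that limit is left out here to keep the cache logic visible.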
Comment 3 Denis Roy CLA 2011-05-17 17:12:18 EDT
(In reply to comment #2)
> I don't see a denial of service potential here.

Of course you don't -- you're a developer :)

> If I was implementing a checksum service, it would be a simple cache where a
> cache miss results in immediately computing of the checksum.

Done.  You should tip the web guys at Oracle to look into our now awesome checksum service -- theirs doesn't work too good.

http://www.oracle.com/technetwork/database/berkeleydb/downloads/index.html
Comment 4 Konstantin Komissarchik CLA 2011-05-17 17:20:49 EDT
Thanks!

> You should tip the web guys at Oracle to look into our now awesome
> checksum service -- theirs doesn't work too good.

Trust me, that's the least of their problems.