mozilla / mozillavpn-product-details Goto Github PK

Should be supported by Ajv and JDT but couldn't get it to parse first time round.

See https://github.com/mozilla/mozillavpn-product-details/pull/10/files

This PR added

"2.6.1": {
      "build": null,
      "date": "2021-11-22",
      "platforms": ["ANDROID", "IOS", "MACOS", "WINDOWS"]
    }

but did not update the latest version for iOS and Android

 "latest": {
    "ANDROID": "2.5.1",
    "IOS": "2.5.1",
    "LINUX": "2.6.0",
    "MACOS": "2.6.1",
    "WINDOW: "2.6.1"
    }

This issue is to add a test, unlikely to be doable with json validation to verify inconsistencies like this don't happen.

At present, the product details only contain version numbers and release dates. While this allows a consumer of this repository to construct the URL to archive.mozilla.org to download the installer file, it does not allow the user to validate that the contents of archive.mozilla.org haven't been tampered with and therefore might represent a break in the chain of trust.

To remedy this, we should be including a strong cryptographic hash (eg: SHA256/512) of the installer packages in this repository, in addition to the rest of the release details. This would allow a user to download the installer, and validate that they received the expected file.

This issue was recently exposed in PSP-426 but could have bitten us before.