
Self-hosted setup for Tor Browser tarballs is fragile when upstream tarballs change

To save bandwidth, the documentation produced in the initial implementation (#8125 (closed)) does not actually upload tarballs to our git-annex repository, but instead it adds such tarballs by URL (with git annex addurl). If the tarballs found at these URLs change, then anyone who gets them later (using git annex copy) will get the updated tarballs, as opposed to the ones we initially meant to add.

This doesn’t fail in awful ways when building Tails, since what we publish over HTTP actually uses a clone of our master git-annex repository, synchronized very often, so as long as the upstream tarballs are not modified within ~1 hour, the tarballs we’re publishing will be the ones we meant.

Still, this means that our master git-annex repo doesn’t really contain the data we meant to store in there. The one that does is its (meant to be read-only) clone used on www.lizard. I think we should fix that. This means the release manager will have to download the tarballs over HTTP, then upload them with git annex… and then they’ll be downloading the tarballs again when they build an ISO image, unless they cheat and import the tarballs into their apt-cacher-ng cache.

Original created by @intrigeri on 9020 (Redmine)