[gimp-web] gitlab-ci: check mirror contents.



commit ba3bab43e634a234b01b7344b6345839c2f8abc6
Author: Jehan <jehan girinstud io>
Date:   Fri Sep 24 20:22:20 2021 +0200

    gitlab-ci: check mirror contents.
    
    We should randomly check that what mirrors give people is not modified
    binaries. Making it at commit time makes these checks random enough (not
    scheduled) and it's not too often either.
    
    It's not perfect and I can find more ways to trick the check but better
    than before.

 .gitlab-ci.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
---
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index b931003a..581749f4 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -14,3 +14,14 @@ check-mirrors:
     # page always display exactly the right list of mirrors (no more no
     # less compared to the ones configured on download mirror rotation).
     - tools/downloads/cmp-mirrors.py
+    # Check that the last versions are present on each mirrors and are
+    # identical to the original.
+    # Note: I could put this on a scheduled job, but then a malicious
+    # mirror could easily just display the right data only around the
+    # time when the schedule is run. Running this on each commit is
+    # actually not so bad. We don't have too many commits (a few a days,
+    # or even maybe every few days), and the timing of commits are
+    # random enough that they would be hard to guess. Of course there
+    # are other ways to trick the check, but it's better than nothing
+    # (which was what we had before).
+    - tools/downloads/gimp-check-mirrors.py --verify-checksum
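Review bot: the new `tools/downloads/gimp-check-mirrors.py --verify-checksum` step at the end of the `check-mirrors` script ties the result of every commit's pipeline to the current state of all mirrors, and nothing in this hunk shows whether the job is allowed to fail. A non-zero exit from a script line fails the job, so one lagging or unreachable mirror would mark unrelated commits as failed. The comment should say what a failure of this step means and who is expected to act on it, ideally distinguishing a checksum mismatch (a possible tampering signal) from a missing file or a timeout. The rationale in the comment is useful to keep next to the step, but it has a few grammar slips worth fixing in the same change: "on each mirrors", "a few a days", and "the timing of commits are".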

