Closed
Bug 1314160
Opened 8 years ago
Closed 6 years ago
Limit or eliminate tasks that "never" expire
Categories
(Taskcluster :: Services, defect, P5)
Taskcluster
Services
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: jonasfj, Unassigned)
Details
Stages: 1) Put task.expires > 1 year behind a scope, while granting the scope to everybody By giving it to "assume:*" using the "*" role. 2) Ensure nobody has the scope 3) Remove support for task.expires > 1 year This way we can gradually migrate away from it. Step (1) will break things that uses authorizedScopes, temporary credentials, and task.scopes without referencing any roles. But that's hopefully an uncommon use-case.
Comment 1•8 years ago
|
||
From the ML discussion, there are some legitimate uses for expirations greater than one year -- in particular, validating the chain of trust for builds made more than a year ago (per Aki). So I don't think we'd ever get rid of this scope. In fact, potentially every level-3 build would need a multi-year expiration, in a build-promotion world. Also, step 1 would break the world, for the reasons you described. Rather than breaking everyone's tasks, I would suggest analyzing new tasks with long expirations, and chasing down the people who can either change the expiration times or explain why they need long times. In the latter case, set up the long-expiration scope for whatever is creating those tasks.
Summary: Limit task.expires to 1 year → Limit or eliminate tasks that "never" expire
Comment 2•8 years ago
|
||
BTW, two years might be OK for chain-of-trust? That's doubling the storage costs, which may be significant if it applies to all level-3 builds, but it's better than "forever". This bug should also encompass manually expiring many of the existing "forever" tasks -- likely a large portion of them are completely unnecessary.
Flags: needinfo?(aki)
Comment 3•8 years ago
|
||
I think I'm ok with a year. I was mainly pointing out that if we wanted to reduce the overlap where we had two sets of the same binaries, we could reduce the release artifact expiration to much less than a year, but we would need chain of trust to be verifiable in the beetmoved area. We might want chain of trust to be verifiable in the beetmoved area anyway, but a year gives us enough time to audit ESRs if wanted.
Flags: needinfo?(aki)
Reporter | ||
Updated•6 years ago
|
Priority: -- → P5
Comment 6•6 years ago
|
||
I think this is a feature and not a bug.
Status: NEW → RESOLVED
Closed: 6 years ago
QA Contact: jhford
Resolution: --- → WONTFIX
Assignee | ||
Updated•5 years ago
|
Component: Queue → Services
You need to log in
before you can comment on or make changes to this bug.
Description
•