Closed
Bug 1090468
Opened 10 years ago
Closed 9 years ago
Remove /security pages from SVN
Categories
(www.mozilla.org :: Legacy PHP system, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: sgarrity, Unassigned)
References
()
Details
(Whiteboard: [kb=1569529] )
Attachments
(5 files)
Now that the /security migration to bedrock from Bug 1026184 is in place, most (or all?) of the pages in the /security dir in SVN can be deleted. See: http://viewvc.svn.mozilla.org/vc/projects/mozilla.org/trunk/security/
Updated•10 years ago
|
Whiteboard: [kb=1569529]
Reporter | ||
Comment 1•10 years ago
|
||
pmac, this patch removes all of the /security/ files that are already redirected to bedrock. This leaves behind only a handful of files that we can deal with next. The patch is huge, but it's remove-only. I'll also attach an 'svn status' summary for an easier review of the removed-files.
Attachment #8522258 -
Flags: review?(pmac)
Reporter | ||
Comment 2•10 years ago
|
||
Here's the svn summary of files removed in the patch.
Reporter | ||
Comment 3•10 years ago
|
||
After the patch in Comment #1 is applied, we'll be left with the following pages in /security/ in the old SVN dir. Who can I get to help decide what to do with these pages? http://www.mozilla.org/security/activemixedcontent.html http://www.mozilla.org/security/disable-ssl2-netscape.html http://www.mozilla.org/security/hall-of-fame.html http://www.mozilla.org/security/history-title.html http://www.mozilla.org/security/idn.html http://www.mozilla.org/security/iSECPartners_Phishing.pdf http://www.mozilla.org/security/NSSVulnerabilityAug2004.html http://www.mozilla.org/security/older-alerts.html http://www.mozilla.org/security/phishing-test-results.html http://www.mozilla.org/security/phishing-test.html http://www.mozilla.org/security/security-announcement.html http://www.mozilla.org/security/shell.html http://www.mozilla.org/security/transition.txt http://www.mozilla.org/security/update-2004-10-01.html
Flags: needinfo?(jbertsch)
Comment 4•10 years ago
|
||
(In reply to Steven Garrity [:sgarrity] from comment #3) > After the patch in Comment #1 is applied, we'll be left with the following > pages in /security/ in the old SVN dir. > > Who can I get to help decide what to do with these pages? I believe that would be Al Billings and Dan Veditz.
Flags: needinfo?(dveditz)
Flags: needinfo?(abillings)
Comment 5•10 years ago
|
||
Yes, that is me and Dan. We're happy to move them to Github though I think we're both worried about losing our ability to commit changes. Right now, we have full checkin authority for /security pages.
Flags: needinfo?(abillings)
Comment 6•10 years ago
|
||
(In reply to Al Billings [:abillings] from comment #5) > Yes, that is me and Dan. We're happy to move them to Github though I think > we're both worried about losing our ability to commit changes. Right now, we > have full checkin authority for /security pages. I'm happy to give you both commit access to the repo as long as you agree not to just push stuff to the master branch. None of us push any code without a pull request and code review. Submitting a pull-request and asking for code review is something anyone in the world can do, and none of us would question you on content, but we do sometimes catch coding mistakes and we like to keep some track of what's coming into master so that we can plan pushes to production. The thing about some of the above files is that some are very old and out of date. Some of the information is clearly no longer relevant. So I think for now the decision to be made is for each one should it be ported to bedrock, archived as is to our archive along with a redirect, or just deleted.
Reporter | ||
Comment 7•10 years ago
|
||
Al, more specifically, of these 14 remaining files in SVN, can you let us know what we should do with each? Options for each include: 1. Delete without a redirect (for anyone plainly obsolete) 2. Port to bedrock (for pages that are still relevant) - please specify where in the URL structure the page should live (we can add redirects from the old URL) 3. Archive and delete (for pages that are no longer needed, but shouldn't be completely deleted). These pages get moved/redirected to our website archive. For example: http://website-archive.mozilla.org/www.mozilla.org/devpreview_releasenotes/projects/devpreview/releasenotes/ http://www.mozilla.org/security/activemixedcontent.html http://www.mozilla.org/security/disable-ssl2-netscape.html http://www.mozilla.org/security/hall-of-fame.html http://www.mozilla.org/security/history-title.html http://www.mozilla.org/security/idn.html http://www.mozilla.org/security/iSECPartners_Phishing.pdf http://www.mozilla.org/security/NSSVulnerabilityAug2004.html http://www.mozilla.org/security/older-alerts.html http://www.mozilla.org/security/phishing-test-results.html http://www.mozilla.org/security/phishing-test.html http://www.mozilla.org/security/security-announcement.html http://www.mozilla.org/security/shell.html http://www.mozilla.org/security/transition.txt http://www.mozilla.org/security/update-2004-10-01.html
Updated•10 years ago
|
Flags: needinfo?(jbertsch)
Comment 8•10 years ago
|
||
Obsolete (delete) > http://www.mozilla.org/security/disable-ssl2-netscape.html > http://www.mozilla.org/security/history-title.html > http://www.mozilla.org/security/idn.html > http://www.mozilla.org/security/NSSVulnerabilityAug2004.html > http://www.mozilla.org/security/shell.html > http://www.mozilla.org/security/update-2004-10-01.html Archive > http://www.mozilla.org/security/older-alerts.html > http://www.mozilla.org/security/security-announcement.html > http://www.mozilla.org/security/iSECPartners_Phishing.pdf > http://www.mozilla.org/security/phishing-test-results.html > http://www.mozilla.org/security/phishing-test.html Keep (at current location) > http://www.mozilla.org/security/hall-of-fame.html > http://www.mozilla.org/security/transition.txt Unknown > http://www.mozilla.org/security/activemixedcontent.html The last one could be there because it's referenced from our blog. Tanvi would know.
Flags: needinfo?(dveditz) → needinfo?(tvyas)
Reporter | ||
Comment 9•10 years ago
|
||
For the http://www.mozilla.org/security/hall-of-fame.html page, may I suggested we move it to: https://www.mozilla.org/security/bug-bounty/hall-of-fame/ I'm not able to find any links to the hall-of-fame page in bedrock or in any of the mozilla.org SVN repo. If we're bothering to keep the page, maybe we should add a link from the /security/bug-bounty/ page to this hall-of-fame page? Another option would be to add the hall-of-fame page content to the bottom of the /security/bug-bounty/ page in bedrock. We could add each year section as a collapsed disclosure element that is opened on click. For an example of this, see the FAQ section of this page: https://www.mozilla.org/en-US/firefox/dnt/ I would lean toward this latter option, but I'm fine with either. :dveditz, let me know your preference (thanks).
Flags: needinfo?(dveditz)
Comment 10•10 years ago
|
||
The hall of fame page is brand new and being actively discussed and worked on. That's why you're not finding it linked as of yet. I'd like the hall of fame page to be a separate page but having it under the bug bounty would be fine by me. Collapsable would be nice. The fellow working on it, rforbes, isn't a web designer. He's a fuzzing team member.
Comment 11•10 years ago
|
||
Comment on attachment 8522258 [details] [diff] [review] bug-1090468-remove-sec.diff Review of attachment 8522258 [details] [diff] [review]: ----------------------------------------------------------------- Looks good. Thanks Steven.
Attachment #8522258 -
Flags: review?(pmac) → review+
Comment 12•10 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #8) > Keep (at current location) > > http://www.mozilla.org/security/transition.txt We've moved this to bedrock and it now lives here: https://www.mozilla.org/media/security/transition.txt I believe we can safely remove the old file in SVN as the new security index page now links to the above URL. If however there are links out there to the old location we can add a redirect to the new one. Do you think that's necessary Dan?
Reporter | ||
Comment 13•10 years ago
|
||
(In reply to Steven Garrity [:sgarrity] from comment #1) > Created attachment 8522258 [details] [diff] [review] > bug-1090468-remove-sec.diff Applied in trunk in r135176. 789 files changed, 77637 deletions(-)
Comment 14•10 years ago
|
||
(In reply to Steven Garrity [:sgarrity] from comment #9) > For the http://www.mozilla.org/security/hall-of-fame.html page, may I > suggested we move it to: > > https://www.mozilla.org/security/bug-bounty/hall-of-fame/ That seems reasonable. It's a work in progress and has no links. In fact there's been some discussion about whether that's the right name (are we going to combine client and web bounties on one document, or have different names for each?), which we wanted to resolve before handing out links. > Another option would be to add the hall-of-fame page content to the bottom > of the /security/bug-bounty/ page in bedrock. I don't want to do that. Let's keep it as a separate document. > We've moved this to bedrock and it now lives here: > > https://www.mozilla.org/media/security/transition.txt Why /media/? Will that affect our ability to change that page should we need to transition our key again?
Flags: needinfo?(dveditz)
Comment 15•10 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #14) > Why /media/? Will that affect our ability to change that page should we need > to transition our key again? It's only /media/ because that happens to be the path where Apache is pointed to serve up static content from the bedrock repo. It does not affect our ability to update it in any way. The content is in git[0] and can be changed at will. [0] https://github.com/mozilla/bedrock/blob/master/media/security/transition.txt
Comment 16•10 years ago
|
||
If we'd rather keep the old URL we can, it's just a matter of serving the file in a different way, but it's not hard.
Reporter | ||
Comment 17•10 years ago
|
||
This PR adds the hall-of-fame page at /security/bug-bounty/hall-of-fame/ We can change the URL if the 'hall-of-fame' page name changes.
Comment 18•10 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #8) > Unknown > > http://www.mozilla.org/security/activemixedcontent.html > > The last one could be there because it's referenced from our blog. Tanvi > would know. I haven't referenced this in a blog.
Updated•10 years ago
|
Flags: needinfo?(tvyas)
Reporter | ||
Comment 19•10 years ago
|
||
(In reply to Steven Garrity [:sgarrity] from comment #17) > Created attachment 8527729 [details] [review] > PR to add hall-of-fame page > This PR adds the hall-of-fame page at /security/bug-bounty/hall-of-fame/ This page has landed in bedrock and will go into production with the next push. I presume we don't need a redirect from the old /security/hall-of-fame.html URL, as it wasn't linked to and may change. Please let me know if this is incorrect.
Reporter | ||
Comment 20•10 years ago
|
||
As per comment #8, the following pages have been moved to the archive in SVN r135527: > http://www.mozilla.org/security/older-alerts.html > http://www.mozilla.org/security/security-announcement.html > http://www.mozilla.org/security/iSECPartners_Phishing.pdf > http://www.mozilla.org/security/phishing-test-results.html > http://www.mozilla.org/security/phishing-test.html Next I'll add redirects and remove the old files from SVN.
Reporter | ||
Comment 21•10 years ago
|
||
Here's the PR that adds redirects to the security pages that have been moved to the archive.
Reporter | ||
Comment 22•10 years ago
|
||
(In reply to Tanvi Vyas [:tanvi] from comment #18) > (In reply to Daniel Veditz [:dveditz] from comment #8) > > Unknown > > > http://www.mozilla.org/security/activemixedcontent.html > > > > The last one could be there because it's referenced from our blog. Tanvi > > would know. > > I haven't referenced this in a blog. I've done some searching and I can't find any references to this activemixedcontent.html file in the wiki, devmo, or mozilla.org sites. I propose we remove the file. If it turns out it needs to come back, we can retrieve it from SVN history.
Reporter | ||
Comment 23•10 years ago
|
||
Daniel, before we remove /security/transition.txt from SVN, do we need to add a redirect to the /media/security/transition.txt or is it ok to move to the new URL without a redirect? Thanks.
Flags: needinfo?(dveditz)
Reporter | ||
Comment 24•10 years ago
|
||
This patch removes the remaining /security/ files from SVN, except for the transition.txt
Attachment #8532101 -
Flags: review?(pmac)
Reporter | ||
Comment 25•10 years ago
|
||
There's another set of pages at /projects/security/ in SVN that we'd like to clean out. These pages are already redirected or broken, and I will remove http://www.mozilla.org/projects/security/known-vulnerabilities.html http://www.mozilla.org/projects/security/membership-policy.html http://www.mozilla.org/projects/security/older-vulnerabilities.html http://www.mozilla.org/projects/security/secgrouplist.html http://www.mozilla.org/projects/security/security-bugs-policy.html http://www.mozilla.org/projects/security/tld-idn-policy-list.html This file was added in 2006 by dveditz and hasn't been touched since, I presume it can go? http://www.mozilla.org/projects/security/utf7xss.html This page is still alive - should it be ported? Can we just redirect it to /security/ ? http://www.mozilla.org/projects/security/index.html
Comment 26•10 years ago
|
||
(In reply to Steven Garrity [:sgarrity] from comment #25) > > This file was added in 2006 by dveditz and hasn't been touched since, I > presume it can go? > > http://www.mozilla.org/projects/security/utf7xss.html This looks like an example of how to perform an xss attack on a site where the character set isn't specified. Not sure if this works on any modern browsers anymore. > > This page is still alive - should it be ported? Can we just redirect it to > /security/ ? > > http://www.mozilla.org/projects/security/index.html Not sure if this page is up to date. Dan?
Comment 27•10 years ago
|
||
(In reply to Steven Garrity [:sgarrity] from comment #23) > Daniel, before we remove /security/transition.txt from SVN, do we need to > add a redirect to the /media/security/transition.txt or is it ok to move to > the new URL without a redirect? Thanks. Please add a redirect, as it's been linked to via e-mails for a while now. Thanks!
Flags: needinfo?(dveditz)
Comment 28•10 years ago
|
||
Commits pushed to master at https://github.com/mozilla/bedrock https://github.com/mozilla/bedrock/commit/e58be282c3b2fb67bca6e5832534d7bf0c339299 Bug 1090468: Move transition.txt to original url. https://github.com/mozilla/bedrock/commit/f8bf68e5999a7ed75b779f47085d59236f3adf10 Merge pull request #2576 from pmclanahan/move-transition-txt-1090468 Bug 1090468: Move transition.txt to original url.
Comment 29•10 years ago
|
||
(In reply to Reed Loden [:reed] from comment #27) > Please add a redirect, as it's been linked to via e-mails for a while now. > Thanks! The above merge in comment #28 moves the transition.txt back to its original URL (it will still work at the new one as well if someone got that one in the interim). Should go to production today.
Updated•10 years ago
|
Attachment #8532101 -
Flags: review?(pmac) → review+
Comment 30•10 years ago
|
||
Commits pushed to master at https://github.com/mozilla/bedrock https://github.com/mozilla/bedrock/commit/7bd1296e808ba7287b7de27f8a1f39e5810190ca Redirect to archived security pages Bug 1090468 https://github.com/mozilla/bedrock/commit/1950401b72f6eda8ae25b300ea98b57b42d96e85 Merge pull request #2550 from sgarrity/bug-1090468-security-archive-redirects Bug 1090468: Redirect to archived security pages
Comment 31•9 years ago
|
||
I believe this is all done. Please reopen if we're still missing things.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•