Closed Bug 1090468 Opened 10 years ago Closed 9 years ago

Remove /security pages from SVN

Categories

(www.mozilla.org :: Legacy PHP system, defect)

Development/Staging
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: sgarrity, Unassigned)

Details

(Whiteboard: [kb=1569529] )

Attachments

(5 files)

Now that the /security migration to bedrock from Bug 1026184 is in place, most (or all?) of the pages in the /security dir in SVN can be deleted. See: http://viewvc.svn.mozilla.org/vc/projects/mozilla.org/trunk/security/
Whiteboard: [kb=1569529]
pmac, this patch removes all of the /security/ files that are already redirected to bedrock. This leaves behind only a handful of files that we can deal with next. The patch is huge, but it's remove-only. I'll also attach an 'svn status' summary for an easier review of the removed-files.
Attachment #8522258 - Flags: review?(pmac)
Attached file status.txt
Here's the svn summary of files removed in the patch.
(In reply to Steven Garrity [:sgarrity] from comment #3)
> After the patch in Comment #1 is applied, we'll be left with the following
> pages in /security/ in the old SVN dir.
> 
> Who can I get to help decide what to do with these pages?

I believe that would be Al Billings and Dan Veditz.
Flags: needinfo?(dveditz)
Flags: needinfo?(abillings)
Yes, that is me and Dan. We're happy to move them to GitHub, though I think we're both worried about losing our ability to commit changes. Right now, we have full checkin authority for /security pages.
Flags: needinfo?(abillings)
(In reply to Al Billings [:abillings] from comment #5)
> Yes, that is me and Dan. We're happy to move them to GitHub, though I think
> we're both worried about losing our ability to commit changes. Right now, we
> have full checkin authority for /security pages.

I'm happy to give you both commit access to the repo as long as you agree not to just push stuff to the master branch. None of us push any code without a pull request and code review. Submitting a pull-request and asking for code review is something anyone in the world can do, and none of us would question you on content, but we do sometimes catch coding mistakes and we like to keep some track of what's coming into master so that we can plan pushes to production.

The thing about some of the above files is that some are very old and out of date. Some of the information is clearly no longer relevant. So I think for now the decision to be made for each one is whether it should be ported to bedrock, archived as is to our archive along with a redirect, or just deleted.
Flags: needinfo?(jbertsch)
For the http://www.mozilla.org/security/hall-of-fame.html page, may I suggest we move it to:

https://www.mozilla.org/security/bug-bounty/hall-of-fame/

I'm not able to find any links to the hall-of-fame page in bedrock or in any of the mozilla.org SVN repo. If we're bothering to keep the page, maybe we should add a link from the /security/bug-bounty/ page to this hall-of-fame page?

Another option would be to add the hall-of-fame page content to the bottom of the /security/bug-bounty/ page in bedrock. We could add each year section as a collapsed disclosure element that is opened on click. For an example of this, see the FAQ section of this page: https://www.mozilla.org/en-US/firefox/dnt/

I would lean toward this latter option, but I'm fine with either.

:dveditz, let me know your preference (thanks).
Flags: needinfo?(dveditz)
The hall of fame page is brand new and being actively discussed and worked on. That's why you're not finding it linked as of yet. 

I'd like the hall of fame page to be a separate page, but having it under the bug bounty would be fine by me. Collapsible would be nice. The fellow working on it, rforbes, isn't a web designer. He's a fuzzing team member.
Comment on attachment 8522258 [details] [diff] [review]
bug-1090468-remove-sec.diff

Review of attachment 8522258 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good. Thanks Steven.
Attachment #8522258 - Flags: review?(pmac) → review+
(In reply to Daniel Veditz [:dveditz] from comment #8)
> Keep (at current location)
> > http://www.mozilla.org/security/transition.txt

We've moved this to bedrock and it now lives here:

https://www.mozilla.org/media/security/transition.txt

I believe we can safely remove the old file in SVN, as the new security index page now links to the above URL. If, however, there are links out there to the old location, we can add a redirect to the new one. Do you think that's necessary, Dan?
(In reply to Steven Garrity [:sgarrity] from comment #1)
> Created attachment 8522258 [details] [diff] [review]
> bug-1090468-remove-sec.diff

Applied in trunk in r135176.

 789 files changed, 77637 deletions(-)
(In reply to Steven Garrity [:sgarrity] from comment #9)
> For the http://www.mozilla.org/security/hall-of-fame.html page, may I
> suggest we move it to:
> 
> https://www.mozilla.org/security/bug-bounty/hall-of-fame/

That seems reasonable. It's a work in progress and has no links. In fact there's been some discussion about whether that's the right name (are we going to combine client and web bounties on one document, or have different names for each?), which we wanted to resolve before handing out links.

> Another option would be to add the hall-of-fame page content to the bottom
> of the /security/bug-bounty/ page in bedrock.

I don't want to do that. Let's keep it as a separate document.

> We've moved this to bedrock and it now lives here:
>
> https://www.mozilla.org/media/security/transition.txt

Why /media/? Will that affect our ability to change that page should we need to transition our key again?
Flags: needinfo?(dveditz)
(In reply to Daniel Veditz [:dveditz] from comment #14)
> Why /media/? Will that affect our ability to change that page should we need
> to transition our key again?

It's only /media/ because that happens to be the path where Apache is pointed to serve up static content from the bedrock repo. It does not affect our ability to update it in any way. The content is in git[0] and can be changed at will.

[0] https://github.com/mozilla/bedrock/blob/master/media/security/transition.txt
If we'd rather keep the old URL we can, it's just a matter of serving the file in a different way, but it's not hard.
This PR adds the hall-of-fame page at /security/bug-bounty/hall-of-fame/

We can change the URL if the 'hall-of-fame' page name changes.
(In reply to Daniel Veditz [:dveditz] from comment #8)
> Unknown
> > http://www.mozilla.org/security/activemixedcontent.html
> 
> The last one could be there because it's referenced from our blog. Tanvi
> would know.

I haven't referenced this in a blog.
Flags: needinfo?(tvyas)
(In reply to Steven Garrity [:sgarrity] from comment #17)
> Created attachment 8527729 [details] [review]
> PR to add hall-of-fame page
> This PR adds the hall-of-fame page at /security/bug-bounty/hall-of-fame/

This page has landed in bedrock and will go into production with the next push.

I presume we don't need a redirect from the old /security/hall-of-fame.html URL, as it wasn't linked to and may change. Please let me know if this is incorrect.
Here's the PR that adds redirects to the security pages that have been moved to the archive.
(In reply to Tanvi Vyas [:tanvi] from comment #18)
> (In reply to Daniel Veditz [:dveditz] from comment #8)
> > Unknown
> > > http://www.mozilla.org/security/activemixedcontent.html
> > 
> > The last one could be there because it's referenced from our blog. Tanvi
> > would know.
> 
> I haven't referenced this in a blog.

I've done some searching and I can't find any references to this activemixedcontent.html file in the wiki, devmo, or mozilla.org sites.

I propose we remove the file. If it turns out it needs to come back, we can retrieve it from SVN history.
Daniel, before we remove /security/transition.txt from SVN, do we need to add a redirect to the /media/security/transition.txt or is it ok to move to the new URL without a redirect? Thanks.
Flags: needinfo?(dveditz)
This patch removes the remaining /security/ files from SVN, except for the transition.txt
Attachment #8532101 - Flags: review?(pmac)
There's another set of pages at /projects/security/ in SVN that we'd like to clean out.

These pages are already redirected or broken, and I will remove them:

 http://www.mozilla.org/projects/security/known-vulnerabilities.html
 http://www.mozilla.org/projects/security/membership-policy.html
 http://www.mozilla.org/projects/security/older-vulnerabilities.html
 http://www.mozilla.org/projects/security/secgrouplist.html
 http://www.mozilla.org/projects/security/security-bugs-policy.html
 http://www.mozilla.org/projects/security/tld-idn-policy-list.html

This file was added in 2006 by dveditz and hasn't been touched since, I presume it can go?

 http://www.mozilla.org/projects/security/utf7xss.html

This page is still alive - should it be ported? Can we just redirect it to /security/ ?

 http://www.mozilla.org/projects/security/index.html
(In reply to Steven Garrity [:sgarrity] from comment #25)
> 
> This file was added in 2006 by dveditz and hasn't been touched since, I
> presume it can go?
> 
>  http://www.mozilla.org/projects/security/utf7xss.html

This looks like an example of how to perform an XSS attack on a site where the character set isn't specified. Not sure if this works on any modern browsers anymore.

> 
> This page is still alive - should it be ported? Can we just redirect it to
> /security/ ?
> 
>  http://www.mozilla.org/projects/security/index.html

Not sure if this page is up to date. Dan?
(In reply to Steven Garrity [:sgarrity] from comment #23)
> Daniel, before we remove /security/transition.txt from SVN, do we need to
> add a redirect to the /media/security/transition.txt or is it ok to move to
> the new URL without a redirect? Thanks.

Please add a redirect, as it's been linked to via e-mails for a while now. Thanks!
Flags: needinfo?(dveditz)
Commits pushed to master at https://github.com/mozilla/bedrock

https://github.com/mozilla/bedrock/commit/e58be282c3b2fb67bca6e5832534d7bf0c339299
Bug 1090468: Move transition.txt to original url.

https://github.com/mozilla/bedrock/commit/f8bf68e5999a7ed75b779f47085d59236f3adf10
Merge pull request #2576 from pmclanahan/move-transition-txt-1090468

Bug 1090468: Move transition.txt to original url.
(In reply to Reed Loden [:reed] from comment #27)
> Please add a redirect, as it's been linked to via e-mails for a while now.
> Thanks!

The above merge in comment #28 moves the transition.txt back to its original URL (it will still work at the new one as well if someone got that one in the interim). Should go to production today.
Attachment #8532101 - Flags: review?(pmac) → review+
Commits pushed to master at https://github.com/mozilla/bedrock

https://github.com/mozilla/bedrock/commit/7bd1296e808ba7287b7de27f8a1f39e5810190ca
Redirect to archived security pages
Bug 1090468

https://github.com/mozilla/bedrock/commit/1950401b72f6eda8ae25b300ea98b57b42d96e85
Merge pull request #2550 from sgarrity/bug-1090468-security-archive-redirects

Bug 1090468: Redirect to archived security pages
I believe this is all done. Please reopen if we're still missing things.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED