Bug 1187966
Opened 9 years ago
Closed 9 years ago
Automated HSTS/HPKP/blocklist updates broken on trunk
Categories
(Core :: Security, defect)
Status: RESOLVED FIXED
Release | Tracking | Status |
---|---|---|
firefox40 | --- | unaffected |
firefox41 | --- | unaffected |
firefox42 | --- | affected |
firefox-esr38 | --- | unaffected |
People
(Reporter: RyanVM, Assigned: coop)
Attachments
(2 files)
5.32 KB, patch | nthomas: review+ | coop: checkin+
1.57 KB, patch | nthomas: review+ | coop: checkin+
Looks like GTK3 fallout?

http://people.mozilla.org/~coop/hsts_failures/central-failure-july25.log

INFO: Generating new HSTS preload list...
INFO: Running "LD_LIBRARY_PATH=. ./xpcshell /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js /builds/slave/m-cen-l64-periodicupdate-00000/"
./xpcshell: error while loading shared libraries: libcairo-gobject.so.2: cannot open shared object file: No such file or directory
Flags: needinfo?(mh+mozilla)
Comment 1•9 years ago
The environment running this job obviously doesn't have gtk3 installed.
Flags: needinfo?(mh+mozilla)
Reporter
Comment 2•9 years ago
Thanks for the helpful reply. Any ideas who might be able to assist in getting this security process unbroken?
Flags: needinfo?(coop)
Assignee
Comment 3•9 years ago
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #2)
> Thanks for the helpful reply. Any ideas who might be able to assist in
> getting this security process unbroken?

Well, it's probably going to be me.
Assignee: nobody → coop
Flags: needinfo?(coop)
Assignee
Comment 4•9 years ago
I mucked around with this on a dev slave and managed to get it working. Since we only need xpcshell and not a fully functional browser context, I was able to download the gtk3 tarball via tooltool and then get the periodic_update script working by setting the LD_LIBRARY_PATH. Should have a patch tomorrow, and I can always run it by hand if we need the in-tree updates sooner.
Assignee
Updated•9 years ago
Status: NEW → ASSIGNED
Assignee
Comment 5•9 years ago
xpcshell requires gtk3 now, so we download it via tooltool and then set the LD_LIBRARY_PATH.
Attachment #8640779 - Flags: review?(nthomas)
Assignee
Comment 6•9 years ago
We inherit the env so we can make use of TOOLTOOL_CACHE.
Attachment #8640783 - Flags: review?(nthomas)
Assignee
Comment 7•9 years ago
Here's the job output from these changes running in dry-run mode (-n) in staging. The script returns 2 in dry-run mode if there are updates, which is why it's marked as failed.

http://dev-master2.bb.releng.use1.mozilla.com:8044/builders/Linux%20x86-64%20mozilla-central%20periodic%20file%20update/builds/0
Updated•9 years ago
Attachment #8640779 - Flags: review?(nthomas) → review+
Updated•9 years ago
Attachment #8640783 - Flags: review?(nthomas) → review+
Assignee
Comment 8•9 years ago
Comment on attachment 8640783
[buildbotcustom] Set the env for periodic file update jobs.

Review of attachment 8640783:
-----------------------------------------------------------------
https://hg.mozilla.org/build/buildbotcustom/rev/dc0535892866
Attachment #8640783 - Flags: checkin+
Assignee
Comment 9•9 years ago
Comment on attachment 8640779
[tools] Download gtk3 for periodic update script

Review of attachment 8640779:
-----------------------------------------------------------------
https://hg.mozilla.org/build/tools/rev/7a9a79f809aa
Attachment #8640779 - Flags: checkin+
Assignee
Comment 10•9 years ago
In production: https://hg.mozilla.org/build/buildbotcustom/rev/dc0535892866
Assignee
Comment 11•9 years ago
I kicked off a build and it succeeded. Here's the treeherder job triggered by the updates: https://treeherder.mozilla.org/#/jobs?repo=mozilla-central&revision=23e525e2ba35
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
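
The failure in the original report (xpcshell aborting on a missing libcairo-gobject.so.2) can be caught before the update scripts run. The following is an added example, not code from this bug's patches or from the build tools repository: a shell preflight that flags unresolved shared libraries in `ldd` output. The function names, the library directory path and both sample `ldd` outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: dependency preflight for a binary an unattended job relies on.
# Both sample ldd outputs are constructed, not captured from a build slave.

SAMPLE_BROKEN='	linux-vdso.so.1 (0x00007ffc0a1f2000)
	libcairo-gobject.so.2 => not found
	libc.so.6 => /lib64/libc.so.6 (0x00007f3b5c000000)'

SAMPLE_FIXED='	linux-vdso.so.1 (0x00007ffc0a1f2000)
	libcairo-gobject.so.2 => /tmp/example-gtk3/lib/libcairo-gobject.so.2 (0x00007f3b5d400000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f3b5c000000)'

# missing_libs: read ldd output on stdin and print each library name the
# dynamic loader could not resolve, one per line.
missing_libs() {
    awk '/=> not found/ { print $1 }'
}

# preflight BIN LIBDIR (hypothetical helper): run ldd on BIN with LIBDIR
# prepended to LD_LIBRARY_PATH, the same way the job would launch it.
# Returns 0 if every dependency resolves, 1 if any is missing (names go to
# stderr), 2 if ldd cannot inspect BIN at all.
preflight() {
    pf_bin=$1
    pf_libdir=$2
    pf_out=$(LD_LIBRARY_PATH="$pf_libdir${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" \
        ldd "$pf_bin" 2>/dev/null) || return 2
    pf_missing=$(printf '%s\n' "$pf_out" | missing_libs)
    [ -z "$pf_missing" ] && return 0
    # Unquoted on purpose: one "unresolved:" line per library name.
    printf 'unresolved: %s\n' $pf_missing >&2
    return 1
}

# Demo on the constructed sample: prints the one unresolved library.
printf '%s\n' "$SAMPLE_BROKEN" | missing_libs
```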