Closed Bug 1187966 Opened 9 years ago Closed 9 years ago

Automated HSTS/HPKP/blocklist updates broken on trunk

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox40 --- unaffected
firefox41 --- unaffected
firefox42 --- affected
firefox-esr38 --- unaffected

People

(Reporter: RyanVM, Assigned: coop)

Details

Attachments

(2 files)

[tools] Download gtk3 for periodic update script
5.32 KB, patch
nthomas
: review+
coop
: checkin+
Details | Diff | Splinter Review
[buildbotcustom] Set the env for periodic file update jobs.
1.57 KB, patch
nthomas
: review+
coop
: checkin+
Details | Diff | Splinter Review 
Looks like GTK3 fallout?

http://people.mozilla.org/~coop/hsts_failures/central-failure-july25.log

INFO: Generating new HSTS preload list...
INFO: Running "LD_LIBRARY_PATH=. ./xpcshell /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js /builds/slave/m-cen-l64-periodicupdate-00000/"
./xpcshell: error while loading shared libraries: libcairo-gobject.so.2: cannot open shared object file: No such file or directory
Flags: needinfo?(mh+mozilla)
The environment running this job obviously doesn't have gtk3 installed.
Flags: needinfo?(mh+mozilla)
Thanks for the helpful reply. Any ideas who might be able to assist in getting this security process unbroken?
Flags: needinfo?(coop)
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #2)
> Thanks for the helpful reply. Any ideas who might be able to assist in
> getting this security process unbroken?

Well, it's probably going to be me.
Assignee: nobody → coop
Flags: needinfo?(coop)
I mucked around with this on a dev slave and managed to get it working. Since we only need xpcshell and not a fully functional browser context, I was able to download the gtk3 tarball via tooltool and then get the periodic_update script working by setting the LD_LIBRARY_PATH.

Should have a patch tomorrow, and I can always run it by hand if we need the in-tree updates sooner.
Status: NEW → ASSIGNED
xpcshell requires gtk3 now, so we download it via tooltool and then set the LD_LIBRARY_PATH.
Attachment #8640779 - Flags: review?(nthomas)
We inherit the env so we can make use of TOOLTOOL_CACHE.
Attachment #8640783 - Flags: review?(nthomas)
Here's the job output from these changes running in dry-run mode (-n) in staging. The script returns 2 in dry-run mode if there are updates which is why it's marked as failed.

http://dev-master2.bb.releng.use1.mozilla.com:8044/builders/Linux%20x86-64%20mozilla-central%20periodic%20file%20update/builds/0
Attachment #8640779 - Flags: review?(nthomas) → review+
Attachment #8640783 - Flags: review?(nthomas) → review+
Comment on attachment 8640783 [details] [diff] [review]
[buildbotcustom] Set the env for periodic file update jobs.

Review of attachment 8640783 [details] [diff] [review]:
-----------------------------------------------------------------

https://hg.mozilla.org/build/buildbotcustom/rev/dc0535892866
Attachment #8640783 - Flags: checkin+
Comment on attachment 8640779 [details] [diff] [review]
[tools] Download gtk3 for periodic update script

Review of attachment 8640779 [details] [diff] [review]:
-----------------------------------------------------------------

https://hg.mozilla.org/build/tools/rev/7a9a79f809aa
Attachment #8640779 - Flags: checkin+
I kicked off a build and it succeeded. Here's the treeherder job triggered by the updates:

https://treeherder.mozilla.org/#/jobs?repo=mozilla-central&revision=23e525e2ba35
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: