Closed Bug 1216242 Opened 10 years ago Closed 6 years ago

Decommission Security Assurance bugzilla product

Categories

(Security Assurance :: General, task)

x86_64
Linux
task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: gene, Assigned: gene)


Steps
* Work with the fuzzing team to move their reviews from Security Assurance:Review Request to somewhere else
* Have the project kickoff form ( https://bugzilla.mozilla.org/form.moz-project-review ) use a different product/component
* Rename or Delete Security Assurance product
Emailed :abillings, :gkw and :decoder

Hi fellow users of the Security Assurance bugzilla product,

Currently the fuzzing team creates and works tickets in the "Security Assurance : Review Request" bugzilla product/component area. The project kickoff form ( https://bugzilla.mozilla.org/form.moz-project-review ) also submits tickets into this queue.

The Security Assurance team stopped existing a few years ago. We (Enterprise Information Security) would like to decommission the "Security Assurance" bugzilla product because it frequently confuses users and security issues get filed in this product and ignored since nobody other than your team works in this product.

Does the fuzzing team have a Bugzilla product that you work in that a component could be added to for your reviews?

-Gene
:jeff, where do you think we should have the project kickoff form changed to submit things to instead of Security Assurance : Review Request? You can see examples here : https://bugzilla.mozilla.org/buglist.cgi?order=Bug%20Number&list_id=12622293&short_desc=Security%20Review%3A%20&resolution=---&query_format=advanced&short_desc_type=casesubstring&component=Security%20Assurance%3A%20Review%20Request&product=mozilla.org
Flags: needinfo?(jbryner)
Enterprise Information Security has the same component
Flags: needinfo?(jbryner)
Depends on: 1216320
I got no response from the fuzzing team and emailed them a second time.
Depends on: 1221676
I got the details from the fuzzing team on the new bugzilla product they want and have requested it in Bug 1221676. Once that's created, either the existing tickets in Security Assurance will need to be moved into their queue or the whole product needs to move to Graveyard.

:jeff What do you think we should do with the existing review tickets? https://bugzilla.mozilla.org/buglist.cgi?list_id=12658422&query_format=advanced&component=Security%20Assurance%3A%20Review%20Request&product=mozilla.org

Just move the whole product to Bugzilla graveyard? https://wiki.mozilla.org/BMO/RetiringComponents#Moving_a_component_into_the_Graveyard

Or separate out the fuzzing team's tickets and the old security review tickets and move them into their new respective products?
Flags: needinfo?(jbryner)
If they can move them into 'core' as Al suggested that seems like the best? Are we on the hook for that or the fuzzing team?
Flags: needinfo?(jbryner)
I've opened the ticket to request creation of a new component under Core for the fuzzing team. If they wanted to move their old tickets to their new queue it would be something they or the bugzilla team would need to do. What do you think we should do with the *non-fuzzing-team* tickets? Graveyard? Migrate to EIS : Review?
Jeff, what do you think we should do with the *non-fuzzing-team* tickets in Security Assurance? Graveyard? Migrate to EIS : Review?
Flags: needinfo?(jbryner)
Do they need to graveyard to remove the component? If they are fixed things and they need to stay somewhere for history, then I guess I'd say graveyard them. If there are unresolved things, I'd err on the side of resolve/invalid and prompt the submitter for a resubmit if it still needs to be attended to.
Flags: needinfo?(jbryner)
The moz-project-review form was updated (long ago) to no longer use security assurance: https://github.com/mozilla-bteam/bmo/commit/d1b6f1d78bdcde363cbcc80c4e589742819a4e24

It looks like there's still some code which creates a bug in security assurance: https://github.com/mozilla-bteam/bmo/blob/badbd773911cfa713f20813ead0f0c005fd41fe0/extensions/BMO/Extension.pm#L1855-L1959

But it looks like a code path that isn't exercised.
I've emailed reporters and assignees of bugs in the Security Assurance bugzilla product (that still work here) asking them their preference on what to do with the existing open bugs.
Talked to the folks and they'd like to revisit this in April. I've set up a calendar item to come back to this.

---------- Forwarded message ----------
From: Daniel Veditz
Date: Thu, Mar 16, 2017 at 4:48 PM
Subject: Re: Security Assurance github product

Let's do that (come back in April), after Paul and I get a chance to talk about what we need to keep going forward and where we want to put it. I'm sure it won't be "mozilla.org", but it's unclear whether it will fit in the existing Core / Firefox products or if we need something else. Looking at the mix of bugs in there I'm fairly sure we'll want to move individual bugs rather than rename the existing components wholesale.

-Dan Veditz
:dveditz, Now that Q1 is finished, did you and Paul get a chance to talk about how you want to proceed? And for context, I'm not trying to nag, just want to prevent people from opening operational security bugs in an area where we won't see them.
Flags: needinfo?(dveditz)
Filed bug 1355659 to get a new component for the bits we want to keep as part of the new Platform Integrity Security team. When that's been created we can move the bugs that are still valid and then graveyard the rest. There are a bunch of still-active "SecMap" bugs. Those should be moved elsewhere as appropriate: to the Enterprise Information Security product, Cloud Security, Release Engineering or Firefox build/config components, etc.
Flags: needinfo?(dveditz)
Depends on: 1533850

Looks like we're good now and these components can be disabled. I've requested it in Bug 1533850

:dveditz
I've had the bug component disabled so no new bugs can come in. There remain 175 bugs open in the component. If you'd like those graveyarded, feel free to request it from :dkl; otherwise they'll just stay as they are.

Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED