Closed
Bug 1271440
Opened 9 years ago
Closed 9 years ago
Allow the shared engineering automation signing key to sign experiment addons
Categories
(addons.mozilla.org :: Security, defect)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: kats, Unassigned)
Details
In order to deploy a telemetry experiment [1], the experiment addon needs to be signed. We have an existing setup to sign addons for automation [2] using a shared engineering key. What I would like is for this shared engineering key to be usable to also sign experiment addons - currently it does not have permission to do so. (At least it didn't back in February when I tried [3]).
After talking with :andym on IRC he suggested I file a bug to get this access, assuming bsmedberg approves it. (ni to :bsmedberg for this). If this shared key doesn't get permission to sign experiment addons, then the signing step is basically not automatable, because either we need to post the XPI somewhere and ask somebody to sign it, or we need to file a bug and get individual permission to sign the XPI. Both of these are annoying and add overhead to the telemetry experiment process which is intended to be lightweight.
[1] https://wiki.mozilla.org/Telemetry/Experiments
[2] https://wiki.mozilla.org/EngineeringProductivity/HowTo/SignExtensions
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1251052#c26
Flags: needinfo?(benjamin)
Comment 1•9 years ago
I'm going to turn this question back on Andy. Ideally what I'd like is for anyone with level 3 hg access to be able to sign these addons, but not necessarily anyone with LDAP/mana. I don't know whether that's possible.
Flags: needinfo?(benjamin) → needinfo?(amckay)
Comment 2•9 years ago
It's possible, assuming there is an API or other method to allow AMO to query the mercurial servers (or whatever maintains the list of L3 users) and try to connect the authenticated Firefox Account (what we use for authentication on AMO) and return that information. Of course if Firefox Accounts already has implemented this for us and we can just use it... that's easy.
I would question if that is worth it, because telemetry experiment signing is rare (at the moment) and in the past such systems are fragile and require lots of maintenance for a limited number of users.
That would require exploration and developer time to do and might be out of the time scope that Kartikaya has for completing their work.
Flags: needinfo?(amckay)
Comment 3•9 years ago (Reporter)
While it would be nice to get this done sooner rather than later, I'm not strictly speaking blocked on this. I think it would be worth doing even if it doesn't happen right away.
Comment 4•9 years ago
I chatted to bsmedberg about this and we agreed for the moment just to give you access, Kartikaya. Could you tell me what Firefox Account you sign into addons.mozilla.org with?
Flags: needinfo?(bugmail.mozilla)
Comment 5•9 years ago (Reporter)
I use kgupta@m.c - however, giving me access doesn't really solve the wider problem, so I hope you won't consider this bug fixed at that point.
Flags: needinfo?(bugmail.mozilla)
Comment 6•9 years ago
(In reply to Kartikaya Gupta (email:kats@mozilla.com) from comment #5)
> I use kgupta@m.c - however, giving me access doesn't really solve the wider
> problem, so I hope you won't consider this bug fixed at that point.
Sorry for the delay. You should now have permissions. You might be the first person to do this, so if it works please let me know.
I don't know what the solution for this bug is because the proposed solutions (using the mana account or the level 3 hg access) are not acceptable to either party. If you think this bug should be moved forward, then you might want to move to another module or do something else with it.
Comment 7•9 years ago (Reporter)
Ok, if we've decided that we definitely *don't* want that, it probably makes sense to close this bug. If I think of some other approach that makes sense I'll file another bug for it.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX