Closed Bug 1285871 (kinto-dist-0.6.0-stage) Opened 5 years ago Closed 5 years ago

Please deploy kinto-dist 0.6.0 release to kinto-settings STAGE


(Cloud Services :: Operations: Deployment Requests - DEPRECATED, task)

(Reporter: rhubscher, Assigned: dmaher)



The major interest in this feature is to prevent the CDN from reusing previous signatures (replay attacks).

@chartjes: The script to validate the new form of signature is here:

The package build failed because the "pyldap" module could not be compiled. This appears to be a new element introduced in 0.6.0.

02:05:18 < phrawzty> natim: pyldap. is that a new dep for 0.6.0 ?
02:14:55 < natim> phrawzty: Oh that's because kinto-dist comes with kinto-ldap
02:15:18 < natim> phrawzty: we won't enable it right away
02:15:35 < natim> But we can add the dependencies to be able to install it
02:15:44 < natim> See
02:16:15 < phrawzty> natim: To be clear, are you currently using the kinto-ldap module?
02:17:07 < natim> What do you mean by currently?
02:17:10 < natim> Currently we are not
02:17:20 < natim> But that's something we want to deploy yes

The installation instructions at the provided URL assume a Debian-based target.  Currently investigating CentOS options.
Dependencies were identified and appropriate modifications were made to the build script[0].

Kinto-dist 0.6.0 has been deployed to Stage for both Kinto and Kinto-Writer.

Great, thanks Dan. I ran the validate_signature script and it seems to work:

On commit 34175ee37d2951579bd22e59e79b8c9ff5c644e2
~/mozilla/kinto-signer/scripts$ python 
Signature OK

We need to wait for Mark's patch to land in mozilla-central before going with this change in production.
Flags: needinfo?(mgoodwin)
In the meantime, Chris, we can do some more QA if you'd like.
Closed: 5 years ago
Resolution: --- → FIXED
Ok, mgoodwin told me we just need Bug 1285871 to land (there is already an r+ on it).
Flags: needinfo?(mgoodwin)
We are talking about Bug 1280877.
Depends on: 1280877

* verified that 'QA cert' in staging contained expected values by looking at
* updated 'QA cert' using and changed the issuer and serial number
* requested that :phrawzty activate the xml2kinto job to move the blocklist details into Kinto
* verified that 'QA cert' in staging contained newly updated values by
* verified that 'QA cert' is also correctly updated at
* no indication that the updated certificates have not been correctly signed. No certificates with the status of waiting to be signed.
* validation script provided as part of Kinto/kinto-signer indicates all signatures are correct

QA approves the deployment to staging and gives permission for deployment to production of kinto-dist 0.6.0