Closed Bug 1285871 (kinto-dist-0.6.0-stage) Opened 5 years ago Closed 5 years ago
Please deploy kinto-dist 0.6.0 release to kinto-settings STAGE
The major interest in this feature is to prevent the CDN from reusing previous signatures (replay attacks). See https://github.com/Kinto/kinto-signer/pull/92
@chartjes: The script to validate the new form of signature is here: https://github.com/Kinto/kinto-signer/blob/0.7.0/scripts/validate_signature.py
The package build failed because the "pyldap" module could not be compiled. This appears to be a new element introduced in 0.6.0.
02:05:18 < phrawzty> natim: pyldap. is that a new dep for 0.6.0 ?
02:14:55 < natim> phrawzty: Oh that's because kinto-dist comes with kinto-ldap
02:15:18 < natim> phrawzty: we won't enable it right away
02:15:35 < natim> But we can add the dependencies to be able to install it
02:15:44 < natim> See https://github.com/Kinto/kinto-ldap#dependencies
02:16:15 < phrawzty> natim: To be clear, are you currently using the kinto-ldap module ?
02:17:07 < natim> What do you mean by currently?
02:17:10 < natim> Currently we are not
02:17:20 < natim> But that's something we want to deploy yes
The installation instructions at the provided URL assume a Debian-based target. Currently investigating CentOS options.
Dependencies were identified and appropriate modifications were made to the build script. Kinto-dist 0.6.0 has been deployed to Stage for both Kinto and Kinto-Writer.  https://github.com/mozilla-services/svcops/pull/1139
Great, thanks Dan. I ran the validate_signature script and it seems to work:
On commit 34175ee37d2951579bd22e59e79b8c9ff5c644e2
~/mozilla/kinto-signer/scripts$ python validate_signature.py
Signature OK
We need to wait for Mark's patch to land in mozilla-central before going with this change in production.
In the meantime, Chris we can do some more QA if you'd like.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Ok mgoodwin told me we just need Bug 1285871 to land (there is already a r+ on it)
We are talking about Bug 1280877.
=======================
POST-DEPLOYMENT TESTING
=======================
* verified that 'QA cert' in staging contained expected values by looking at https://kinto.stage.mozaws.net/v1/buckets/blocklists/collections/certificates/records
* updated 'QA cert' using https://addons.allizom.org/en-US/admin/models/blocklist/blocklistissuercert/ and changed the issuer and serial number
* requested that :phrawzty activate the xml2kinto job to move the blocklist details into Kinto
* verified that 'QA cert' in staging contained newly updated values by https://kinto.stage.mozaws.net/v1/buckets/staging/collections/certificates/records
* verified that 'QA cert' is also correctly updated at https://kinto.stage.mozaws.net/v1/buckets/blocklists/collections/certificates/records
* no indication that the updated certificates have not been correctly signed. No certificates with the status of waiting to be signed.
* validation script provided as part of Kinto/kinto-signer indicates all signatures are correct
QA approves the deployment to staging and gives permission for deployment to production of kinto-dist 0.6.0