Currently, anyone with the right permission can make a change to Balrog. This means that if someone's account is compromised (particularly someone with admin permissions), they can affect updates. We want to mitigate this by requiring dual sign off for some types of changes to Balrog.

The exact scope of what should require dual sign off is undecided, but it could be any of:
- Dual sign off for any change done by a human
- Dual sign off for any change for certain product+channel combinations (e.g.: Firefox, release)
- Dual sign off for all changes, period.
- Something else.

Implementation is to be determined, but it could tie into some existing or other desired work, including:
- Can/should we implement dual sign off as a special type of Scheduled Change?
- Should we think about implementing a rule change sandbox at the same time? (https://bugzilla.mozilla.org/show_bug.cgi?id=1141801)
- Should we think about introducing sets of rule changes at the same time? Possibly related to the sandbox.

I don't want this to spiral out of control into a panacea, but at least thinking about how dual sign off may fit into the above is worthwhile to avoid boxing ourselves in.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1278974