Follow on to Bug 1328718: Per the SHA-1 Shutoff Plan, we're going to update the system addon's Beta-channel test threshold to 50% for this coming week. The goal would be to include this into Beta 5, so that it lands on 8 February 2017.
Oops, dangling reference: https://wiki.mozilla.org/Security/CryptoEngineering/SHA-1
For those following along: The shut-off is in effect in Beta 3, released today (Friday 3 Feb), and initial telemetry suggests it's working fine. (As of this writing, 28889 beta installations reported the add-on as executing, and 2957 flipped their preference.) Telemetry at telemetry.mozilla.org hasn't picked up data from today, but we'll look at that before this lands next Wednesday. https://gist.github.com/jcjones/a73789205b007a57123740776761c50b
Created attachment 8833546 [details] [diff] [review] 1336616-disable-sha1-beta-50pct.diff
Going by bug 1312528, the process is maybe supposed to go like so:
* get r+ on a patch against the add-on as it is (or would be) in the tree
* create an xpi
* get the xpi signed
* QA the xpi
* get approval to land
* land
Comment on attachment 8833546 [details] [diff] [review] 1336616-disable-sha1-beta-50pct.diff
Review of attachment 8833546 [details] [diff] [review]:
LGTM
Created attachment 8833553 [details] disableSHA1rollout.xpi This is the add-on created from the updated bootstrap.js and install.rdf (although note that I had to base that off the install.rdf that shipped in the add-on in mozilla-beta, since it's post-processed). Judging by bug 1312528 comment 13, Jason is the person to ask to sign an add-on.
Created attachment 8833995 [details] disableSHA1rollout.xpi signed Please see attached.
Thanks! Justin, if you could confirm attachment 8833995 [details] works as expected (it's supposed to disable SHA-1 50% of the time), that would be great. (Note that it looks like Firefox prevents installing the add-on update directly from bugzilla - I had to download it as a file and then open it to get it to work.)
Hey David, Everything looks good on this end.
security.pki.sha1_enforcement_level = 0, 1 (manually set) = Opt out
security.pki.sha1_enforcement_level = 3 = Test
security.pki.sha1_enforcement_level = 4 = Control
I never saw a disableSHA1.rollout.cohortSample less than .1 though
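To make the cohort mechanics discussed in this thread concrete (a per-profile sample compared against the rollout threshold, mapped onto the enforcement levels listed above), here is an added illustration. It is not the disableSHA1rollout add-on's own bootstrap.js: the preference names and level values are the ones named in the thread, while the in-memory prefs store, the deterministic PRNG used for the simulation and the function names are assumptions so the snippet runs stand-alone.

```javascript
// Illustrative cohort assignment for a preference-flipping staged rollout.
// Added example; not the disableSHA1rollout add-on's code.

// Preference names as they appear in the thread.
const SHA1_PREF = "security.pki.sha1_enforcement_level";
const COHORT_PREF = "disableSHA1.rollout.cohortSample";

// Level values as reported in the thread: 0 and 1 = manual opt-out,
// 3 = test (SHA-1 disabled), 4 = control.
const LEVEL_TEST = 3;
const LEVEL_CONTROL = 4;
const OPT_OUT_LEVELS = new Set([0, 1]);

// Assumption: an in-memory stand-in for the preferences service.
function makePrefs(initial = {}) {
  const store = new Map(Object.entries(initial));
  return {
    get: (key) => store.get(key),
    set: (key, value) => { store.set(key, value); },
  };
}

// Assign this profile to the test or control cohort for a given threshold.
// `random` is injectable so the decision can be tested deterministically.
function assignCohort(prefs, threshold, random = Math.random) {
  // A user who manually set 0 or 1 has opted out and is never touched.
  const current = prefs.get(SHA1_PREF);
  if (OPT_OUT_LEVELS.has(current)) {
    return { cohort: "opt-out", level: current };
  }

  // Draw the sample once and persist it. Raising the threshold on a later
  // run then only moves users from control into test, never the reverse,
  // and nobody churns between cohorts on each startup.
  let sample = prefs.get(COHORT_PREF);
  if (typeof sample !== "number") {
    sample = random();
    prefs.set(COHORT_PREF, sample);
  }

  const level = sample < threshold ? LEVEL_TEST : LEVEL_CONTROL;
  prefs.set(SHA1_PREF, level);
  return { cohort: level === LEVEL_TEST ? "test" : "control", level, sample };
}

// Assumption: small seeded PRNG (mulberry32) so simulations are repeatable.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Simulate `n` fresh profiles at a threshold and report the cohort split,
// which is the sanity check one would compare against telemetry.
function simulateRollout(n, threshold, seed = 1) {
  const random = mulberry32(seed);
  let test = 0;
  let control = 0;
  for (let i = 0; i < n; i++) {
    const r = assignCohort(makePrefs(), threshold, random);
    if (r.cohort === "test") test++; else control++;
  }
  return { test, control, fraction: test / n };
}

// Usage: simulateRollout(10000, 0.5) gives roughly half test, half control.
```

The check worth keeping in mind when reading the telemetry is the persistence step: because the sample is stored in its own preference, moving the threshold from an earlier value up to 50% enlarges the test cohort without reshuffling users who were already in it.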
Comment on attachment 8833546 [details] [diff] [review] 1336616-disable-sha1-beta-50pct.diff
I'm guessing we need to get a beta approval again, despite the gofaster goals, so that Friday's build doesn't drop the % down again.
Approval Request Comment
[Feature/Bug causing the regression]: SHA-1 deprecation staged rollout
[User impact if declined]: users won't be protected against potential collisions found against certificates signed with SHA-1
[Is this code covered by automated tests?]: n/a
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: already done
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: not very
[Why is the change risky/not risky?]: This is a staged rollout update to the code in Bug 1328718.
[String changes made/needed]: none
Comment on attachment 8833546 [details] [diff] [review] 1336616-disable-sha1-beta-50pct.diff disable sha1 for more users, beta52+