Closed
Bug 1384024
Opened 7 years ago
Closed 7 years ago
Google API key missing from try OS X 10.10 opt build
Categories
(Firefox Build System :: General, enhancement)
Tracking
(firefox56 fixed)
RESOLVED
FIXED
mozilla56
Tracking | Status | |
---|---|---|
firefox56 | --- | fixed |
People
(Reporter: tnguyen, Assigned: francois)
References
Details
(Whiteboard: [google-api-safe-browsing])
Attachments
(1 file)
The key shows "try-build-has-no-secrets" and will break Google Safe Browsing updates.
Reporter
Updated•7 years ago
Summary: Google API key missing from OS X 10.10 opt build → Google API key missing from try OS X 10.10 opt build
Assignee
Updated•7 years ago
Assignee: nobody → francois
Status: NEW → ASSIGNED
Assignee
Comment 1•7 years ago
The reason is that it's set to level 2 (Try is level 1) on Mac cross-builds:
https://searchfox.org/mozilla-central/rev/3a3af33f513071ea829debdfbc628caebcdf6996/testing/mozharness/configs/builds/releng_base_mac_64_cross_builds.py#26
It's also missing from artifact builds:
https://searchfox.org/mozilla-central/rev/3a3af33f513071ea829debdfbc628caebcdf6996/testing/mozharness/configs/builds/releng_sub_linux_configs/64_artifact.py#23
Comment hidden (mozreview-request)
Comment 3•7 years ago
mozreview-review
Comment on attachment 8890108 [details] Bug 1384024 - Make Google API key available on Try for artifact and Mac cross builds. https://reviewboard.mozilla.org/r/161192/#review166584 ::: testing/mozharness/configs/builds/releng_base_mac_64_cross_builds.py:26 (Diff revision 1) > # decides whether we want to use moz_sign_cmd in env > 'enable_signing': True, > 'secret_files': [ > {'filename': '/builds/gapi.data', > 'secret_name': 'project/releng/gecko/build/level-%(scm-level)s/gapi.data', > - 'min_scm_level': 2, 'default': 'try-build-has-no-secrets'}, > + 'min_scm_level': 1}, This alone won't do it -- the secret will also need to be made available to level-1 builds. And there's the rub: this API key is intended to be available to trusted developers - those with level-2 or level-3 access. If that has changed, then we should just check the API key into the tree and dispense with the secret-fetching -- but such a change is above my pay grade. It's worth noting that this is not just artifact and cross-compile builds -- the API key is not available to any tasks from level-1 repos.
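Review bot: on the changed `'min_scm_level'` line, the `'default': 'try-build-has-no-secrets'` fallback is removed in the same edit that lowers the level to 1, so a level-1 task now relies entirely on the secret named by `level-%(scm-level)s` existing and being readable at that level. Suggest confirming that the level-1 `gapi.data` secret is provisioned before this lands, and stating in the commit message that dropping the fallback is intentional, since the summary only mentions making the key available.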
Attachment #8890108 -
Flags: review?(dustin) → review-
Assignee
Comment 4•7 years ago
(In reply to Dustin J. Mitchell [:dustin] from comment #3)
> This alone won't do it -- the secret will also need to be made available to
> level-1 builds.
Is it not already available on level-1 builds? I simply copied the config we use on linux64 and linux32 already:
https://searchfox.org/mozilla-central/rev/8a61c71153a79cda2e1ae7d477564347c607cc5f/testing/mozharness/configs/builds/releng_base_linux_32_builds.py#49
https://searchfox.org/mozilla-central/rev/8a61c71153a79cda2e1ae7d477564347c607cc5f/testing/mozharness/configs/builds/releng_base_linux_64_builds.py#48
(This was added in bug 1330253.)
Flags: needinfo?(dustin)
Assignee
Comment 5•7 years ago
Try looks good:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=80b81070b9ec51064a74ae5bf55712197e49393d
https://treeherder.mozilla.org/#/jobs?repo=try&revision=f91a9c7dfd78a7fc4841bd97023cdec63eb48b8c
Comment 6•7 years ago
Hm, someone added it for level 1. Any idea who that was? There's no point having a secret that everyone has access to, so at this point we should just put the key in-tree.
Flags: needinfo?(dustin)
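The level gating debated in comments 3 to 6, as an added example that is not mozharness code or part of this bug: it models how a `secret_files` entry resolves at each SCM level before and after the patch. The gating semantics, the helper names `resolve_secret` and `audit`, and the in-memory secret stores are assumptions made for illustration.

```python
# Added example. Gating semantics are assumed from this thread, not taken
# from mozharness; resolve_secret/audit are hypothetical helper names.

def resolve_secret(entry, scm_level, secret_store):
    """Return (source, value) for one secret_files entry at an SCM level.

    source is 'secret', 'default', 'skipped' or 'missing'.
    secret_store is a dict standing in for the secrets service.
    """
    name = entry["secret_name"] % {"scm-level": scm_level}
    if scm_level < entry.get("min_scm_level", 0):
        # Below the threshold: fall back to the placeholder if one is set.
        if "default" in entry:
            return ("default", entry["default"])
        return ("skipped", None)
    if name not in secret_store:
        # Config allows the fetch, but no secret exists for this level.
        return ("missing", None)
    return ("secret", secret_store[name])


def audit(entry, secret_store, levels=(1, 2, 3)):
    """Map each SCM level to where its key material would come from."""
    return {lvl: resolve_secret(entry, lvl, secret_store)[0] for lvl in levels}


SECRET_NAME = "project/releng/gecko/build/level-%(scm-level)s/gapi.data"

# Entry as it stood before the patch quoted in comment 3.
BEFORE = {"filename": "/builds/gapi.data", "secret_name": SECRET_NAME,
          "min_scm_level": 2, "default": "try-build-has-no-secrets"}
# Entry after the patch.
AFTER = {"filename": "/builds/gapi.data", "secret_name": SECRET_NAME,
         "min_scm_level": 1}

# Constructed stores; the values are placeholders, not real keys.
STORE_L2_L3 = {SECRET_NAME % {"scm-level": l}: "PLACEHOLDER-KEY" for l in (2, 3)}
STORE_ALL = {SECRET_NAME % {"scm-level": l}: "PLACEHOLDER-KEY" for l in (1, 2, 3)}

if __name__ == "__main__":
    print("before:", audit(BEFORE, STORE_L2_L3))
    print("after, level-1 secret absent:", audit(AFTER, STORE_L2_L3))
    print("after, level-1 secret present:", audit(AFTER, STORE_ALL))
```

The middle case is the one raised in review: lowering `min_scm_level` only helps if a level-1 secret has also been provisioned.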
Comment 7•7 years ago
mozreview-review-reply
Comment on attachment 8890108 [details]
Bug 1384024 - Make Google API key available on Try for artifact and Mac cross builds.
https://reviewboard.mozilla.org/r/161192/#review166584
> This alone won't do it -- the secret will also need to be made available to level-1 builds. And there's the rub: this API key is intended to be available to trusted developers - those with level-2 or level-3 access.
>
> If that has changed, then we should just check the API key into the tree and dispense with the secret-fetching -- but such a change is above my pay grade.
>
> It's worth noting that this is not just artifact and cross-compile builds -- the API key is not available to any tasks from level-1 repos.
Wow, I'm sorry, I totally spaced out. We talked about this a month ago, and I added that secret. So this is fine in that the API key isn't really "hidden" per se (it's easy to extract from the binary) but putting it in the source code would be failing to pretend to protect it.
Comment 8•7 years ago
mozreview-review
Comment on attachment 8890108 [details]
Bug 1384024 - Make Google API key available on Try for artifact and Mac cross builds.
https://reviewboard.mozilla.org/r/161192/#review166862
Attachment #8890108 -
Flags: review- → review+
Pushed by fmarier@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a6bd93dfdbd8
Make Google API key available on Try for artifact and Mac cross builds. r=dustin
Comment 10•7 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/a6bd93dfdbd8
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox56:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
Updated•7 years ago
Whiteboard: [google-api-safe-browsing]
Updated•6 years ago
Product: Core → Firefox Build System