Closed Bug 1384024 Opened 2 years ago Closed 2 years ago

Google API key missing from try OS X 10.10 opt build

Categories

(Firefox Build System :: General, enhancement)

Tracking

(firefox56 fixed)

RESOLVED FIXED
mozilla56
Tracking Status
firefox56 --- fixed

People

(Reporter: tnguyen, Assigned: francois)

Details

(Whiteboard: [google-api-safe-browsing])

Attachments

(1 file)

The key shows "try-build-has-no-secrets" and will break Google Safe Browsing updates.
Summary: Google API key missing from OS X 10.10 opt build → Google API key missing from try OS X 10.10 opt build
Assignee: nobody → francois
Status: NEW → ASSIGNED
Comment on attachment 8890108 [details]
Bug 1384024 - Make Google API key available on Try for artifact and Mac cross builds.

https://reviewboard.mozilla.org/r/161192/#review166584

::: testing/mozharness/configs/builds/releng_base_mac_64_cross_builds.py:26
(Diff revision 1)
>      # decides whether we want to use moz_sign_cmd in env
>      'enable_signing': True,
>      'secret_files': [
>          {'filename': '/builds/gapi.data',
>           'secret_name': 'project/releng/gecko/build/level-%(scm-level)s/gapi.data',
> -         'min_scm_level': 2, 'default': 'try-build-has-no-secrets'},
> +         'min_scm_level': 1},
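
Review bot: on the changed `min_scm_level` line, dropping `'default': 'try-build-has-no-secrets'` removes the only fallback value in this entry, and the hunk does not show what a task does when the secret fetch fails, so please confirm that a missing secret gives a clear error rather than an empty key file. Because `secret_name` expands `%(scm-level)s`, lowering the threshold to 1 only works if a secret already exists at the level-1 path, which should be verified before landing. A short comment beside the entry stating that the key is intentionally readable by level-1 tasks would also record why the threshold was lowered.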

This alone won't do it -- the secret will also need to be made available to level-1 builds.  And there's the rub: this API key is intended to be available to trusted developers - those with level-2 or level-3 access.

If that has changed, then we should just check the API key into the tree and dispense with the secret-fetching -- but such a change is above my pay grade.

It's worth noting that this is not just artifact and cross-compile builds -- the API key is not available to any tasks from level-1 repos.
Attachment #8890108 - Flags: review?(dustin) → review-
(In reply to Dustin J. Mitchell [:dustin] from comment #3)
> This alone won't do it -- the secret will also need to be made available to
> level-1 builds.

Is it not already available on level-1 builds?

I simply copied the config we use on linux64 and linux32 already:

https://searchfox.org/mozilla-central/rev/8a61c71153a79cda2e1ae7d477564347c607cc5f/testing/mozharness/configs/builds/releng_base_linux_32_builds.py#49
https://searchfox.org/mozilla-central/rev/8a61c71153a79cda2e1ae7d477564347c607cc5f/testing/mozharness/configs/builds/releng_base_linux_64_builds.py#48

(This was added in bug 1330253.)
Flags: needinfo?(dustin)
Hm, someone added it for level 1.  Any idea who that was?  There's no point having a secret that everyone has access to, so at this point we should just put the key in-tree.
Flags: needinfo?(dustin)
Comment on attachment 8890108 [details]
Bug 1384024 - Make Google API key available on Try for artifact and Mac cross builds.

https://reviewboard.mozilla.org/r/161192/#review166584

> This alone won't do it -- the secret will also need to be made available to level-1 builds.  And there's the rub: this API key is intended to be available to trusted developers - those with level-2 or level-3 access.
> 
> If that has changed, then we should just check the API key into the tree and dispense with the secret-fetching -- but such a change is above my pay grade.
> 
> It's worth noting that this is not just artifact and cross-compile builds -- the API key is not available to any tasks from level-1 repos.

Wow, I'm sorry, I totally spaced out.  We talked about this a month ago, and I added that secret.  So this is fine in that the API key isn't really "hidden" per se (it's easy to extract from the binary) but putting it in the source code would be failing to pretend to protect it.
Comment on attachment 8890108 [details]
Bug 1384024 - Make Google API key available on Try for artifact and Mac cross builds.

https://reviewboard.mozilla.org/r/161192/#review166862
Attachment #8890108 - Flags: review- → review+
Pushed by fmarier@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a6bd93dfdbd8
Make Google API key available on Try for artifact and Mac cross builds. r=dustin
https://hg.mozilla.org/mozilla-central/rev/a6bd93dfdbd8
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
Whiteboard: [google-api-safe-browsing]
Product: Core → Firefox Build System