Closed Bug 1435609 Opened 2 years ago Closed 2 years ago

Stop sending cert blocklist items as part of blocklist.xml / kinto-blocklist / etc.

Categories: Toolkit :: Blocklist Policy Requests, enhancement

Status: RESOLVED FIXED

Tracking Status: firefox60 --- affected

People: Reporter: Gijs, Assigned: Gijs

References: Blocks 1 open bug

Details

In bug 1359428, the blocklist code was updated to remove importing of certItems, because we now use OneCRL. We had been using OneCRL for a while, but there was a pref to switch back to the blocklist-based code which was removed there.

However, all the certItems are still sent, and make up approximately half the total size of the blocklist.

Because we can't be sure if enterprises using 52 or earlier have flipped the pref, I'm guessing we need to keep the items for 57 and below.

In this bug (and/or corresponding github entry) I intend to change the server-side to stop sending these items for 58+, based on the app ID and version in the URI of the request.

In ESR, security.onecrl.via.amo defaults to false. I think the probability of anyone having touched this pref is close to zero. My suggestion is that we just get rid of these entries for all versions.

(In reply to Mark Goodwin [:mgoodwin] from comment #1)
> In ESR, security.onecrl.via.amo defaults to false. I think the probability
> of anyone having touched this pref is close to zero. My suggestion is that
> we just get rid of these entries for all versions.

Fantastic. I think this is something Andreas or someone else with the right powers over our DBs can do? Andreas, is that right? Does anyone else need to sign off on that?
Flags: needinfo?(awagner)
Summary: Stop sending cert blocklist items to Firefox 58+ → Stop sending cert blocklist items as part of blocklist.xml / kinto-blocklist / etc.

I started the query. Due to the lack of indexation, it will take about a week until I have the results. Keeping NI so I don't forget.

Sorry, scratch that, I misunderstood the ask.
Flags: needinfo?(awagner)

(In reply to Andreas Wagner [:TheOne] [use NI] from comment #3)
> I started the query. Due to the lack of indexation, it will take about a
> week until I have the results. Keeping NI so I don't forget.

OK, so per IRC: I'm *not* asking to see how many add-ons touch this pref.

I would like to remove all the certificate items from the kinto-based blocklist.xml. If it's possible to do so by disabling them (rather than removing from the DB) that is probably preferable, but the desired outcome of this bug is that the `<certItems>` block in the blocklist's XML output is either empty or disappears completely. Andreas requested forwarding this to Jorge.
Flags: needinfo?(jorge)

(In reply to :Gijs from comment #5)
> (In reply to Andreas Wagner [:TheOne] [use NI] from comment #3)
> > I started the query. Due to the lack of indexation, it will take about a
> > week until I have the results. Keeping NI so I don't forget.
> 
> OK, so per IRC: I'm *not* asking to see how many add-ons touch this pref.
> 
> I would like to remove all the certificate items from the kinto-based
> blocklist.xml. If it's possible to do so by disabling them (rather than
> removing from the DB) that is probably preferable, but the desired outcome
> of this bug is that the `<certItems>` block in the blocklist's XML output is
> either empty or disappears completely. Andreas requested forwarding this to
> Jorge.

... all of this on the assumption that we can kill these items in a way that removes them from blocklist.xml but not from OneCRL. Mark, how does this work server-side - do they share a db or not? :-)
Flags: needinfo?(mgoodwin)

If that's what you want, I guess the best way is to disable it inside the kinto-amo plugin: https://github.com/mozilla-services/kinto-amo/

Because the database of the XML file is shared with the current OneCRL one.
Flags: needinfo?(jorge)
Flags: needinfo?(mgoodwin)
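The approach discussed in the thread (filter the `<certItems>` block out of the served XML instead of deleting rows from the database that OneCRL shares), as an added illustration that is not kinto-amo's or amo2kinto's own code. The abbreviated blocklist sample, the request-path regex and the function names are constructed assumptions; the `cutoff` parameter shows both the per-version gate first proposed in comment 0 and the drop-for-all-versions outcome the bug settled on.

```python
import re
import xml.etree.ElementTree as ET

NS = "http://www.mozilla.org/2006/addons-blocklist"
ET.register_namespace("", NS)  # keep the default namespace on re-serialisation

# Constructed, abbreviated blocklist.xml response; not real blocklist data.
SAMPLE_BLOCKLIST = """<?xml version="1.0"?>
<blocklist xmlns="http://www.mozilla.org/2006/addons-blocklist">
  <emItems><emItem blockID="i1" id="example@addon.test"/></emItems>
  <certItems>
    <certItem issuerName="MIGQMQswCQYDVQQGEwJHQg=="><serialNumber>AQ==</serialNumber></certItem>
  </certItems>
</blocklist>
"""

# Request path shape seen on this page: /v1/blocklist/<api>/<app-id>/<app-version>/
_PATH_RE = re.compile(r"^/v1/blocklist/(\d+)/([^/]+)/([^/]+)/?$")

def include_cert_items(app_version, cutoff=None):
    """cutoff=None: never send certItems (the outcome chosen in this bug).
    cutoff=58: the version gate first proposed, send only to majors below 58."""
    if cutoff is None:
        return False
    try:
        major = int(app_version.split(".")[0])
    except ValueError:
        return False  # unparseable version: treat as current, no certItems
    return major < cutoff

def strip_cert_items(xml_text):
    """Drop the <certItems> block from the serialised XML only; the shared
    OneCRL records in the database are not touched."""
    root = ET.fromstring(xml_text)
    for node in root.findall(f"{{{NS}}}certItems"):
        root.remove(node)
    return ET.tostring(root, encoding="unicode")

def render_blocklist(xml_text, request_path, cutoff=None):
    """Filter one response, as a kinto-amo style output hook would."""
    m = _PATH_RE.match(request_path)
    if m is None:
        raise ValueError("not a blocklist request path")
    app_version = m.group(3)  # group 2 is the URL-encoded app id
    if include_cert_items(app_version, cutoff):
        return xml_text
    return strip_cert_items(xml_text)
```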

https://github.com/mozilla-services/kinto-amo/pull/23 and https://github.com/mozilla-services/amo2kinto/pull/75 have both landed. This is now only waiting on kinto-dist being updated on the production blocklist service.

This has all landed and is fixed on stage (compare https://settings.stage.mozaws.net/v1/blocklist/3/%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/46.0/ vs. https://settings.stage.mozaws.net/v1/blocklist/3/%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/58.0/)
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED