Closed
Bug 1435609
Opened 7 years ago
Closed 7 years ago
Stop sending cert blocklist items as part of blocklist.xml / kinto-blocklist / etc.
Categories
(Toolkit :: Blocklist Policy Requests, enhancement)
Toolkit
Blocklist Policy Requests
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| firefox60 | --- | affected |
People
(Reporter: Gijs, Assigned: Gijs)
References
Details
In bug 1359428, the blocklist code was updated to remove importing of certItems, because we now use OneCRL. We had been using OneCRL for a while, but there was a pref to switch back to the blocklist-based code which was removed there. However, all the certItems are still sent, and make up approximately half the total size of the blocklist. Because we can't be sure if enterprises using 52 or earlier have flipped the pref, I'm guessing we need to keep the items for 57 and below. In this bug (and/or corresponding github entry) I intend to change the server-side to stop sending these items for 58+, based on the app ID and version in the URI of the request.
|
||
Comment 1•7 years ago
|
||
In ESR, security.onecrl.via.amo defaults to false. I think the probability of anyone having touched this pref is close to zero. My suggestion is that we just get rid of these entries for all versions.
|
Assignee | |
Comment 2•7 years ago
|
||
(In reply to Mark Goodwin [:mgoodwin] from comment #1) > In ESR, security.onecrl.via.amo defaults to false. I think the probability > of anyone having touched this pref is close to zero. My suggestion is that > we just get rid of these entries for all versions. Fantastic. I think this is something Andreas or someone else with the right powers over our DBs can do? Andreas, is that right? Does anyone else need to sign off on that?
Flags: needinfo?(awagner)
|
|
Assignee | |
Updated•7 years ago
|
Summary: Stop sending cert blocklist items to Firefox 58+ → Stop sending cert blocklist items as part of blocklist.xml / kinto-blocklist / etc.
|
||
Comment 3•7 years ago
|
||
I started the query. Due to the lack of indexation, it will take about a week until I have the results. Keeping NI so I don't forget.
|
|
Assignee | |
Comment 5•7 years ago
|
||
(In reply to Andreas Wagner [:TheOne] [use NI] from comment #3) > I started the query. Due to the lack of indexation, it will take about a > week until I have the results. Keeping NI so I don't forget. OK, so per IRC: I'm *not* asking to see how many add-ons touch this pref. I would like to remove all the certificate items from the kinto-based blocklist.xml . If it's possible to do so by disabling them (rather than removing from the DB) that is probably preferable, but the desired outcome of this bug is that the `<certItems>` block in the blocklist's XML output is either empty or disappears completely. Andreas requested forwarding this to Jorge.
Flags: needinfo?(jorge)
|
|
Assignee | |
Comment 6•7 years ago
|
||
(In reply to :Gijs from comment #5) > (In reply to Andreas Wagner [:TheOne] [use NI] from comment #3) > > I started the query. Due to the lack of indexation, it will take about a > > week until I have the results. Keeping NI so I don't forget. > > OK, so per IRC: I'm *not* asking to see how many add-ons touch this pref. > > I would like to remove all the certificate items from the kinto-based > blocklist.xml . If it's possible to do so by disabling them (rather than > removing from the DB) that is probably preferable, but the desired outcome > of this bug is that the `<certItems>` block in the blocklist's XML output is > either empty or disappears completely. Andreas requested forwarding this to > Jorge. ... all of this on the assumption that we can kill these items in a way that removes them from blocklist.xml but not from OneCRL. Mark, how does this work server-side - do they share a db or not? :-)
Flags: needinfo?(mgoodwin)
|
||
Comment 7•7 years ago
|
||
If that's what you want, I guess the best way is to disable it inside the kinto-amo plugin: https://github.com/mozilla-services/kinto-amo/ Because the database of the XML file is shared with the current OneCRL one.
Flags: needinfo?(jorge)
|
|
||
Updated•7 years ago
|
Flags: needinfo?(mgoodwin)
|
|
Assignee | |
Updated•7 years ago
|
|
|
Assignee | |
Comment 8•7 years ago
|
||
https://github.com/mozilla-services/kinto-amo/pull/23 and https://github.com/mozilla-services/amo2kinto/pull/75 have both landed. This is now only waiting on kinto-dist being updated on the production blocklist service.
|
|
Assignee | |
Comment 9•7 years ago
|
||
This has all landed and is fixed on stage ( compare https://settings.stage.mozaws.net/v1/blocklist/3/%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/46.0/ vs. https://settings.stage.mozaws.net/v1/blocklist/3/%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/58.0/ )
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•