Closed Bug 1454141 Opened 6 years ago Closed 6 years ago

Flip langpack signing pref to true and don't allow overrides on release or beta

Categories

(Toolkit :: Add-ons Manager, defect, P2)

Tracking

VERIFIED FIXED
mozilla61
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 61+ verified
firefox59 --- unaffected
firefox60 --- wontfix
firefox61 blocking verified

People

(Reporter: aswan, Assigned: aswan)

Attachments

(2 files)

I believe this is the last step for bug 1197876 but waiting for QA sign-off before actually making the change.
Just adding a note, as Relman requested that we make more clear what prefs we are tracking for which releases.  

Flipping the final pref to ride to Beta and Release with 61 will happen after QA signs off.  

The change will be switching extensions.langpacks.signatures.required to true.
Assignee: nobody → aswan
Priority: -- → P2
Testing this on Firefox 60.0b12 and 60.0b13 for Signing language packs is complete, no new issues were found (on Windows 10 64Bit, Mac OS 10.13.3, Ubuntu 16.04 LTS).
Attachment #8969790 - Flags: review?(kmaglione+bmo)
Comment on attachment 8969790 [details]
Bug 1454141 Require language packs to be signed

https://reviewboard.mozilla.org/r/238626/#review244344
Attachment #8969790 - Flags: review?(kmaglione+bmo) → review+
https://hg.mozilla.org/mozilla-central/rev/616ab4435c15
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Reminder to myself to request uplift for ESR 60.1 once the appropriate flag appears in bugzilla
Flags: needinfo?(aswan)
[Tracking Requested - why for this release]:
Comment on attachment 8969790 [details]
Bug 1454141 Require language packs to be signed

(note this request is for 60.1, not the initial ESR60)

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
This is the last part of bug 1197876, requiring language packs to be signed by default

User impact if declined: 
The specific vulnerability from https://bugzilla.mozilla.org/show_bug.cgi?id=1197876#c0 no longer exists, but this protects us from any future vulnerabilities that may be found in language packs

Fix Landed on Version:
61

Risk to taking this patch (and alternatives if risky): 
The main risk is that some language packs fail to install or work correctly.  However, this has been manually tested by QA (https://bugzilla.mozilla.org/show_bug.cgi?id=1454141#c2) and additionally the build-time flag MOZ_REQUIRE_SIGNING is false for ESR meaning that users can flip the preference extensions.langpacks.signatures.required to override the default setting if necessary.

String or UUID changes made by this patch: 
none

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Flags: needinfo?(aswan)
Attachment #8969790 - Flags: approval-mozilla-esr60?
Retested and verified in Firefox 61.0a1 (20180504100129) (on Windows 10 64Bit, Mac OS 10.13.3, Ubuntu 16.04 LTS).
Status: RESOLVED → VERIFIED
Comment on attachment 8969790 [details]
Bug 1454141 Require language packs to be signed

enforce signed langpacks on 60.1esr
Attachment #8969790 - Flags: approval-mozilla-esr60? → approval-mozilla-esr60+
I tested this on Windows 10 x64, OSX 10.13 and Ubuntu 16.04 and it is verified as fixed on the latest nightly (62.0a1) and beta (61.0b8). But still reproducible on esr 60.0.1.

On esr 60.0.1, extensions.langpacks.signatures.required is still set to false by default.  On Nightly and beta, the pref is set to true by default.

One of my esr test environments:
-------------------------------
Version  60.0.1
Build ID  20180516032417
Update History  
Update Channel  esr
User-Agent  Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Firefox/60.0
This is shipping in ESR 60.1, not 60.0.1. You'll need to test a CI build to verify there.
Flags: needinfo?(amasresha)
Tested this with the latest builds from treeherder and it is verified as fixed on the esr [60.1].
extensions.langpacks.signatures.required is set to true by default.
Flags: needinfo?(amasresha)
Flags: qe-verify+
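Added example, not part of the bug thread or of Firefox's code: a profile audit for the override that the ESR approval request mentions, which parses `user_pref(...)` lines from a profile's prefs.js or user.js and reports whether langpack signing is still enforced. The function names, the sample profile text and the rule "builds with MOZ_REQUIRE_SIGNING ignore the pref, other builds honour a user override" are assumptions modelled on what the thread states.

```python
import re

PREF = "extensions.langpacks.signatures.required"  # pref name taken from the bug
# One user_pref("name", value); line as written in prefs.js / user.js.
USER_PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_user_prefs(text):
    """Return {name: value} for the user_pref lines in text; later lines win."""
    prefs = {}
    for line in text.splitlines():
        if line.lstrip().startswith("//"):
            continue  # a commented-out pref has no effect
        m = USER_PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def langpack_signing_enforced(prefs_text, default, build_requires_signing):
    """Assumed model of the thread's description, not Firefox's implementation.
    Returns (enforced, reason)."""
    if build_requires_signing:  # release/beta: overrides are not allowed
        return True, "locked by build"
    prefs = parse_user_prefs(prefs_text)
    if PREF in prefs:  # ESR-style build: a user override wins
        return prefs[PREF] is True, "user override"
    return default, "default"

# Constructed sample profile contents, not taken from a real profile.
SAMPLE_PREFS_JS = '''\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("extensions.langpacks.signatures.required", false);
'''

if __name__ == "__main__":
    # (label, shipped default, MOZ_REQUIRE_SIGNING) as described in the thread
    for label, default, locked in [("ESR 60.0.1", False, False),
                                   ("ESR 60.1", True, False),
                                   ("release/beta 61", True, True)]:
        print(label, langpack_signing_enforced(SAMPLE_PREFS_JS, default, locked))
```

On an ESR 60.1 profile, a result of `(False, "user override")` means the new default has been switched off locally and unsigned language packs would be accepted.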