Closed
Bug 1460321
Opened 6 years ago
Closed 6 years ago
Migrate addons/plugins/gfx content-signature certificate to the main one
Categories
(Toolkit :: Blocklist Implementation, enhancement)
Tracking
()
RESOLVED
FIXED
mozilla61
| Tracking | Status | |
|---|---|---|
| firefox62 | --- | fixed |
People
(Reporter: leplatrem, Assigned: leplatrem)
References
Details
Attachments
(1 file)
In Bug 1450985 we enabled signature verification of addons/plugins/gfx. But it uses the same certificate as onecrl. As discussed in Bug 1438820 and Bug 1460311, we want those 3 collections to use the same certificate as default remote settings. We should take advantage of the fact that verification was enabled in 61 (and thus does not affect stable yet)
| Comment hidden (mozreview-request) |
|
Assignee | |
Comment 2•6 years ago
|
||
During the period of time between the landing of the patch and the next beta is released, either Nightly or Beta will have failing signatures: - If we change the server configuration just when this patch lands, then signature validation will be successful in Nightly but will fail on Beta until a new release containing the fix is issued. - If we land this patch but change the server configuration only when a new Beta release containing the fix is issued, then signature validation will fail in Nightly for the whole interval Signature validation failing means that users won't receive addons/plugins/gfx updates. And their browser console will show error messages. :ulfr, do you have any particular advice on how to proceed? Would this be worth releasing a "security fix" beta release to minimize the period of time between the patch landing and the release to be issued? BTW, I never pushed anything to Beta and will probably need help. Also if that helps to decide: the frequency of updates in the blocklists is really low (more or less one change every two weeks in average) Thanks!
Flags: needinfo?(jvehent)
|
||
Comment 3•6 years ago
|
||
I don't have a strong opinion. I think this falls more on the preference of the platform team, so needinfo mark. Ideally, we add code that handles both cases and prevents any release from breaking, and remove that code later on. Failing that, I think breaking nightly is better than breaking beta, but I don't know if that's at all acceptable.
Flags: needinfo?(jvehent) → needinfo?(mgoodwin)
|
|
Assignee | |
Comment 4•6 years ago
|
||
After having talked to mythmon and mostlygeek, we realized there were other options: - Plan A: Back out the changes made in Bug 1450985 to disable signature verification, so that we could change the certificate signature on the server without any impact. I created Bug 1461750 for that - Plan B: Rely on the new pref rollout feature from Normandy to remotely change the certificate name on client just after we change the server config and refresh its signatures
|
|
Assignee | |
Comment 5•6 years ago
|
||
Bug 1461750 was merged, once 61.0b6 is released and a significant uptake is reached, I will migrate the signature on the server. Then, I will land this patch just after. I would need it to be r+ though ;)
|
||
Comment 6•6 years ago
|
||
(In reply to Mathieu Leplatre (:leplatrem) from comment #4) > After having talked to mythmon and mostlygeek, we realized there were other > options: Solutions which prevent breakage seem advantageous to me.
Flags: needinfo?(mgoodwin)
|
|
||
Comment 7•6 years ago
|
||
| mozreview-review | ||
Comment on attachment 8974540 [details] Bug 1460321 - Change addons/plugins/gfx blocklist content-signature certificate https://reviewboard.mozilla.org/r/242878/#review252472 Do we still want this change, given the other options?
| Comment hidden (mozreview-request) |
|
|
||
Comment 9•6 years ago
|
||
| mozreview-review | ||
Comment on attachment 8974540 [details] Bug 1460321 - Change addons/plugins/gfx blocklist content-signature certificate https://reviewboard.mozilla.org/r/242878/#review252480
Attachment #8974540 -
Flags: review?(mgoodwin) → review+
|
|
Assignee | |
Updated•6 years ago
|
Keywords: checkin-needed
|
||
Comment 10•6 years ago
|
||
Pushed by ryanvm@gmail.com: https://hg.mozilla.org/integration/autoland/rev/3f64d5a8174e Change addons/plugins/gfx blocklist content-signature certificate r=mgoodwin
Keywords: checkin-needed
|
||
Comment 11•6 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/3f64d5a8174e
|
||
Updated•5 years ago
|
Component: Blocklist Policy Requests → Blocklist Implementation
You need to log in
before you can comment on or make changes to this bug.
Description
•