Closed Bug 1512451 Opened 6 years ago Closed 5 years ago

Read certificates revocation list from security-states/onecrl instead of blocklists/certificates

Categories

(Toolkit :: Blocklist Implementation, enhancement, P3)

RESOLVED FIXED
mozilla68
Tracking Status
firefox68 --- fixed

People

(Reporter: leplatrem, Assigned: leplatrem)

Attachments

(1 file)

In the RemoteSettings client instantiation, the bucketName should now be a new preference with the value "security-state":

https://searchfox.org/mozilla-central/rev/69f9d5002c6e3c5c571a348916fb174e6a7b4acd/services/common/blocklist-clients.js#177

And this preference value changed to "onecrl":

https://searchfox.org/mozilla-central/rev/adec563403271e78d1a057259b3e17fe557dfd91/modules/libpref/init/all.js#2732
Priority: -- → P3
(In reply to Mathieu Leplatre [:leplatrem] from comment #1)
> Until we declare security-state/onecrl as the new source, the security team
> would have to publish their changes in both places.

Note, we are not keeping the new and old buckets in-sync at this time. The permissions changes between the buckets yield enough breakage in the tooling that we will have to dedicate time to fixing them after the holidays.
> Note, we are not keeping the new and old buckets in-sync at this time. The permissions changes between the buckets yield enough breakage in the tooling that we will have to dedicate time to fixing them after the holidays.

I'm sorry to hear that. Let's get back to this in January. We don't have OPs 'till then anyway...

As part of this ticket, we should also remove the JSON dump blocklist/certificates.json and add security-state/onecrl.json.
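A drift check for the two sources discussed above, as an added example that is not part of the bug thread or of Firefox's code: it compares a legacy dump with a new one by revocation content and lists entries present on only one side. The `{data: [...]}` dump shape and the record field names (`issuerName`, `serialNumber`, `subject`, `pubKeyHash`) are assumptions, and all sample records are constructed.

```javascript
// Added example, not Firefox code. Record fields and the {data: [...]} dump
// shape are assumptions; all sample values below are constructed.

// Identify a revocation by content, since record ids can differ per bucket.
function revocationKey(rec) {
  if (rec.issuerName && rec.serialNumber) {
    return `issuer-serial:${rec.issuerName}:${rec.serialNumber}`;
  }
  if (rec.subject && rec.pubKeyHash) {
    return `subject-key:${rec.subject}:${rec.pubKeyHash}`;
  }
  return null; // neither revocation form is complete
}

function indexDump(dump) {
  const keys = new Map();
  const malformed = [];
  for (const rec of dump.data || []) {
    const key = revocationKey(rec);
    if (key === null) malformed.push(rec.id);
    else keys.set(key, rec.id);
  }
  return { keys, malformed };
}

// Report revocations present in one dump but absent from the other.
function diffDumps(legacyDump, newDump) {
  const legacy = indexDump(legacyDump);
  const next = indexDump(newDump);
  const onlyIn = (a, b) =>
    [...a.keys].filter(([k]) => !b.keys.has(k)).map(([, id]) => id);
  return {
    missingInNew: onlyIn(legacy, next),
    missingInLegacy: onlyIn(next, legacy),
    malformed: [...legacy.malformed, ...next.malformed],
  };
}

const legacySample = { data: [
  { id: "a1", issuerName: "TUVYQU1QTEU=", serialNumber: "AQID" },
  { id: "a2", subject: "U1VCSkVDVA==", pubKeyHash: "aGFzaA==" },
  { id: "a3", issuerName: "TUVYQU1QTEU=", serialNumber: "BAUG" },
] };
const newSample = { data: [
  { id: "b1", issuerName: "TUVYQU1QTEU=", serialNumber: "AQID" },
  { id: "b2", subject: "U1VCSkVDVA==", pubKeyHash: "aGFzaA==" },
  { id: "b3", issuerName: "TUVYQU1QTEU=" }, // constructed incomplete record
] };
console.log(diffDumps(legacySample, newSample));
```

A non-empty `missingInNew` means a client reading only the new source would not see that revocation.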

Read OneCRL blocklist from security-states/onecrl

See Also: → 1414202
Blocks: 1543598
Assignee: nobody → mathieu

Mark, could you please give a final r+ so that we can ship this in 68? It would be nice not to have another ESR pulling from the legacy endpoint.
Thanks!

Flags: needinfo?(mgoodwin)
Pushed by mleplatre@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a19d696f96fb
Read OneCRL blocklist from security-states/onecrl r=jcj,mgoodwin,glasserc

Before this got backed out, we noticed this installer size increase:

== Change summary for alert #20584 (as of Tue, 23 Apr 2019 20:10:32 GMT) ==

Regressions:

300KBytes installer size osx-shippable opt nightly 77,004,021.58 -> 77,326,302.42
300KBytes installer size osx-shippable opt gcp nightly 77,006,034.21 -> 77,324,841.33

For up to date results, see: https://treeherder.mozilla.org/perf.html#/alerts?id=20584

Andreea, sorry for the troubles :/ I had only run xpcshell tests...

Ionut, this is normal indeed. With this patch, we now take into account one of the JSON dumps of Remote Settings [0] (We introduced it in https://bugzilla.mozilla.org/show_bug.cgi?id=1541841 but it was not mentioned in package-manifest.in)

[0] https://firefox-source-docs.mozilla.org/services/common/services/RemoteSettings.html#initial-data

Flags: needinfo?(mathieu)

(In reply to Mathieu Leplatre [:leplatrem] from comment #15)

> Andreea, sorry for the troubles :/ I had only run xpcshell tests...
>
> Ionut, this is normal indeed. With this patch, we now take into account one of the JSON dumps of Remote Settings [0] (We introduced it in https://bugzilla.mozilla.org/show_bug.cgi?id=1541841 but it was not mentioned in package-manifest.in)
>
> [0] https://firefox-source-docs.mozilla.org/services/common/services/RemoteSettings.html#initial-data

Is 300k the smallest we can get this? Because as installer size goes, that's pretty sizable, esp. on mobile (where it seems we are also packaging this...).

> Is 300k the smallest we can get this? Because as installer size goes, that's pretty sizable, esp. on mobile (where it seems we are also packaging this...).

On Mobile there should be no increase, since we already shipped the same data under a different name

(In reply to Mathieu Leplatre [:leplatrem] from comment #17)

> > Is 300k the smallest we can get this? Because as installer size goes, that's pretty sizable, esp. on mobile (where it seems we are also packaging this...).
>
> On Mobile there should be no increase, since we already shipped the same data under a different name

So we ate that same cost earlier - if we could slim this down e.g. by compressing it somehow, that seems worth at least thinking about...

See Also: → 1546675
Pushed by mleplatre@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e1ab2cda0424
Read OneCRL blocklist from security-states/onecrl r=jcj,mgoodwin,glasserc
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68

(In reply to Mathieu Leplatre [:leplatrem] from comment #15)

> Andreea, sorry for the troubles :/ I had only run xpcshell tests...
>
> Ionut, this is normal indeed. With this patch, we now take into account one of the JSON dumps of Remote Settings [0] (We introduced it in https://bugzilla.mozilla.org/show_bug.cgi?id=1541841 but it was not mentioned in package-manifest.in)
>
> [0] https://firefox-source-docs.mozilla.org/services/common/services/RemoteSettings.html#initial-data

No problem, glad this got fixed in the meantime.

Regressions: 1546525
Flags: needinfo?(mgoodwin)