Read certificates revocation list from security-states/onecrl instead of blocklists/certificates

RESOLVED FIXED in Firefox 68

Status

enhancement
P3
normal
RESOLVED FIXED
7 months ago
2 months ago

People

(Reporter: leplatrem, Assigned: leplatrem)

Tracking

unspecified
mozilla68

Firefox Tracking Flags

(firefox68 fixed)

Details

Attachments

(1 attachment)

Assignee

Description

7 months ago
In the RemoteSettings client instantiation, the bucketName should now be a new preference with the value "security-state":

https://searchfox.org/mozilla-central/rev/69f9d5002c6e3c5c571a348916fb174e6a7b4acd/services/common/blocklist-clients.js#177

And this preference value changed to "onecrl":

https://searchfox.org/mozilla-central/rev/adec563403271e78d1a057259b3e17fe557dfd91/modules/libpref/init/all.js#2732
Priority: -- → P3
(In reply to Mathieu Leplatre [:leplatrem] from comment #1)
> Until we declare security-state/onecrl as the new source, the security team
> would have to publish their changes in both places.

Note, we are not keeping the new and old buckets in-sync at this time. The permissions changes between the buckets yield enough breakage in the tooling that we will have to dedicate time to fixing them after the holidays.
Assignee

Comment 2

6 months ago
> Note, we are not keeping the new and old buckets in-sync at this time. The permissions changes between the buckets yield enough breakage in the tooling that we will have to dedicate time to fixing them after the holidays.

I'm sorry to hear that. Let's get back to this in January. We don't have OPs 'till then anyway...
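
The comments above note that the old and new buckets are not kept in sync, so a client reading only one of them can miss revocations published to the other. As an added example (not part of this bug or of Firefox's code), the following Node.js code compares two dumps by revocation identity; the record fields `issuerName`/`serialNumber` and `subject`/`pubKeyHash`, the `{ data: [...] }` dump shape, and all function names are assumptions of the example.

```javascript
// Added example, not Firefox code. Field names are assumed OneCRL record fields.
// Identity of a revocation. Kinto record ids and timestamps are ignored,
// since they can differ between buckets for the same revocation.
function revocationKey(record) {
  if (record.issuerName && record.serialNumber) {
    return `issuer-serial|${record.issuerName}|${record.serialNumber}`;
  }
  if (record.subject && record.pubKeyHash) {
    return `subject-key|${record.subject}|${record.pubKeyHash}`;
  }
  return null; // neither form is complete: report it instead of dropping it
}

function indexByKey(records) {
  const index = new Map();
  const malformed = [];
  for (const record of records) {
    const key = revocationKey(record);
    if (key === null) malformed.push(record.id);
    else index.set(key, record.id);
  }
  return { index, malformed };
}

// Takes the "data" arrays of two dumps; reports revocations found in only one.
function compareBuckets(legacyRecords, currentRecords) {
  const legacy = indexByKey(legacyRecords);
  const current = indexByKey(currentRecords);
  const onlyIn = (a, b) => [...a.keys()].filter((k) => !b.has(k)).sort();
  return {
    missingFromCurrent: onlyIn(legacy.index, current.index),
    missingFromLegacy: onlyIn(current.index, legacy.index),
    malformed: [...legacy.malformed, ...current.malformed],
  };
}

// Constructed sample dumps (values are placeholders, not real OneCRL entries).
const LEGACY_DUMP = { data: [
  { id: "old-1", issuerName: "ISSUER-A", serialNumber: "SERIAL-1" },
  { id: "old-2", subject: "SUBJECT-B", pubKeyHash: "HASH-B" },
  { id: "old-3", issuerName: "ISSUER-A", serialNumber: "SERIAL-9" },
] };
const CURRENT_DUMP = { data: [
  { id: "new-1", issuerName: "ISSUER-A", serialNumber: "SERIAL-1" },
  { id: "new-2", subject: "SUBJECT-B", pubKeyHash: "HASH-B" },
  { id: "new-3", issuerName: "ISSUER-C" },
] };
console.log(compareBuckets(LEGACY_DUMP.data, CURRENT_DUMP.data));
```

A non-empty `missingFromCurrent` list means certificates revoked in the legacy collection would still be accepted by a client that reads only the new one.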
Assignee

Comment 3

5 months ago

As part of this ticket, we should also remove the JSON dump blocklist/certificates.json and add security-state/onecrl.json.

Assignee

Comment 4

3 months ago

Read OneCRL blocklist from security-states/onecrl

Assignee

Updated

3 months ago
No longer blocks: 1460311
Depends on: 1460311
Assignee

Updated

3 months ago
See Also: → 1414202
Assignee

Updated

3 months ago
Blocks: 1543598
Assignee

Updated

3 months ago
Assignee: nobody → mathieu
Assignee

Comment 8

3 months ago

Mark, could you please give a final r+ so that we can ship this in 68? It would be nice not to have another ESR pulling from the legacy endpoint.
Thanks!

Assignee

Updated

3 months ago
Flags: needinfo?(mgoodwin)

Comment 11

2 months ago
Pushed by mleplatre@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a19d696f96fb
Read OneCRL blocklist from security-states/onecrl r=jcj,mgoodwin,glasserc

Before this got backed out, we noticed this installer size increase:

== Change summary for alert #20584 (as of Tue, 23 Apr 2019 20:10:32 GMT) ==

Regressions:

300KBytes installer size osx-shippable opt nightly 77,004,021.58 -> 77,326,302.42
300KBytes installer size osx-shippable opt gcp nightly 77,006,034.21 -> 77,324,841.33

For up to date results, see: https://treeherder.mozilla.org/perf.html#/alerts?id=20584

Assignee

Comment 15

2 months ago

Andreea, sorry for the troubles :/ I had only run xpcshell tests...

Ionut, this is normal indeed. With this patch, we now take into account one of the JSON dumps of Remote Settings [0] (we introduced it in https://bugzilla.mozilla.org/show_bug.cgi?id=1541841 but it was not mentioned in package-manifest.in).

[0] https://firefox-source-docs.mozilla.org/services/common/services/RemoteSettings.html#initial-data

Flags: needinfo?(mathieu)

(In reply to Mathieu Leplatre [:leplatrem] from comment #15)
> Andreea, sorry for the troubles :/ I had only run xpcshell tests...
>
> Ionut, this is normal indeed. With this patch, we now take into account one of the JSON dumps of Remote Settings [0] (we introduced it in https://bugzilla.mozilla.org/show_bug.cgi?id=1541841 but it was not mentioned in package-manifest.in).
>
> [0] https://firefox-source-docs.mozilla.org/services/common/services/RemoteSettings.html#initial-data

Is 300k the smallest we can get this? Because as installer size goes, that's pretty sizable, esp. on mobile (where it seems we are also packaging this...).

Assignee

Comment 17

2 months ago

> Is 300k the smallest we can get this? Because as installer size goes, that's pretty sizable, esp. on mobile (where it seems we are also packaging this...).

On Mobile there should be no increase, since we already shipped the same data under a different name.

(In reply to Mathieu Leplatre [:leplatrem] from comment #17)
> > Is 300k the smallest we can get this? Because as installer size goes, that's pretty sizable, esp. on mobile (where it seems we are also packaging this...).
>
> On Mobile there should be no increase, since we already shipped the same data under a different name.

So we ate that same cost earlier - if we could slim this down e.g. by compressing it somehow, that seems worth at least thinking about...

Assignee

Updated

2 months ago
See Also: → 1546675

Comment 21

2 months ago
Pushed by mleplatre@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e1ab2cda0424
Read OneCRL blocklist from security-states/onecrl r=jcj,mgoodwin,glasserc

Comment 22

2 months ago
bugherder
Status: NEW → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68

(In reply to Mathieu Leplatre [:leplatrem] from comment #15)
> Andreea, sorry for the troubles :/ I had only run xpcshell tests...
>
> Ionut, this is normal indeed. With this patch, we now take into account one of the JSON dumps of Remote Settings [0] (we introduced it in https://bugzilla.mozilla.org/show_bug.cgi?id=1541841 but it was not mentioned in package-manifest.in).
>
> [0] https://firefox-source-docs.mozilla.org/services/common/services/RemoteSettings.html#initial-data

No problem, glad this got fixed in the meantime.

Regressions: 1546525
Flags: needinfo?(mgoodwin)