Provide the gls and safe browsing keys to build system
Categories
(Release Engineering :: Release Automation: Other, defect)
Tracking
(firefox-esr6066+ fixed, firefox65 wontfix, firefox66+ fixed, firefox67+ fixed)
People
(Reporter: catlee, Assigned: mtabara)
References
Details
Attachments
(1 file)
47 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
RyanVM
:
approval-mozilla-esr60+
|
Details | Review |
We need to create new secrets in the TC secret service to hold the safe browsing keys, and adjust our build configs to pull down the gls and safe browsing keys to the expected locations for the build system.
Comment 1•6 years ago
|
||
For now, we can use the same for gls & safe browsing if it makes our life easier.
Comment 2•6 years ago
|
||
We need to:
- Create new secrets project/releng/gecko/build/level-{1,2,3}/{gls,sb}-gapi.data
- Split all the entries in mozharness here to create both files.
Assignee | ||
Comment 3•6 years ago
|
||
Provide gls and safe browsine separate keys at build time.
Assignee | ||
Comment 4•6 years ago
|
||
(In reply to Tom Prince [:tomprince] from comment #2)
We need to:
- Create new secrets project/releng/gecko/build/level-{1,2,3}/{gls,sb}-gapi.data
Created project/releng/gecko/build/level-{1,2,3}/{gls,sb}-gapi.data within https://tools.taskcluster.net/secrets/
They are re-using credential(s) from project/releng/gecko/build/level-{1,2,3}/gapi.data
Comment 5•6 years ago
|
||
Once this has stuck, we should update the old secrets in taskcluster with an expiry that is a few months out, so they will automatically be cleaned up.
Assignee | ||
Comment 6•6 years ago
|
||
(In reply to Tom Prince [:tomprince] from comment #5)
Once this has stuck, we should update the old secrets in taskcluster with an expiry that is a few months out, so they will automatically be cleaned up
Sounds good. I left the old ones there so that we can do a gradual migration. But as you said in the Phab request, totally fine to remove them in the same time, if we graft those in the right place.
I followed-up with a follow-up commit to fix the taskcluster windows failed one.
Assignee | ||
Comment 7•6 years ago
|
||
@tomprince:
Do we want to wait for https://phabricator.services.mozilla.com/D21459 to land and to address that cleanup now or should we land as is and follow-up separately with the cleanup bits in https://phabricator.services.mozilla.com/D21536 ?
Comment 8•6 years ago
|
||
I think i need your patch to land first as mine will break the build.
Or we can land both in the same push
Assignee | ||
Comment 9•6 years ago
|
||
(In reply to Sylvestre Ledru [:sylvestre] from comment #8)
I think i need your patch to land first as mine will break the build.
Or we can land both in the same push
That makes sense. Tom wanted to do the cleanup of the old files in the same patch so I'm not sure how strong he leands towards that. If not that strong, I can land as is, set sooner(months?)-expiration dates for existing secrets and follow-up with removal patches from mozharness configs. If yes, I can include those now but I guess we'll have to land in the same time.
Comment 10•6 years ago
|
||
I guess this can be done later. These changes are pretty urgent
Assignee | ||
Comment 11•6 years ago
|
||
(In reply to Sylvestre Ledru [:sylvestre] from comment #10)
I guess this can be done later. These changes are pretty urgent
Landed, though Autoland is closed. As soon as it opens, the bug will get notified.
Then Sylvestre can proceed with autolanding that patch too.
Comment 12•6 years ago
|
||
Assignee | ||
Comment 13•6 years ago
|
||
(In reply to Pulsebot from comment #12)
Pushed by mtabara@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/aeee5b2fac0f
provide gls and safe browsing separate keys. r=tomprince
Did you want this grafted to beta and esr60?
Comment 14•6 years ago
|
||
yes please
I will ask for uplift
Assignee | ||
Updated•6 years ago
|
Assignee | ||
Comment 15•6 years ago
|
||
Comment on attachment 9047370 [details]
Bug 1531178 - provide gls and safe browsing separate keys. r=tomprince
Beta/Release Uplift Approval Request
- Feature/Bug causing the regression: Bug 1531178
- User impact if declined:
- Is this code covered by automated tests?: Unknown
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Medium
- Why is the change risky/not risky? (and alternatives if risky): This provides additional set of keys per level for gls and safe browsing keys within the build configs.
- String changes made/needed:
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration:
- User impact if declined:
- Fix Landed on Version:
- Risk to taking this patch: Medium
- Why is the change risky/not risky? (and alternatives if risky): This provides additional set of keys per level for gls and safe browsing keys within the build configs.
- String or UUID changes made by this patch:
Comment 16•6 years ago
|
||
bugherder |
Comment 17•6 years ago
|
||
Comment on attachment 9047370 [details]
Bug 1531178 - provide gls and safe browsing separate keys. r=tomprince
Needed so we can split our measurements of GLS and Safe Browsing key usage. Approved for 66.0b14 and 60.6esr.
Comment 18•6 years ago
|
||
Per discussion with mtabara, moving follow-up work to a new bug for easier tracking of this one.
Comment 19•6 years ago
|
||
bugherder uplift |
Comment 20•6 years ago
|
||
bugherder uplift |
Description
•