Closed Bug 1813779 Opened 1 year ago Closed 1 year ago

Consider how hash verification should work for language models and wasm binaries

Tracking

()

Status:

RESOLVED FIXED

Milestone:

113 Branch

Tracking Flags:

Tracking

Status

firefox113

---

fixed

People

(Reporter: gregtatum, Assigned: gregtatum)

References

Details

Attachments

(1 file)

Bug 1813779 - Always verify signatures for translation assets; r?nordzilla! 1 year ago Greg Tatum [:gregtatum] 48 bytes, text/x-phabricator-request		Details \| Review

Greg Tatum [:gregtatum]

Assignee

Description

•

1 year ago

Remote Settings can verify the hash of the content on the disk. There is a runtime cost to this and it also involves a network request. We should consider the strategy here on checking this information. The wasm and language models are stored in the user directory which is open to tampering. Hash verification will ensure that the contents of the cache are valid.

Greg Tatum [:gregtatum]

Assignee

Updated

•

1 year ago

Type: defect → enhancement

Priority: -- → P2

Greg Tatum [:gregtatum]

Assignee

Comment 1

•

1 year ago

Erik and I discussed this, and we are doing the safe and correct thing, which we feel comfortable with shipping, so this doesn't block the MVP. We can re-visit when and if we get evidence that this slows down the process.

Greg Tatum [:gregtatum]

Assignee

Comment 2

•

1 year ago

I don't think this is worth keeping open, as Erik and I discussed this. We can always re-open if the evidence shows that this is slow.

Status: NEW → RESOLVED

Closed: 1 year ago

Resolution: --- → WONTFIX

Greg Tatum [:gregtatum]

Assignee

Comment 3

•

1 year ago

Actually, I'll attach a patch to this to remove the TODOs.

Status: RESOLVED → REOPENED

Resolution: WONTFIX → ---

Greg Tatum [:gregtatum]

Assignee

Updated

•

1 year ago

Assignee: nobody → gtatum

Greg Tatum [:gregtatum]

Assignee

Comment 4

•

1 year ago

Attached file Bug 1813779 - Always verify signatures for translation assets; r?nordzilla! — Details

Depends on D173194

Pulsebot

Comment 5

•

1 year ago

Pushed by gtatum@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/793ba36c54b5
Always verify signatures for translation assets; r=nordzilla

Atila Butkovits

Comment 6

•

1 year ago

Backed out for causing failures at browser_full_page.js.

Backout link: https://hg.mozilla.org/integration/autoland/rev/824c14ab68396152de37a562f09df8ce71f924bf

Push where failures started: https://treeherder.mozilla.org/jobs?repo=autoland&resultStatus=testfailed%2Cbusted%2Cexception%2Cretry%2Cusercancel&revision=457474e589d4544345a1f55d4343a4b70ded1d1e&selectedTaskRun=Hrqjdo8ESFSvywMOFoyoyw.0

Failure log: https://treeherder.mozilla.org/logviewer?job_id=410034037&repo=autoland&lineNumber=11999

Pulsebot

Comment 7

•

1 year ago

Pushed by gtatum@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1264ea613b5e
Always verify signatures for translation assets; r=nordzilla

Sandor Molnar[:smolnar]

Comment 8

•

1 year ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/1264ea613b5e

Status: REOPENED → RESOLVED

Closed: 1 year ago → 1 year ago

status-firefox113: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → 113 Branch

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Consider how hash verification should work for language models and wasm binaries

Categories

(Firefox :: Translations, enhancement, P2)

Tracking

()

People

(Reporter: gregtatum, Assigned: gregtatum)

References

Details

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Updated

Comment 1

Comment 2

Comment 3

Updated

Comment 4

Comment 5

Comment 6

Comment 7

Comment 8

Attachment

General

Description

File Name

Content Type