Open Bug 2053463 Opened 3 days ago Updated 1 day ago

Move Updatebot to a dedicated pool

Categories

(Release Engineering :: Firefox-CI Administration, enhancement)

enhancement

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: tjr, Assigned: ahal)

References

(Blocks 1 open bug)

Details

(Keywords: leave-open)

Attachments

(3 files)

Updatbot runs in m-c with L3 creds presently, As we add AI into Updatebot, we want to defend against a scenario where we get prompt-injected, and an attacker compromises the underlying instance (breaking out of Docker) and then later uses that access to affect a Firefox release.

After talking with ahal the best solution to this would be to use a dedicated pool. (Other options are possible, but this one seems cleanest/most straightforward.)

We'll need a patch to the Firefox repo as well to make updatebot use these pools.

Assignee: nobody → ahal
Status: NEW → ASSIGNED
Keywords: leave-open
Blocks: 2053835
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: