Closed Bug 460020 Opened 17 years ago Closed 14 years ago

Build machines should fetch from hg via https or ssh

Categories

(Release Engineering :: General, defect, P5)

Product:
Release Engineering
Component:
General
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: BenB, Assigned: catlee)

References

Details

(Whiteboard: [buildbot][security])

See bug 450645
No longer blocks: 450645
Blocks: 450645
I'm tossing this back in the pool for now. If someone else has time to tackle it before I do, please feel free to do so.
Assignee: bhearsum → nobody
RelEng came across this in triage and given the problems with the first deployment, and the fact that the build machines are in the same colo as hg.m.o we've decided that we will not be going ahead with this.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → WONTFIX
Yet we spent tons of time making sure our build machines pulled CVS source over SSH rather than pserver?
I'm not sure what our colo network looks like, but one usual attack vector for this stuff is DNS poisoning. Being on the same network doesn't help if an attacker can make a machine thing hg.mozilla.org is an IP in Elbonia. Are we sure that can't happen?
This needs to be done for the same reason CVS builds were moved to SSH rather than pserver.
Status: RESOLVED → REOPENED
OS: Linux → All
Hardware: PC → All
Resolution: WONTFIX → ---
Wouldn't that be "Build machines should fetch from hg via ssh"? To the best of my knowledge, that would actually have a point, unlike this, which is utterly pointless without any cert checking.
Summary: Build machines should fetch from hg via https → Build machines should fetch from hg via https or ssh
Assignee: nobody → joduinn
What's the concern here? Since all the build infrastructure is on Mozilla owned ethernet in locked environments, what does encryption help with? If DNS is a real concern (and we really think that Mozilla's internal nameservers can be compromised) then the more desirable fix would be to add host entries. Using some for of encryption will break the content caching we're using for non-local-to-MPT locations, some of which will be through an IPSec VPN and some of which are private ethernet connected.
There are tons of attack vectors, yes. DNS is one. Getting access to ethernet is another. Mozilla.com network access != root access to 400 million desktops. "Better safe than sorry" See reed comment 3 and 5.
There's a trade-off and balance in security vs. practicality. We'd be significantly increasing the costs associated with doing remote build pods (or increasing build delays if we scratch them) if we can't use caching proxies. And by extension, if we're going to argue that every machine-to-machine communication within the locked datacenter can be compromised we should look at addons.mozilla.org and the non-encrytped mysql connections. And if everything's going to be encrypted we'll need to look at augmenting CPU on everything. And if you could tap the wire, why wouldn't you just reboot the hg servers and install something that sits before it's all encrypted? The essence of my question is, is it worth it?
Talked with clyon, mrz yesterday afternoon at length: 1) There's a few reasons, in addition to the potential MITM scenario described here, for separating the repo machines from other machines in the secured colo. I've spun off bug#567488 to track that work. 2) The pro-vs-con debate of using https/ssh within the locked-down colo continues. Still figuring out possible infrastructure impact, and bug#567488 will further reduce the possible attack vectors, but other comments/concerns welcome. 3) BenB,reed: after reading comment#3, comment#5, comment#8, if you have other security concerns, please file separate bugs with specific actionable items.
I can't read bug 567488 (despite being in security-group), so I don't know what exactly it will do or help and want remains. > please file separate bugs with specific actionable items. This one is actionable: s/http/ssh/ in hgrc :)
(In reply to comment #11) > I can't read bug 567488 (despite being in security-group), so I don't know what > exactly it will do or help and want remains. I've cc'd you.
Thanks. From out-of-band discussion, I misunderstood comment 10, I thought you wanted to close this bug.
Does using a shared source dir (bug 589885) save us some of the pain of doing a full, non-cached clone over ssh every time?
Assignee: joduinn → catlee
Priority: -- → P5
Whiteboard: [buildbot][security]
Summary of meeting with RelEng (joduinn), IT (mrz) and InfraSec (clyon): The security risks portrayed here are being addressed by architectural changes already being worked on separately in bug#567488, bug#602741, and bug#617414, therefore this bug is being WONTFIXed.
Status: REOPENED → RESOLVED
Closed: 17 years ago14 years ago
Resolution: --- → WONTFIX
See Also: → 617414
Will there be a secure connection (eg. VPN) between build machines and repo machines?
BTW: I can't access bug 602741. Could you maybe CC me?
There will be some sort of end-to-end encryption, the details of which have yet to be worked out.
Can we reopen this bug, then, please? Because this is exactly about that end-to-end encryption.
Product: mozilla.org → Release Engineering
You need to log in before you can comment on or make changes to this bug.