Closed Bug 581332 Opened 15 years ago Closed 15 years ago

shadow-central nightly builds show up in public FTP space

Categories

(Release Engineering :: General, defect)

x86
macOS
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bhearsum, Assigned: bhearsum)

Details

(Whiteboard: [sg:nse])

Attachments

(2 files)

http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-shadow-central/ has nightly builds from shadow-central, which exposes shadow-central content to the world. Need to move these to the private space, or just turn them off.
This is the quick fix to turn them off completely. I don't think there's any point in having them on, either, unless we update AUS to properly provide updates to them.
Attachment #459797 - Flags: review?(catlee)
And fwiw, enabling updates for these could be considered a security hole, too. Anyone that knows how to construct an AUS url could pretty easily brute force their way to getting one of these builds.
Assignee: nobody → bhearsum
Attachment #459797 - Flags: review?(catlee) → review+
Comment on attachment 459797: disable shadow-central nightlies

changeset: 2751:4f5093a51349
Attachment #459797 - Flags: checked-in+
There's no more nightly builders for shadow-central.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Does that undo the work lukas did to make shadow-central builds work? Or was this just the nightly builds?

Would it be possible to make the nightly builds deliver to the protected ftp space that the buildbot builds do?

Lack of updates was acknowledged as a downside to this shadow-repo plan from the beginning. We're not going to try to secure that channel, we'll just not have them. And I suppose if there are no updates and QA will just grab test builds to verify bugs then maybe official nightlies are, in fact, pointless.
(In reply to comment #5)
> Lack of updates was acknowledged as a downside to this shadow-repo plan from
> the beginning. We're not going to try to secure that channel, we'll just not
> have them. And I suppose if there are no updates and QA will just grab test
> builds to verify bugs then maybe official nightlies are, in fact, pointless.

Huh? Why can't we have updates for the shadow repo? I don't remember us writing that off at the (very long) March meeting, and I do remember us giving multiple ways we could do such a thing securely...
Whiteboard: [sg:nse]
(In reply to comment #5)
> Does that undo the work lukas did to make shadow-central builds work? Or was
> this just the nightly builds?

There's still opt/debug builders, plus unit tests, talos -- all the normal on-landing stuff is there.

> Would it be possible to make the nightly builds
> deliver to the protected ftp space that the buildbot builds do?

Might be possible.

> Lack of updates was acknowledged as a downside to this shadow-repo plan from
> the beginning. We're not going to try to secure that channel, we'll just not
> have them. And I suppose if there are no updates and QA will just grab test
> builds to verify bugs then maybe official nightlies are, in fact, pointless.

I don't have strong feelings about providing nightly builds for shadow-central or not; turning them off was merely a reaction to the fact that they were delivered in public. If you're considering requesting them, please keep the following in mind though:
* builds could be in the private area
* if the client side update code can handle updates being served behind http auth, MARs can be in private, too. If not, they've got to be public or behind a vpn
* regardless of the above, snippets will be in public. They don't contain any secret information though, so that shouldn't be an issue.
Missed a spot.
Attachment #460834 - Flags: review?(bhearsum)
Comment on attachment 460834: Disable xulrunner nightlies

Good catch
Attachment #460834 - Flags: review?(bhearsum) → review+
Comment on attachment 460834: Disable xulrunner nightlies

http://hg.mozilla.org/build/buildbot-configs/rev/e66b2e081ea0 and pm01/pm03 reconfig'd.
Attachment #460834 - Flags: checked-in+
Product: mozilla.org → Release Engineering
Group: core-security → core-security-release
Group: core-security-release