Closed Bug 663895 Opened 13 years ago Closed 11 years ago

Archive out of date pages and migrate developer docs in mozilla.org/projects/security

Categories

(NSS :: Documentation, defect)

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 818313

People

(Reporter: davidwboswell, Unassigned)

Out of date pages in mozilla.org/projects/security should be archived so that people don't come across these and think the information is current.  

Archived content will still be available on the archive site where there is a note on pages that the content is being made for historical reasons only.  See:

http://www-archive.mozilla.org/projects/security/

There are certainly pages still being actively maintained in this section, but it also looks like there are pages that haven't been touched in a long time.  For instance, the Component Security main page hasn't had a non-formatting edit since 2006.

http://www.mozilla.org/projects/security/components/index.html

Any old developer documents in this section should also be migrated over to the appropriate places on MDN so that it is easier to maintain the documents and so it will be easier to find these documents when people search for security related information.

To browse what files are in this section of the site, you can look through the SVN repository at:

http://viewvc.svn.mozilla.org/vc/projects/mozilla.org/trunk/projects/security/

If someone who is familiar with this content could propose a list of pages to archive or migrate, that would be very helpful.

The removal of out of date pages is a requirement for the upcoming merge of mozilla.org and mozilla.com so ideally we'll be able to review the content in here within the next few weeks.
Assignee: nobody → nobody
Component: www.mozilla.org → Documentation
Product: Websites → NSS
QA Contact: www-mozilla-org → documentation
In a different bug, Nelson mentioned that the NSS product and Documentation component is the right place to discuss issues with the www.mozilla.org/projects/security pages.

Could someone please review the content currently on www.mozilla.org and recommend what can be archived, what can be migrated to MDN or the wiki and what should remain on www.mozilla.org?  Thanks.
Here’s the stuff that I know about…

-- Content that needs to stay in www.mozilla.org/projects/security/
certs/included
certs/pending
certs/policy
certs/certificate-list-html.xsl
certs/certificate-list.css
certs/index.html

security-bugs-policy.html


-- Content that can be archived
certs/certfiles
certs/ev
certs/removal-policy  (this is in the main policy now)
certs/cacertlist.csv

Thanks,
Kathleen
Here’s my opinion on other files (though I don’t maintain them).

-- Content that needs to stay in www.mozilla.org/projects/security/

known-vulnerabilities.html
older-vulnerabilities.html

membership-policy.html 
secgrouplist.html

tld-idn-policy-list.html


-- Content that can be archived

phishing-test-results.html
Is it perhaps because the index files are xml?
Kathleen, this is likely to be an issue with the mozilla.com/.org merge that just went live.  I'm copying James Long on this who can figure out what's going on with serving those .xml files.

Note that if this is from the merge, we should open a separate bug since it's not related to archiving out of date pages.
Bug 681902 filed.

Gerv
(In reply to Kathleen Wilson from comment #3)
> Here’s my opinion on other files (though I don’t maintain them).
> 
> -- Content that needs to stay in www.mozilla.org/projects/security/
> 
> known-vulnerabilities.html

For this page, it looks like an out of date version of:

http://www.mozilla.org/security/known-vulnerabilities.html

We should remove the one from /projects/security I imagine and redirect.
Based on earlier comments the following have just been archived in r94942 and r94943.

/projects/security/phishing-test-results.html
/projects/security/certs/certfiles
/projects/security/certs/ev
/projects/security/certs/removal-policy
/projects/security/certs/cacertlist.csv
The files in comment #9 are almost all from the certs directory, but I'm still seeing lots of old files in other parts of the /projects/security section that could be archived such as Netscape PKCS #11 Test Suites.

http://www.mozilla.org/projects/security/pki/pkcs11/netscape/index.html

Can someone else take a pass through the rest of the files?  Are there specific people to ping about reviewing the /components and /pki directory?
(In reply to Gordon P. Hemsley [:gphemsley] from comment #12)
> From bug 801686 comment 0:
>> A good chunk of the files under http://www.mozilla.org/projects/security/ 
>> have not been updated in at least 3 years. Many of them are out-of-date 
>> and have likely been superseded by better and more easily editable documents.
>> 
>> These documents can probably be archived:


Please do NOT archive the following pages. Even though they have not been modified in a long time, they are still valid and in use.

http://www.mozilla.org/projects/security/membership-policy.html
http://www.mozilla.org/projects/security/security-bugs-policy.html
http://www.mozilla.org/projects/security/components/


The following documents do look to be very out-of-date. 

Dan, do you agree that these can be archived? 

>> http://www.mozilla.org/projects/security/known-vulnerabilities.html
>> http://www.mozilla.org/projects/security/older-vulnerabilities.html
>> http://www.mozilla.org/projects/security/utf7xss.html

The known-vulnerabilities page is linked to from 
http://www.mozilla.org/projects/security/index.html
So this index page should be updated to either remove the link or fix it to point to wherever the current known-vulnerabilities page is. Dan?
(In reply to Kathleen Wilson from comment #13)
> Please do NOT archive the following pages. Even though they have not been
> modified in a long time, they are still valid and in use.
> 
> [...]
> http://www.mozilla.org/projects/security/components/

bz indicated in bug 427347 comment 8 that the following could be archived:

http://www.mozilla.org/projects/security/components/per-file.html

There was also talk in bug 292630 (albeit not by security folks) that the following could likely be archived:

http://www.mozilla.org/projects/security/components/jssec.html
http://www.mozilla.org/projects/security/components/signed-scripts.html

Keep in mind, too, that archiving (1) does not remove the content, only moves it out of active service, and, more importantly, (2) does not preclude the movement of contents onto MDN, where it can be actively maintained.

It has been established in the aforementioned bugs (and possibly elsewhere) that the contents of at least the components pages mentioned above are out of date. Why not move them all to MDN, where they can be more easily updated?

I think the components pages should be audited for continued relevance in general, as well.
"X.509 v3 Certificate Store" should be moved under "Open Source PKI Projects" because the certificate store is maintained as part of NSS and PSM.

I find the distinction between http://mozilla.org/projects/security/ and http://mozilla.org/security/ confusing. Also, IMO, http://mozilla.org/projects/security/ should be refactored/expanded so that it is the place to go for *current* security projects like CSP, HSTS and similar things, the web app security model, etc. It needs a lot of work.

RE: http://www-archive.mozilla.org/projects/security/components/:

   * Signed Script Policy
   * Configurable Security Policies (CAPS)
   * Signed Scripts & Privileges: An Example
   * Using a Master Certificate for Remote Trust Grants
   * Configuring Per-File Privileges

     See bug 787269, bug 750859, and bug 790023. A lot of this functionality has been removed.

   * Mozilla.org Policy on Handling Security Bugs
   * Current Members of the Mozilla security group
   * Known Vulnerabilities in Mozilla

     Should be removed and we should make sure mozilla.org/security is up-to-date.

   * Slides from 'Intro to Mozilla Security' talk, 3/4/02 (XML)

     Remove.
In fact, AFAICT, "Component Security" is best off just being torched. Whatever information is there is best put somewhere else. E.g. same-origin policy should be described well enough on MDN, "People" should be at mozilla.org/security, and the wishlist can be removed and replaced once we know what we want to say.
Depends on: 787269
(In reply to Brian Smith (:bsmith) from comment #16)
> In fact, AFAICT, "Component Security" is best off just being torched.
> Whatever information is there is best put somewhere else. E.g. same-origin
> policy should be described well enough on MDN, "People" should be at
> mozilla.org/security, and the wishlist can be removed and replaced once we
> know what we want to say.

Who can make that happen?
(In reply to Brian Smith (:bsmith) from comment #15)
> I find the distinction between http://mozilla.org/projects/security/ and
> http://mozilla.org/security/ confusing. 

I do too. How is it determined if something should go in mozilla.org/security versus mozilla.org/projects/security?

I just noticed that 
http://www.mozilla.org/projects/security/known-vulnerabilities.html
http://www.mozilla.org/projects/security/older-vulnerabilities.html
appear to have been replaced by 
http://www.mozilla.org/security/known-vulnerabilities/index.html
http://www.mozilla.org/security/known-vulnerabilities/older-vulnerabilities.html
So should the old (projects/security) pages be changed to re-directs to the new pages?
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE