Closed Bug 735075 Opened 12 years ago Closed 12 years ago

Sec Review: Distributed Events platform

Categories

(mozilla.org :: Security Assurance: Review Request, task)

task
Not set
critical

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: bsimon, Assigned: curtisk)

Details

(Whiteboard: [3rd party review])

We're starting a new project to support distributed learning events on the foundation side, which we're hoping to launch in early May. 

None of the major dev has begun, but we wanted to get this process started as early as possible.

The roadmap is here: https://wiki.mozilla.org/Webmakers/Event_Platform

1) Who is/are the point of contact(s) for this review?

Ben Simon, Michelle Thorne, & Ross Bruniges

2) Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):

The project in 5 sentences:
-Events are a major participation and community engine of Mozilla's webmaker efforts.
-We need a place to track webmaker events worldwide.
-That enables users to learn about, create, import, sign up for, and leave feedback about events.
-The site should allow for communication among organizers, participants, and staff.
-And it should be dead-simple to use. 

3) Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:

In addition to the wiki above, here are a couple of blog posts we've written as background:

engagingopenly.wordpress.com/2012/03/05/moving-forward-with-distributed-events/
http://michellethorne.cc/2012/03/mullet/

4) Does this request block another bug? If so, please indicate the bug number

Not yet

5) This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?

We want to launch by early May, in time for our summer campaign (https://wiki.mozilla.org/Foundation_Summer_2012_Campaign_Roadmap), which means we likely need a fairly expedited review.

6) Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.)
        
Does this feature or code change affect Firefox, Thunderbird or any product or service that Mozilla ships to end users?

>>NO
        
Are there any portions of the project that interact with 3rd party services?

>>Yes, Blue State Digital, which already provides the foundation's contribution and mailing management.

Will your application/service collect user data? If so, please describe 

>>Yes, we will be collecting user data for event creation and RSVP actions.

7)  If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size): 

Don't think I have anything extra -- hopefully the wiki & posts help answer additional Qs.
QA Contact: mcoates → jstevensen
we need to figure out a process for a 3rd party review
Assignee: security-assurance → curtisk
Whiteboard: [pending secreview] → [secr:curtisk][3rd party review]
Status: NEW → ASSIGNED
adding mcoates and yvan to this bug as I am not sure where we are with 3rd party reviews and how we need to proceed to keep this on track for desired release.
Ross can chime in further, but happy to help facilitate any reviews -- all the data will either be on Blue State Digital infrastructure (which has been thoroughly reviewed in the past), or on Mozilla infrastructure.
Whiteboard: [secr:curtisk][3rd party review] → [3rd party review]
Sorry - I've not seen any emails from this bug before...

What is the third party aspect of this review? Is this to review the BSD events codebase?
Hey all,

Upping the priority on this as our public launch date is May 15. If it helps in going through things, here are the notes from the data safety consultation we had with the DS team:

https://privacy.etherpad.mozilla.org/68
PW:  apr12

In terms of 3rd party reviews, BSD has already been reviewed extensively in our process to get them on board as our contribution processor, so there shouldn't be much more that needs to be done there.

We expect to have a full platform up and running by later this week or very early next week for you to be able to review.

Please let us know what we can help provide.
Severity: normal → critical
Security wise we are good as this has been vetted before. We would like to perform a brief review when the page goes live just to be sure. Privacy wise I will leave that up to the experts from that area to chime in.
Great, thanks Curtis.

We'll post links here once things are ready for you to take a look.
(In reply to Curtis Koenig [:curtisk] from comment #6)
> Security wise we are good as this has been vetted before. We would like to
> perform a brief review when the page goes live just to be sure. Privacy wise
> I will leave that up to the experts from that area to chime in.

So just to hopefully clear up any confusion with whether we're reviewing third party or internally hosted code I've drafted a quick explanation here: https://teamross.etherpad.mozilla.org/13

The Blue State Digital platform code can be found at https://donate.mozilla.org/page/event/create

We're having trouble deploying our code at the moment but it will live at (for dev) make-dev.mozillalabs.com. Our github repo is at https://github.com/rossbruniges/make.mozilla.org

Hope this information is useful, any further questions please let me know.
Hey Curtis et al - 

here's the functionally complete (though still fixing some final bugs from QA) events site: 
 
https://make-dev.mozillalabs.com/en-US/events/
Whiteboard: [3rd party review] → [3rd party review][triage 2012.05.16]
Heads up that this is basically code complete and through legal/privacy review. We're planning to soft-launch very soon, once it's pushed to production.

Please let us know if there's any need to hold.
FYI: domain is webmaker.org, cturra is on ops duty, and working w/ Ryan to get a temporary cert until we can transfer webmaker.org to mozilla formally.
Closing this out as I believe all sec review is finished here. Thanks all!
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Whiteboard: [3rd party review][triage 2012.05.16] → [3rd party review]
Status: RESOLVED → VERIFIED