Closed Bug 736691 Opened 12 years ago Closed 12 years ago

Boot2Gecko is a full OS: therefore a full OS security model is required

Categories

(Firefox OS Graveyard :: General, defect)

Product:
Firefox OS Graveyard
Component:
General
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED INVALID

People

(Reporter: lkcl, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.19) Gecko/20110430 Iceweasel/3.5.9 (like Firefox/3.5.9)
Build ID: 20100414091236




Expected results:

in reviewing https://wiki.mozilla.org/B2G_App_Security_Model the scope of the document explicitly excludes the B2G OS itself with the following statement:

  Non-goals

This document does not try to define the broader B2G security model, nor does it define the Open Web Apps security model even though we expect that B2G will contain a superset of the latter's requirements. 

this gives the impression that sorting out the security model of the whole OS is
unimportant, when it is in fact critical, fundamental and cannot be ignored.

the reason is very very simple: there is absolutely no way that security can be
implemented in userspace.  security has to be enforced right at the kernel level.

android got this right by creating a kernel-level security layer.  if B2G is to be
taken seriously, it has to do likewise.
Bugzilla is not intended for editorial comments, its an issue tracking system.

Please see: https://bugzilla.mozilla.org/page.cgi?id=etiquette.html
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
andreas: bugs are bugs. what would you recommend the correct wording is?  i do not have sufficient expertise in communication to describe what is required.  perhaps you could advise what the correct wording is?
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Bug reports need to either report user-visible defects or concrete work items in Mozilla code.  This bug does neither; it makes a statement that's patently obvious.

When bug reports don't conform to those guidelines, they get closed INVALID, which is what Andreas did and I'm doing now, again.  Do not reopen this bug while it doesn't conform to those guidelines.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago12 years ago
Resolution: --- → INVALID
ok, then i will raise a bugreport 'a concrete work item is needed where Mozilla code gets written that makes the security of the full OS behind B2G a priority item'.

does that sound better to you?

if i don't hear from you i will assume that it's acceptable to raise such a bugreport.
That's again a statement, rather than a defect or work item.  Do not file.
then tell me what _is_ acceptable, and what warrants a work item that will result in the B2G project having work carried out on its full OS.

the defect is: there is no OS for B2G, and there is no security work being done on that OS.

the work item is: there needs to be work done on B2G's Operating System, specifically in the area of security.

please choose which one you would like me to raise, and i will raise it.

alternatively you may state, categorically and explicitly, that there will be *be* no work carried out in the area of security for the B2G Operating System, because, in your view, B2G is not an Operating System, and thus there is no security work required to be carried out.

which is it to be, chris?

please make your position absolutely clear, chris, so that this can move forward and be properly resolved.

so.  your options:

1) you can state that B2G is not an operating system, and that OS security is outside of the remit of the B2G team.

2) you can help clarify that there is a defect (missing code, missing Operating System on which B2G-the-application will run)

3) you can help clarify that there is a work item (create secure Operating System on which B2G-the-application will run)

please choose 1, 2 or 3, chris.  if you do not choose, or do not assist in making the decision, i will assume that 2) or 3) is acceptable and will raise a bugreport as best that i can, making sure that it is within the guidelines that you have told me that bugreports must adhere to.
(In reply to Chris Jones [:cjones] [:warhammer] from comment #5)
> That's again a statement,

no, it's a question.  which you've avoided answering.  please do answer the question.  thank you.
You need to log in before you can comment on or make changes to this bug.