Closed Bug 744915 Opened 12 years ago Closed 11 years ago

Secreview of B2G App Security Model


( :: Security Assurance: Review Request, task, P2)


(Not tracked)

Due Date:


(Reporter: curtisk, Assigned: curtisk)




(Whiteboard: [pending secreview] [start 04/18/2012][target ??/??/2012][score:76::High])

Who is/are the point of contact(s) for this review?
Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):
Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:
Does this request block another bug? If so, please indicate the bug number This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?

Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.)

Does this feature or code change affect Firefox, Thunderbird or any product or service the Mozilla ships to end users?

Are there any portions of the project that interact with 3rd party services?

Will your application/service collect user data? If so, please describe 

If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size):

Desired Date of review (if known from and whom to invite.
One thing - I am currently driving the development of the security model, and I am also the reviewer, is this appropriate?
Whiteboard: [pending secreview] → [pending secreview] [start 04/18/2012][target 05/09/2012]
I think it is fine for now, but we will likely want to get input from a wider audience as it firms up. We can do that with the team as a group to validate any assumptions or thinking as this moves forward.
Assignee: ptheriault → nobody
Component: Security Assurance: Review Needed → General
Product: → Boot2Gecko
QA Contact: security-assurance → general
Target Milestone: --- → DeveloperPhone
Version: other → unspecified
Assignee: nobody → ptheriault
This review should probably be combined with bug 749379. (Implmentation of the permission manager). 

But is pretty close to final for V1 I think, so we might want to kick this one off soon?
I have made this bug block 758652 as this is basically the implementation of the App Security Model.

The permissions manager is a related bug as well 707625.
Blocks: 758652
Whiteboard: [pending secreview] [start 04/18/2012][target 05/09/2012] → [pending secreview] [start 04/18/2012][target ??/??/2012]
I don't understand what this bug is. It sounds like a meta-bug to implement a B2G security model, however bug 764189 is exactly that and is currently much more complete.
Summary: B2G App Security Model → Secreview of B2G App Security Model
This is the tracking bug for the security team to review the implementation of the app security model, ie bug 764189. But I guess you worked that out form the title change.

I understand there is a lot of work being done this week for this - can we perhaps conduct an initial security at the end of the week while it is fresh in everyone's mind?
Assignee: ptheriault → nobody
Component: General → Security Assurance: Review Request
Product: Boot2Gecko →
Target Milestone: DeveloperPhone → ---
Version: unspecified → other
Work on the implementation is ongoing (bug 764189).
Priority: P1 → P2
This needs to be a team review so I am taking it
Assignee: nobody → curtisk
Risk/Priority Ranking Exercise

Priority: 4 (P2) - Mozilla Initiative

Operational: 0 - N/A
User: 5 - Blocker
Privacy: 4 - Critical
Engineering: 5 - Blocker
Reputational: 5 - Blocker

Priority Score: 76
Severity: normal → blocker
Whiteboard: [pending secreview] [start 04/18/2012][target ??/??/2012] → [pending secreview] [start 04/18/2012][target ??/??/2012][score:76::High]
Due Date: 2012-11-30
Paul, any idea on when we might have this in a state where it is ready to review?
Flags: needinfo?(ptheriault)
At the time when I created this bug, the app security model was basically the permissions model. The permission model is now finalised, based upon a review that happened about 3 weeks ago with Jonas, Lucas and security team reps (David, Raymond & myself). The output was the fianlised permission model here:

There was some updates to bring implementation inline with design, tracked here:

Technically, an "App Security Model" includes other aspects (udates, delivery, installation etc) but these aspects are being tracked in other specific reviews so I think we can probably close this.
Closed: 11 years ago
Flags: needinfo?(ptheriault)
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.