Closed Bug 751661 Opened 12 years ago Closed 12 years ago

Mozillians Phonebook API: Security Review

Categories

(mozilla.org :: Security Assurance: Review Request, task, P4)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: aakashd, Assigned: ygjb)

Details

(Keywords: privacy-review-needed, Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][score:21::Medium])

1. Who is/are the point of contact(s) for this review?
Timothy Watts, James Socol and Aakash Desai

2. Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):

Phonebook information needs to be more widely available to other mozilla.org sites. The "Services" feature in the app aims to make Mozillian Phonebook profiles the one-stop shop for contributor profiles within the Mozilla Project.

Standard use cases: https://mozillians.etherpad.mozilla.org/phonebook-data-use

3. Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:

https://wiki.mozilla.org/Mozillians/Releases/1.5/Services

4. Does this request block another bug? If so, please indicate the bug number

No, but it does block the release of the Taskboard app which will use the API. 
https://wiki.mozilla.org/Mozillians/TaskBoard

5. This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?

We'd like to release the API in the 3rd or 4th week of May.

6. To help prioritize this work request, does this project support a goal specifically listed on this quarter's goal list?  If so, which goal?

Yes, by Contributor Engagement and Webdev:

https://intranet.mozilla.org/2012Q2Goals#Contributor_Engagement 

7. Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.)
7a. Does this feature or code change affect Firefox, Thunderbird or any product or service that Mozilla ships to end users?

No

7b. Are there any portions of the project that interact with 3rd party services?

Yes.

7c. Will your application/service collect user data? If so, please describe 

Yes. It's a Phonebook app, so the profile fields are many and of a large variety:

* First/Last Name
* IRC Nickname
* E-mail(s)
* Website/Blog
* Profile Photo
* Location
* Groups
* Skills
* Bio/Description

8. If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size):

Nothing. We're looking to tap into many mozilla.org properties other than Community Tools. The 1st set will be the Mozilla Reps portal and Bugzilla.

9. Desired Date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite.

In the next week or two. rforbes and yvan.

Whiteboard: [pending secreview][triage needed 2012.05.09]
Assignee: nobody → yboily
Status: NEW → ASSIGNED
Whiteboard: [pending secreview][triage needed 2012.05.09] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd]

Even though I filed the bug, the real point of contact here will be jsocol (James Socol) as the primary and timw (Timothy Watts) as a secondary.

Risk/Priority Ranking Exercise https://wiki.mozilla.org/Security/RiskRatings

Priority: 2 (P4) - Team Quarterly Goal

Operational: 0 - N/A
User: 0 - N/A
Privacy: 2 - Normal
Engineering: 1 - Minor
Reputational: 5 - Blocker

Priority Score: 21
Severity: normal → blocker
Priority: -- → P4
Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][score:21::Medium]
From Bug 799140 Comment 0 (which was closed as duplicate)
Ben (:bensternthal)

We would like a security review of the 1.0 release of the Mozillians API. 

Our current live date is November 19 and we think the sec review can happen between 11/5 - 11/16. This is an initial release of a Mozillian API and the sec review is a launch dependency.


==================================================

Who is/are the point of contact(s) for this review?

Product owner - Aakash Desai
Developers - Giorgos Logiotatidis / Andrei Hajdukewycz
TPM - Benjamin Sternthal
    
Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):

An API for Mozillian Data. 
Wiki: https://wiki.mozilla.org/Mozillians
API Spec: https://wiki.mozilla.org/Mozillians/API-Specification (DRAFT)
    
  
Does this request block another bug? If so, please indicate the bug number. This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?

This request blocks the launch of the application. https://bugzilla.mozilla.org/show_bug.cgi?id=752997

Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.)

Does this feature or code change affect Firefox, Thunderbird or any product or service that Mozilla ships to end users?

This project only affects the Mozillians application.

Are there any portions of the project that interact with 3rd party services?

No

Will your application/service collect user data? If so, please describe 

No, the API exposes user data entered into mozillians; privacy controls will be added to the app as part of the project. Stacy & Tom reviewed the project via email and approved on 9/4.

If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size)

Desired Date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite.

We have the sec review scheduled for 11/5 - 11/16.
Blocks: 752997
Date Update

Code is currently on stage, we are still targeting 11/19 launch.
A bit of triage:

Adding note from email conversation 11/19/2012

Yvan gave us the go-ahead to launch as he did not find any blockers.

If Yvan has completed review we should close out this one.

Can we close this one out?

Yes, this was completed a long time ago.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Flags: needinfo?(yboily)
Resolution: --- → FIXED
See Also: → 1049733