Closed Bug 786836 Opened 7 years ago Closed 7 years ago

Create flag 'sec-approval' flag

Categories

(bugzilla.mozilla.org :: Administration, task)

Production
x86
macOS
task
Not set


VERIFIED FIXED

People

(Reporter: abillings, Assigned: dveditz)

Details

Please create a new flag, 'sec-approval', with ?, +, and - states.

If there is any way to restrict this to bugs in the core-security group, that would be wonderful. Otherwise, just create it across the board.

This is for tracking security bug landings (and approving them) per discussion in dev.planning and dev.security.
(In reply to Al Billings [:abillings] from comment #0)
> Please create a new flag, 'sec-approval'with ?, +, and - states.
> 
> If there is any way to restrict this to bugs in the core-security group,
> that would be wonderful. Otherwise, just create it across the board.
> 
> This is for tracking security bug landings (and approving them) per
> discussion in dev.planning and dev.security.

Currently we can restrict the setting of states to certain groups but not filter the display of the flags based on group membership of a bug. So it would have to be visible in bugs regardless of their groups. We can, however, only display the flag for any combination of product/component, which would be preferable as we have some products where we would not necessarily want the flag to show up, such as 'Bugzilla', etc.

We can definitely create this flag for you. A couple of things I will need are a brief description of the flag for display on mouseover and lastly a list of products for it to be visible for (or which not to be visible for).

I see that we have a 'sec-review' flag already which we could just copy everything except for the description and the group that can grant the flag (+ or -). Would that work?

dkl
I'm not sure what products or components sec-review covers. I know we use it for web products, which we do not need sec-approval on. sec-approval is for Firefox, Thunderbird, and Core platform bugs. 

Looking at other flags, I don't see how to trigger mouseover. I never see any mouseover text normally on any of the Tracking or Project flags that I see.
(In reply to Al Billings [:abillings] from comment #2)
> I'm not sure what products or components sec-review covers. I know we use it
> for web products, which we do not need sec-approval on. sec-approval is for
> Firefox, Thunderbird, and Core platform bugs. 

Ok. I will create it and enable it for the products that are not web-related.

> Looking at other flags, I don't see how to trigger mouseover. I never see
> any mouseover text normally on any of the Tracking or Project flags that I
> see.

Admittedly it is not ultra-obvious (should file a bug for that), but if you mouse over the name of the flag in the list of flags on the right side, it shows a tooltip with the flag's longer description.

dkl
You can tooltip it "Security Approval for landing" then.
Ok I have created the new sec-approval flag:

name: sec-approval
description: Security approval for landing
grant group: core-security
request group: anyone
products visible:
Core
Firefox
Firefox for Android
Thunderbird

Let me know if any changes need to be made.

dkl
Assignee: nobody → dkl
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
We aren't seeing this flag when we looked today.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
In which product is the bug where you are not seeing the flag? Currently the sec-approval flag is only viewable for

Core
Firefox
Firefox for Android
Thunderbird

dkl
Never mind. We were expecting it as a patch flag and looked in the wrong place. We're having a debate about keeping it as a bug level flag so there is nothing to change right now.
Status: REOPENED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Moved this from a bug flag to an attachment flag. It's available on the client products

  Boot2Gecko
  Calendar
  Core
  Core Graveyard (just in case)
  Fennec
  Firefox
  Firefox for Android
  Mailnews Core
  Mailnews Core Graveyard
  Thunderbird
  Toolkit
  Toolkit Graveyard

The approval grant group is currently core-security, but maybe it should be some release-driver triage group instead (e.g. the esr10 approval flag is restricted to mozilla-next-drivers).

There's currently no request text. I know we want that so I'll leave the bug open until Al and/or Alex tells me what you want there.
Assignee: dkl → dveditz
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
In order for this to work as expected, there needs to be an hg hook that looks for sec-approval=whoever for bugs that are not public.

It isn't a matter of working on the "honor system," but rather people will forget about this policy, and there will be people that never learn this policy until it is too late, and there will be people that don't adjust their commit message to remove sensitive information, even if they remember the policy.

(In reply to Daniel Veditz [:dveditz] from comment #9)
> The approval grant group is currently core-security, but maybe it should be
> some release-driver triage group instead (e.g. the esr10 approval flag is
> restricted to mozilla-next-drivers).

Rather have it be core-security, because release drivers have their own flags.
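The hook proposed above (reject a push that references a non-public bug unless the commit message carries a sec-approval=whoever token) is not on this page as code; what follows is an added illustration, not anything from BMO or mozilla-central. The bug numbers and approver names in it are constructed, and the `pretxnchangegroup` entry point is an assumed Mercurial hook signature that the check function itself does not depend on.

```python
import re
from typing import Iterable, List, Set

# Bug references as they typically appear in Mozilla commit messages ("Bug 123 - ...").
BUG_RE = re.compile(r"\b[Bb]ug\s*#?(\d+)")
# The approval token the thread asks the hook to look for.
APPROVAL_RE = re.compile(r"\bsec-approval=([\w.@-]+)")

# Constructed sample of bug IDs that are hidden in the core-security group.
# A real hook would fetch this from Bugzilla rather than hard-code it.
PRIVATE_BUGS = {900001, 900002}


def referenced_bugs(message: str) -> Set[int]:
    """All bug IDs mentioned anywhere in a commit message."""
    return {int(n) for n in BUG_RE.findall(message)}


def check_commit(message: str, private_bugs: Iterable[int]) -> List[str]:
    """Return the reasons this commit must not land (empty list means OK).

    Commits that touch only public bugs pass untouched; a commit that references
    any non-public bug must name an approver via sec-approval=<who>.
    """
    private = set(private_bugs)
    hidden = sorted(b for b in referenced_bugs(message) if b in private)
    if not hidden:
        return []
    approver = APPROVAL_RE.search(message)
    if approver is None:
        return ["commit references non-public bug(s) %s but has no sec-approval=<approver>"
                % ", ".join(str(b) for b in hidden)]
    return []


def pretxnchangegroup(ui, repo, hooktype, node=None, **kwargs):
    """Assumed hg hook entry point: walk every incoming changeset, fail the push on the first problem."""
    first = repo[node].rev()
    for rev in range(first, len(repo)):
        for reason in check_commit(repo[rev].description(), PRIVATE_BUGS):
            ui.warn("%s: %s\n" % (repo[rev].hex()[:12], reason))
            return 1  # non-zero aborts the transaction
    return 0
```

Wire it up in the server repository's hgrc as `pretxnchangegroup.secapproval = python:/path/to/this_file.py:pretxnchangegroup` (path is a placeholder).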
Please reopen (or open new bug) if there is anything left to do here on the BMO end.
Status: REOPENED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
All good.
Status: RESOLVED → VERIFIED