Closed Bug 793148 Opened 12 years ago Closed 9 years ago

Set up a good process for updating Hacks plugins regularly

Product/Component: Developer Engagement :: Mozilla Hacks
Type: task
Platform: x86, macOS
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: robert, Unassigned, NeedInfo
References: Blocks 4 open bugs

Seeing that 5 plugins have been waiting for an update for a while (where 4 of them are activated) at Mozilla Hacks - https://hacks.mozilla.org/wp-admin/plugins.php?plugin_status=active - I'm trying to learn more about the process.

I assume they go through security audits and such, but in general:

- Who does these audits?
- What's a normal time to wait?
- Is there a schedule for this?
Still no updated plugins. I need to know how this works, and on what schedule.
Thanks.
Security reviews are done by the Web App Security team, and they need to review any new plugins you wish to add. The current hacks site predates the security procedures so I don't know if the current collection of plugins have been reviewed at all.

As with most things, wait time depends on the team's workload and the urgency of need, as well as the complexity of the code to review. Sometimes a review can be done within a few hours, sometimes it can take a few weeks. File a bug and they'll assign it and can usually give some kind of estimate at that point.

More info at https://wiki.mozilla.org/WebAppSec/Security_Review_Request. Be sure to use the bugzilla shortcut link on that page for review requests so the folks watching the proper components will see it.

There is no regular schedule for WordPress plugin updates as far as I know, but someone from IT could correct me on that. I know for blog.mozilla.org it's semi-regular and mostly handled by IT via externals in Subversion, but hacks is a separate entity and may not get any upgrades unless you ask for them.
Hi, I do a lot of the security reviews for WordPress plugins. I don't currently have any assigned to me, so if you could link me to the bug numbers, I'd be happy to expedite them. As craigcook mentioned, they should have been filed using the Security Review Request which will get them to our team the quickest.
Thanks for the clarification!
I was under the impression that they were monitored and updated automatically.

I'll file bugs accordingly, and CC!
I've been assigned to all of those bugs. I'm going to use this bug as a tracker for them so you can see them all/how many are complete.

This might take a week or so as I have some other more critical reviews ahead of these, but I'll do my best to go through them quickly.

Thanks,
Matt
Thanks Matt!
Good to know, and now I know the process as well!
:mfuller: What is the status of the sec reviews on these three plugins?
Depends on: 809466
Flags: needinfo?(mfuller)
Summary: Who updates plugins for Mozilla Hacks, and what's the schedule? → Set up a good process for updating Hacks plugins regularly
Component: hacks.mozilla.org → Mozilla Hacks
Product: Websites → Mozilla Developer Network
I saw that parts of Hacks were recently updated. Awesome! Could we call this bug resolved? Who should own the work of keeping Hacks plugins up to date in the future?
Flags: needinfo?(nmaul)
Flags: needinfo?(jstevensen)
There are a couple of things needed to do this effectively.

1. we need to catalog/inventory what wp plugins are installed and where
2. we need a way to push updated plugins to wp installations

On the OpSec side, we've been creating some tools to help with item #1. Let me ping Michael Henry to see where we are on this.
Flags: needinfo?(jstevensen)
Flags: needinfo?(mhenry)
Right, anything that we can do to make sure this happens on a needed and regular basis. So I'd say this bug is about establishing that process, so we don't need to file new bugs as soon as a plugin is updated etc.
Currently we have 6 plugins waiting for an update, and they've been there a while: https://hacks.mozilla.org/wp-admin/plugins.php?plugin_status=upgrade
Sorry for the delay on this. I've been out on medical leave for two broken wrists.

I can get a list of installed plugins on the system (i.e., not from WordPress) and their versions regardless if they are enabled or not.

It appears in Comment 11 that there are plugins that are out of date? What do we need to get them updated? Is this a job for webops?
Flags: needinfo?(mhenry)
Sorry let me rephrase my previous comment.

I can provide a list of plugins on that host/website that is gathered independently from WordPress. I have a hack of a script that can tell if those plugins are out of date. Not sure what the most effective solution is from this point?

Could email when an out of date plugin is detected?

Who is responsible for updating plugins currently?  Pardon if it's already stated above, but I want to ask and be sure as this is an old bug.
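
An added example (not the script mentioned in this bug, which does not appear on this page): one way to build the plugin inventory from the filesystem rather than from WordPress and flag stale versions. The directory layout, plugin slugs and the `latest` reference map are constructed for illustration; parsing relies on the `Plugin Name:` / `Version:` comment header that WordPress plugins carry in their main PHP file.

```python
import re
import tempfile
from pathlib import Path

# Matches "Plugin Name:" / "Version:" lines in a plugin's PHP comment header.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.M | re.I)

def read_header(php_file):
    """Parse header fields from the first 8 KiB, the part WordPress itself reads."""
    text = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    return {k.lower(): v for k, v in HEADER_RE.findall(text)}

def inventory(plugins_dir):
    """Map slug -> version from disk only, whether or not the plugin is enabled."""
    found = {}
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        meta = read_header(php)
        if "plugin name" in meta:  # only the main plugin file has the header
            found[php.parent.name] = meta.get("version", "0")
    return found

def version_key(v):
    """Numeric sort key; trailing zeros dropped so 1.4 == 1.4.0."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def outdated(installed, latest):
    """Return (slug, installed, latest) for each plugin behind the reference list."""
    return [(slug, ver, latest[slug]) for slug, ver in sorted(installed.items())
            if slug in latest and version_key(ver) < version_key(latest[slug])]

def demo():
    """Build a constructed plugins tree in a temp dir and report stale plugins."""
    with tempfile.TemporaryDirectory() as tmp:
        for slug, ver in {"example-gallery": "1.4", "example-syntax": "2.0.1"}.items():
            d = Path(tmp, slug)
            d.mkdir()
            (d / f"{slug}.php").write_text(
                f"<?php\n/*\nPlugin Name: {slug}\n * Version: {ver}\n*/\n")
            (d / "helper.php").write_text("<?php // no plugin header\n")
        latest = {"example-gallery": "1.4.0", "example-syntax": "2.1"}  # constructed
        return outdated(inventory(tmp), latest)

if __name__ == "__main__":
    for slug, have, want in demo():
        print(f"{slug}: installed {have}, latest {want}")
```

The tuples returned by `outdated()` are what a scheduled job would mail to whoever owns plugin updates; plugins shipped as a single file directly under the plugins directory are not covered by this glob.
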
Welcome back, Michael!
Short answer is: I have no idea who's responsible, if anyone actually is. That's what I'd like to find out, a good process for this. If your script can check that and can notify a person assigned to that, who will then update the plugins, then we should be all good (and preferably I'd know who that person is, so I can reach out if needed).
Jake,

We can update plugins, and pull you in if/when we run into issues. Does this sound good to you? If not, can WebOps put together an alternative update process?
Blocks: 805595
Blocks: 804528
Blocks: 804527
May I ask if there is a reason why we can't roll hacks into blog.mozilla.org via wordpress-mu?

Would reduce the support burden and attack surface of maintaining multiple WordPress instances.
Blocks: 811473
This was indeed rolled into blog.mozilla.org late last year, which has since migrated to WPEngine. Closing this out as fixed (in a roundabout way).
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(nmaul)
Resolution: --- → FIXED
Product: Mozilla Developer Network → Developer Engagement