Closed
Bug 802692
Opened 12 years ago
Closed 11 years ago
SecReview: New Socorro webapp
Categories
(mozilla.org :: Security Assurance: Review Request, task, P3)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: laura, Assigned: amuntner)
Details
(Whiteboard: [secreview completed][start 2012-12-10][target 2012-12-19][score:36:medium])
We are replacing the current webapp for Socorro (crash-stats.mozilla.com) with a new version that is built on Playdoh/Django.

- Who is/are the point of contact(s) for this review?
  Robert Helmer rhelmer@mozilla.com
  Laura Thomson laura@mozilla.com

- Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):
  Webapp that provides access to crash data including summary analysis and reporting. The initial version is intended to be functionally identical to the service at https://crash-stats.mozilla.com

- Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:

- Does this request block another bug? If so, please indicate the bug number
  https://bugzilla.mozilla.org/show_bug.cgi?id=788003 for staging

- This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?
  As soon as possible. We cannot release any new features to crash-stats production until this is signed off.

- To help prioritize this work request, does this project support a goal specifically listed on this quarter's goal list? If so, which goal?
  Yes. It supports the following goals:
  * Feature parity of Socorro on Django
  * Support for new hang data format in Socorro
  * Send an email to every user that crashes
  * Analysis of exploitable crashes
  * Publish a plan for tools-as-a-service offering for apps/marketplace

- Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.)

  - Does this feature or code change affect Firefox, Thunderbird or any product or service that Mozilla ships to end users?
    No, but this service is used to make shipping decisions for those products

  - Are there any portions of the project that interact with 3rd party services?
    The project interacts with Bugzilla

  - Will your application/service collect user data? If so, please describe
    Yes, but this part of the code is not changing. The specific case that needs secreview is that sensitive user data is exposed through the UI only to users who are logged in via LDAP, and have the appropriate LDAP bits set (raw dump access). That gives access to dumps, user emails, and the URLs on which the user crashed, as in the existing webapp.

- Desired Date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite.
  Any time from Monday October 22 onwards. I see there are slots on Wednesday October 24 and Friday October 26. Either of these would work for us.

The new webapp is currently available at http://crash-stats-new-dev.allizom.org/ and requires MPT VPN to view it.
Updated • 12 years ago
Whiteboard: [pending secreview] → [pending secreview][triage needed]
Updated • 12 years ago
Assignee: nobody → amuntner
Whiteboard: [pending secreview][triage needed] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd]
Please risk rank this bug and set its expected dates.
Flags: needinfo?(amuntner)
Comment 2 • 12 years ago (Assignee)
I'm working with Robert Helmer on this; he's getting my accounts provisioned so I can log in and take a look.
Flags: needinfo?(amuntner)
Comment 3 • 12 years ago (Reporter)
How's this going?
Updated • 12 years ago
Flags: needinfo?(amuntner)
Updated • 12 years ago (Assignee)
Flags: needinfo?(amuntner) needinfo?(amuntner) → needinfo-
Comment 4 • 12 years ago (Reporter)
Could we please get a status update here?
Updated • 12 years ago
Flags: needinfo?(amuntner)
Comment 5 • 12 years ago (Assignee)
Laura, I have everything I need in place for the test.
Flags: needinfo?(amuntner)
Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd] → [pending secreview][start 2012-11-19][target 2012-11-21]
Comment 6 • 12 years ago (Reporter)
How did you go?
Updated • 12 years ago
Flags: needinfo?(amuntner)
Comment 7 • 12 years ago (Reporter)
This was supposed to be complete by 11/21. Can you please advise the outcome?
Comment 8 • 12 years ago (Assignee)
Risk/Priority Ranking Exercise
https://wiki.mozilla.org/Security/RiskRatings

Priority: 3 (P3) - Overall Mozilla Quarterly Goal
Operational: 4 - Critical
User: 0 - N/A
Privacy: 2 - Normal
Engineering: 3 - Major
Reputational: 3 - Major

Priority Score: 36
Flags: needinfo?(amuntner)
Updated • 12 years ago (Assignee)
Whiteboard: [pending secreview][start 2012-11-19][target 2012-11-21] → [pending secreview][start 2012-11-19][target 2012-11-21][score:36:Medium]
Updated • 12 years ago (Assignee)
Priority: -- → P3
Comment 9 • 12 years ago (Assignee)
Laura, I had to put this test on hold temporarily due to other testing priorities. I'm currently triaging my entire bug list to reschedule my existing projects and will fit yours in near the top.
Priority: P3 → --
Whiteboard: [pending secreview][start 2012-11-19][target 2012-11-21][score:36:Medium] → [pending secreview][start 2012-11-19][target 2012-11-21]
Updated • 12 years ago (Assignee)
Priority: -- → P3
Whiteboard: [pending secreview][start 2012-11-19][target 2012-11-21] → [pending secreview][start 2012-11-19][target 2012-11-21][score:36:medium]
Updated • 12 years ago (Assignee)
Whiteboard: [pending secreview][start 2012-11-19][target 2012-11-21][score:36:medium] → [pending secreview][start 2012-12-10][target 2012-12-14][score:36:medium]
Comment 11 • 12 years ago (Assignee)
Laura, I'll have the review completed and bugs entered today.
Flags: needinfo?(amuntner)
Comment 12 • 12 years ago (Assignee)
Laura, I'm still wrapping up testing and need to take a sick day today - I'll be able to wrap it up tomorrow.
Updated • 12 years ago (Assignee)
Whiteboard: [pending secreview][start 2012-12-10][target 2012-12-14][score:36:medium] → [pending secreview][start 2012-12-10][target 2012-12-19][score:36:medium]
Comment 13 • 12 years ago (Assignee)
Logged in through Persona, I get the message that "You logged in as amuntner@mozilla.com but you don't have sufficient privileges." Is there a way I can get privileges temporarily?
Flags: needinfo?(laura)
Comment 14 • 12 years ago (Reporter)
Yes, file a bug under Server Ops Account Requests, and cc me.
Flags: needinfo?(laura)
Comment 15 • 12 years ago
(In reply to Adam Muntner :adamm from comment #13)
> Logged in through Persona, I get the message that
>
> "You logged in as amuntner@mozilla.com but you don't have sufficient
> privileges."
>
> Is there a way I can get privileges temporarily?

(In reply to Laura Thomson :laura from comment #14)
> Yes, file a bug under Server Ops Account Requests, and cc me.

BTW Adam we did allow access to a test account - amuntner+id1@mozilla.com - let me know if that works for you, then you don't need to file a server ops bug and have them modify your ldap settings (which we'd then have to undo, etc)
Comment 16 • 12 years ago (Reporter)
Is this done? We *really* need to move this forward ASAP.
Flags: needinfo?(amuntner)
Comment 17 • 12 years ago (Assignee)
Laura,

I am done with the review. I added a new bug, 825997

Let me know how I can continue to assist in getting this one resolved.
Flags: needinfo?(amuntner)
Updated • 12 years ago (Assignee)
Whiteboard: [pending secreview][start 2012-12-10][target 2012-12-19][score:36:medium] → [secreview completed][start 2012-12-10][target 2012-12-19][score:36:medium]
Comment 18 • 11 years ago
(In reply to Adam Muntner :adamm from comment #17)
> Laura,
>
> I am done with the review. I added a new bug, 825997
>
> Let me know how I can continue to assist in getting this one resolved.

Anything left to do or can we resolve this one?
Updated • 11 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED