Closed Bug 810472 Opened 9 years ago Closed 9 years ago

security review of release kickoff system

Categories

(mozilla.org :: Security Assurance: Review Request, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bhearsum, Assigned: curtisk)

Details

(Whiteboard: [pending secreview][start 2012-11-09][target 2012-11-30][score:8:low][blocks:m.o/releng automation (rel automation)])

Per our meeting last week, we need to do a security review of this system. I can't recall if we wanted to do that now or when it's closer to completion, but either way is fine for us. I've also got it on my list to make a list of all the servers+ports that the system talks to. Do you want that here or elsewhere?
1) Who is/are the point of contact(s) for this review?
2) Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):
3) Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:
4) Does this request block another bug? If so, please indicate the bug number
5) This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?
6) To help prioritize this work request, does this project support a goal specifically listed on this quarter's goal list?  If so, which goal?
7) Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.)
7a) Does this feature or code change affect Firefox, Thunderbird or any product or service that Mozilla ships to end users?
7b) Are there any portions of the project that interact with 3rd party services?
7c) Will your application/service collect user data? If so, please describe
8) If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size):
9) Desired Date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite.
Flags: needinfo?(bhearsum)
Whiteboard: [pending secreview][needs info][triage needed]
(In reply to Curtis Koenig [:curtisk] from comment #1)
> 1) Who is/are the point of contact(s) for this review?

Ben Hearsum, Rail Aliiev

> 2) Please provide a short description of the feature / application (e.g.
> problem solved, use cases, etc.):

Release Kickoff is a system that automates the manual steps that RelEng currently does to do a Beta, Final, or ESR release. For now, it's intended to make our jobs easier when given a go to build. Since we're only acting as middle-people right now, eventually we want it to be a turnkey system that Release Management can use to initiate their own releases.

> 3) Please provide links to additional information (e.g. feature page, wiki)
> if available and not yet included in feature description:

https://etherpad.mozilla.org/ReleaseKickOff

> 5) This review will be scheduled amongst other requested reviews. What is
> the urgency or needed completion date of this review?

We'd like to have this running in production, limited to RelEng, by mid-December.

> 6) To help prioritize this work request, does this project support a goal
> specifically listed on this quarter's goal list?  If so, which goal?

Not explicitly. But it does fall under "ship releases as usual" (https://intranet.mozilla.org/2012Q4Goals#Release_Engineering, which links to https://releng.etherpad.mozilla.org/releng-priorities).

> 7a) Does this feature or code change affect Firefox, Thunderbird or any
> product or service that Mozilla ships to end users?

Not directly. This system is automating existing manual steps -- we're not making any changes to the process though.

> 7b) Are there any portions of the project that interact with 3rd party
> services?

No. The system only talks with other internal systems.

> 7c) Will your application/service collect user data? If so, please describe

N/A.

> 9) Desired Date of review (if known from
> https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html)
> and whom to invite.

Any of the 10am Thursday/Friday slots are probably OK. Not sure if we need to wait until the code is closer to finished though (e.g., we don't have CSRF protection implemented yet).
Flags: needinfo?(bhearsum)
We can review before; we can have dependent testing bugs that can confirm and check once code is complete. How about Nov-15 or Nov-16?
Flags: needinfo?(bhearsum)
Whiteboard: [pending secreview][needs info][triage needed] → [pending secreview][triage needed]
The 15th should be fine. Rail will be attending too, and maybe Chris AtLee.
Flags: needinfo?(bhearsum)
Risk/Priority Ranking Exercise https://wiki.mozilla.org/Security/RiskRatings

Priority: 2 (P4) - Team Quarterly Goal

Operational: 1 - Minor
User: 0 - N/A
Privacy: 0 - N/A
Engineering: 1 - Minor
Reputational: 1 - Minor

Priority Score: 8
Assignee: nobody → curtisk
Status: NEW → ASSIGNED
Component: Security Assurance: Applications → Security Assurance: Review Request
Whiteboard: [pending secreview][triage needed] → [pending secreview][start 2012-11-09][target 2012-11-30][score:8:low]
OS: Linux → All
Hardware: x86_64 → All
Whiteboard: [pending secreview][start 2012-11-09][target 2012-11-30][score:8:low] → [pending secreview][start 2012-11-09][target 2012-11-30][score:8:low][blocks:m.o/releng automation (rel automation)]
Review complete: https://wiki.mozilla.org/Security/Reviews/ReleaseKickOffSys
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED