Closed Bug 884347 Opened 11 years ago Closed 11 years ago

SecReview for tooltool

Categories

(mozilla.org :: Security Assurance: Review Request, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: sbruno, Assigned: jvehent)

Details

(Whiteboard: [pending secreview][score:low])

Dustin Mitchell pointed out in Bug 772200 the necessity of a security review of tooltool.

Tooltool (https://wiki.mozilla.org/ReleaseEngineering/Tooltool) is used to manage the download of binary artifacts used in several build processes, and (afaik) the code has never been reviewed by the Security Assurance Team.

The review should encompass the existing codebase (https://github.com/mozilla/build-tooltool) and, more importantly, the proposed changes described in Bug 772190.

Dustin Mitchell will be available to discuss server-side issues, and I will be the releng point of contact for the client part and the implementation of the new changes.
Assignee: nobody → fbraun
Simone, please answer these questions for the security review to proceed:

Who is/are the point of contact(s) for this review?
Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):
Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:
Does this request block another bug? If so, please indicate the bug number.
This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?
To help prioritize this work request, does this project support a goal specifically listed on this quarter's goal list? If so, which goal?
Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.)

    Does this feature or code change affect Firefox, Thunderbird or any product or service that Mozilla ships to end users?
    Are there any portions of the project that interact with 3rd party services?
    Will your application/service collect user data? If so, please describe.

If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size):
Flags: needinfo?(sbruno)
Whiteboard: [pending secreview] → [pending secreview][score:low]
After speaking with Frederik, here is some additional information (as requested).
(This info has been kindly provided by rail, thanks!)

1) What kind of binaries are currently managed via tooltool? What are the relevant use cases?
Some of the use cases:
-  mac desktop builds use tooltool to download clang (compiler)
-  android builds use tooltool to download Android SDK/NDK
-  B2G builds use tooltool to download emulators

2) How are binary uploads managed at the moment?

Usually tooltool uploads are done by a Releng person as a part of a particular bug (https://bugzilla.mozilla.org/show_bug.cgi?id=870173 for example) or by a buildduty person in case of emulator uploads (see https://wiki.mozilla.org/ReleaseEngineering:Buildduty:Other_Duties#B2G_Emulator).
Flags: needinfo?(sbruno)
Whiteboard: [pending secreview][score:low] → [pending secreview][score:low][Web]
Sorry, it took me a while to understand how tooltool is used ;)
For the record: tooltool is present in everyone's mozilla central repo, i.e., in ./build/unix/build-clang/tooltool.py
Manifests are in ./browser/config/tooltool-manifests (among others) and pull in binaries to set up the build environment.

I think we are done here :)
Please address the bugs blocking this review.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Whiteboard: [pending secreview][score:low][Web] → [pending secreview][score:low]
Re-opening bug to perform an OpSec review.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee: fbraun → jvehent
Tooltool docs: https://mana.mozilla.org/wiki/display/IT/Tooltool
RelEng PoC: Dustin
Blocks: 920485
Risk review & security needs in https://mana.mozilla.org/wiki/display/IT/Tooltool#Tooltool-Security
The opsec review is done on this. Puppet module has been reviewed in https://bugzilla.mozilla.org/show_bug.cgi?id=930029#c19.

r+, good to go.
Status: REOPENED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
See Also: → 930029