Dustin Mitchell pointed out in Bug 772200 the necessity of a security review of tooltool. Tooltool (https://wiki.mozilla.org/ReleaseEngineering/Tooltool) is used to manage the download of binary artifacts used in several build processes, and (afaik) the code has never been reviewed by the Security Assurance Team. The review should encompass the existing codebase (https://github.com/mozilla/build-tooltool) and, more importantly, the proposed changes described in Bug 772190. Dustin Mitchell will be available to discuss server-side issues, and I will be the releng point of contact for the client part and the implementation of the new changes.
Assignee: nobody → fbraun
Simone, please answer these questions for the security review to proceed: Who is/are the point of contact(s) for this review? Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.): Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description: Does this request block another bug? If so, please indicate the bug number This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review? To help prioritize this work request, does this project support a goal specifically listed on this quarter's goal list? If so, which goal? Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.) Does this feature or code change affect Firefox, Thunderbird or any product or service the Mozilla ships to end users? Are there any portions of the project that interact with 3rd party services? Will your application/service collect user data? If so, please describe If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size):
Whiteboard: [pending secreview] → [pending secreview][score:low]
After speaking with Frederik, here some additional information (as requested). (This info has been kindly provided by rail, thanks!) 1) What kind of binaries are currently managed via tooltool? What are the relevant use cases? Some of the use cases: - mac desktop builds use tooltool to download clang (compiler) - android builds use tooltool to download Android SDK/NDK - B2G builds use tooltool to download emulators 2) How are binaries uploads managed at the moment? Usually tooltool uploads are done by a Releng person as a part of a particular bug (https://bugzilla.mozilla.org/show_bug.cgi?id=870173 for example) or by a buildduty person in case of emulator uploads (see https://wiki.mozilla.org/ReleaseEngineering:Buildduty:Other_Duties#B2G_Emulator)
Whiteboard: [pending secreview][score:low] → [pending secreview][score:low][Web]
Sorry, it took me a while to understand how tooltool is used ;) For the record: tooltool is present in everyone's mozilla central repo, i.e., in ./build/unix/build-clang/tooltool.py Manifests are in ./browser/config/tooltool-manifests (among others) and pulls in binaries to setup the build environment. I think we are done here :) Please address the bugs blocking this review.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Whiteboard: [pending secreview][score:low][Web] → [pending secreview][score:low]
Re-opening bug to perform an OpSec review.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Tooltool docs: https://mana.mozilla.org/wiki/display/IT/Tooltool RelEng PoC: Dustin
Risk review & security needs in https://mana.mozilla.org/wiki/display/IT/Tooltool#Tooltool-Security
The opsec review is done on this. Puppet module has been reviewed in https://bugzilla.mozilla.org/show_bug.cgi?id=930029#c19. r+, good to go.
Status: REOPENED → RESOLVED
Last Resolved: 6 years ago → 5 years ago
Resolution: --- → FIXED
See Also: → bug 930029
You need to log in before you can comment on or make changes to this bug.