Closed Bug 897454 Opened 8 years ago Closed 8 years ago

SecReview: Simple Push Server

Categories

(mozilla.org :: Security Assurance: Review Request, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: psiinon, Assigned: curtisk)

Details

(Whiteboard: [qa-])

1) Who is/are the point of contact(s) for this review?
2) Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):
3) Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:
4) Does this request block another bug? If so, please indicate the bug number
5) This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?
6) To help prioritize this work request, does this project support a goal specifically listed on this quarter's goal list?  If so, which goal?
7) Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.)
7a) Does this feature or code change affect Firefox, Thunderbird or any product or service that Mozilla ships to end users?
7b) Are there any portions of the project that interact with 3rd party services?
7c) Will your application/service collect user data? If so, please describe
8) If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size):
9) Desired Date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite.
OS: Linux → All
Hardware: x86_64 → All
Flags: needinfo?(jrconlin)
> 1) Who is/are the point of contact(s) for this review?
jrconlin@mozilla.com

> 2) Please provide a short description of the feature / application (e.g.
> problem solved, use cases, etc.):
SimplePush is a remote "wake up" protocol to allow third party servers to send minimal content messages to remote devices.

> 3) Please provide links to additional information (e.g. feature page, wiki)
> if available and not yet included in feature description:
principal document:
https://wiki.mozilla.org/WebAPI/SimplePush

protocol spec:
https://wiki.mozilla.org/WebAPI/SimplePush/Protocol

> 4) Does this request block another bug? If so, please indicate the bug number
No.

> 5) This review will be scheduled amongst other requested reviews. What is
> the urgency or needed completion date of this review?

> 6) To help prioritize this work request, does this project support a goal
> specifically listed on this quarter's goal list? 
This project is part of a previous set of goals and is requested for re-review since the protocol has been modified.

> 7) Please answer the following few questions: (Note: If you are asked to
> describe anything, 1-2 sentences shall suffice.)
> 7a) Does this feature or code change affect Firefox, Thunderbird or any
> product or service that Mozilla ships to end users?
This is a back-end service used by Firefox.

> 7b) Are there any portions of the project that interact with 3rd party
> services?
Yes, third parties are provided an endpoint URL which they can use to PUT numeric version number updates.

> 7c) Will your application/service collect user data? If so, please describe
No. No user data will be collected.

> 8) If you feel something is missing here or you would like to provide other
> kind of feedback, feel free to do so here (no limits on size):
While the protocol is fairly open, we've done everything we can to make it as useless to attack as possible. That said, we're very close to this so we may not be spotting an obvious flaw or issue. We'd love to have feedback from y'all.

> 9) Desired Date of review (if known from
> https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html)
> and whom to invite.
By Aug 02, 2013. 
invite: 
rtilder@mozilla.com
sbennetts@mozilla.com
oremj@mozilla.com
Flags: needinfo?(jrconlin)
Simon / JR - Is this the same as this https://wiki.mozilla.org/Security/Reviews/SimplePush
Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][triage needed] → [start yyyy-mm-dd][target yyyy-mm-dd][triage needed]
Component: Web Services → Security Assurance: Review Request
Product: Core → mozilla.org
Version: unspecified → other
Simon, do we need to do a group review on this or are you asking for a second individual review for a second set of eyes?
Flags: needinfo?(sbennetts)
I raised this for JR :)
Think this is a retest request due to significant functional changes.
Flags: needinfo?(sbennetts) → needinfo?(jrconlin)
(In reply to Simon Bennetts [:psiinon] from comment #5)
> I raised this for JR :)
> Think this is a retest request due to significant functional changes.

So does this need a full review again or do we just need to rerun testing?
What is a good date for review of this?
Assignee: nobody → curtisk
Whiteboard: [start yyyy-mm-dd][target yyyy-mm-dd][triage needed] → [start yyyy-mm-dd][target yyyy-mm-dd]
Sorry for the late reply. The code is currently stable, so any date (other than a Weds) works fine for me. 

Hopefully, this is one of the times that I can help make your life easier.

Do you want me to fill out the etherpad for the review?
Flags: needinfo?(jrconlin)
How about Mon 4-Nov-2013 at 1pm PST?
Status: NEW → ASSIGNED
Flags: needinfo?(jrconlin)
Works for me. Mon @ 1300PST.
Flags: needinfo?(jrconlin)
Etherpad: https://etherpad.mozilla.org/secreview
Wiki for final notes: https://wiki.mozilla.org/Security/Reviews/SimplePushSrv

JR, if you want to put stuff in the etherpad ahead of the meeting, then please do.
Flags: needinfo?(jrconlin)
Whiteboard: [qa-]
https://wiki.mozilla.org/Security/Reviews/SimplePushSrv
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Flags: needinfo?(jrconlin)
Resolution: --- → FIXED