910029 - Security Review: Autoland

Status: RESOLVED FIXED

(mozilla.org :: Security Assurance: Review Request, task)

Description

[Rail Aliiev [:rail]]

Initial Questions:

Project/Feature Name: Autoland
Tracking  ID:657828
Description:
Autoland is a system that scans bugzilla for changes made by authorized people, and reflects those changes into hg.  It interacts with the releng try system to "try" patches and with hg to "land" them into various trees.


Additional Information:
https://mana.mozilla.org/wiki/display/IT/Autoland

Dev branch location: https://github.com/rail/build-autoland/tree/v2 (v2 branch)
Key Initiative: Firefox/Firefox OS
Release Date: 2013-10-23
Project Status: development
Mozilla Data: Yes
Mozilla Related: Bugzilla, LDAP, treestatus.mozilla.org,  hg.mozilla.org, celery cluster (?), Build API, 
Separate Party: No

Security Review Questions:

Affects Products: Yes
Review Due Date: 2013-09-27
Review Invitees: mgervasini@mozilla.com, catlee@mozilla.com
Extra Information:
The initial code (master branch) has been sec reviewed at some point. Since then we decided to simplify the code, switch to Celery as a framework for distributed computing.

Additionally we plan to use message signing (see http://docs.celeryproject.org/en/latest/userguide/security.html#message-signing for the details) to increase security.

Comment 1

[Chris AtLee [:catlee]]

Can we get this done soon please?

Comment 2

[Curtis Koenig [:curtisk-use curtis.koenig+bzATgmail.com]]]

https://wiki.mozilla.org/Security/Reviews/Autoland

Comment 3

[Rail Aliiev [:rail]]

Thanks!