924258 - New IT/WebOps component for SSL and domain registration

Status: RESOLVED FIXED

(bugzilla.mozilla.org :: Administration, task)

Description

[Jake Maul [:jakem]]

We'd like to create a new component in the "Infrastructure & Operations" product.

Name: WebOps: SSL and Domain Names

Desc: Any bugs regarding the acquisition, renewal, or transfer of domain names or SSL certificates. For formatting requirements, please see https://mana.mozilla.org/wiki/display/IT/WebOps%3A+SSL+and+Domain+Names.

default QA should be me (nmaul@mozilla.com)

default owner should be server-ops-webops@mozilla-org.bugs

All new bugs that get created in this component should be marked as "Confidential Mozilla Corporation Bug". The reason for this is that it will be a target for domain squatters to look for incoming bugs and buy them before we can. Not all bugs in here will need to be confidential, but I can't think of a good way to programmatically determine which ones need the flag and which don't, so for now this seems like the safer option. If or when we get a better IT Request form, we could loosen this restriction and have the form do the right thing.

... I think that's everything? Let me know if you need any additional info.

Thanks!


(PS: If you think it useful, we could use a URL shortener on that link in the description... I don't have a strong preference. Eventually the requirements therein will be enforced by a proper form, just like the MoCo Confidential group thing.)

Comment 1

[David Lawrence [:dkl]]

(In reply to Jake Maul [:jakem] from comment #0)
> We'd like to create a new component in the "Infrastructure & Operations"
> product.
> 
> Name: WebOps: SSL and Domain Names
> 
> Desc: Any bugs regarding the acquisition, renewal, or transfer of domain
> names or SSL certificates. For formatting requirements, please see
> https://mana.mozilla.org/wiki/display/IT/WebOps%3A+SSL+and+Domain+Names.
> 
> default QA should be me (nmaul@mozilla.com)
> 
> default owner should be server-ops-webops@mozilla-org.bugs
> 
> All new bugs that get created in this component should be marked as
> "Confidential Mozilla Corporation Bug". The reason for this is that it will
> be a target for domain squatters to look for incoming bugs and buy them
> before we can. Not all bugs in here will need to be confidential, but I
> can't think of a good way to programmatically determine which ones need the
> flag and which don't, so for now this seems like the safer option. If or
> when we get a better IT Request form, we could loosen this restriction and
> have the form do the right thing.

This will be an issue as we cannot currently enforce privacy on the component level, only the product level. 
So we would need to either introduce a hack on the BMO code or move this to it's own high level product so 
we can enforce privacy. I don't think we have had to do the former yet to this point and would be the less
preferable. We could add to the component description advising the reporter to check the sensitive checkbox
at the bottom but not sure if we could trust users to do that.

glob, any other ideas other than creating a separate product? Sounds like the best way to go so far.

dkl

Comment 2

[Jake Maul [:jakem]]

Hmm.... okay, let's ignore that requirement then. It's not a huge problem, just something I was hoping to account for with no additional effort. I think we can get away without it. The people who typically file these bugs are aware of the need for temporary secrecy, and generally set the right flag themselves. Honestly it's a problem that is largely theoretical... it's only happened a couple times in several years, and we have hundreds of domains.

I'd definitely prefer that to having a totally separate product just for this one thing. :)

Comment 3

[David Lawrence [:dkl]]

Done