Bug 947225 - SecReview: customized Bugzilla for Delphi, deployed on PaaS
Status: RESOLVED FIXED (opened 12 years ago, closed 11 years ago)
Product / Component: mozilla.org :: Security Assurance: Review Request (task)
Tracking: not tracked
Reporter: gerv; Assignee: amuntner
Description
Mozilla has been awarded a grant to run a Delphi[0] on the topic of the future priorities for cybersecurity on the Net. This requires structured discussion. The platform for this discussion is going to be a customized Bugzilla instance that I call Delphinium. I plan to deploy it on the Stackato PaaS. The Delphi launches in January.
Bugzilla needs customizing to provide participant pseudonymity, and to make it a lot simpler by hiding and removing options. This involves both template customization and skinning. There are two options for how to get to where we want to be code-wise:
The first option is to base the deployment on an existing Bugzilla 4.0.4 customized for Stackato[1], and port the necessary patches to it for e.g. pseudonymity.
The second option is to do the customizations on the current stable version of Bugzilla, 4.4, and port the Stackato customizations to that.
For reference, BMO runs a highly customized Bugzilla 4.2, and used to run 4.0. 4.0 will go out of support when the next Bugzilla version is released, which won't be all that long now. There is no requirement that the site live forever - six months will probably be enough. (We don't want to kill it _immediately_ the Delphi is finished.)
Please let me know what secreview, if any, would be required for the two options. Bugzilla itself, of course, must have received the necessary reviews as it's been deployed for a long time.
Thanks,
Gerv
[0] http://en.wikipedia.org/wiki/Delphi_method
[1] https://github.com/Stackato-Apps/bugzilla
1) Who is/are the point of contact(s) for this review?
2) Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):
3) Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:
4) Does this request block another bug? If so, please indicate the bug number
5) This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?
6) To help prioritize this work request, does this project support a goal specifically listed on this quarter's goal list? If so, which goal?
7) Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.)
7a) Does this feature or code change affect Firefox, Thunderbird or any product or service the Mozilla ships to end users?
7b) Are there any portions of the project that interact with 3rd party services?
7c) Will your application/service collect user data? If so, please describe
8) If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size):
9) Desired Date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite.
Flags: needinfo?(gerv)
Whiteboard: [pending secreview] → [triage needed]
Comment 2 • 12 years ago (Reporter)
(If all of these questions are standard, perhaps they should be included in the template linked to from here:
https://wiki.mozilla.org/WebAppSec/Security_Review_Request)
> 1) Who is/are the point of contact(s) for this review?
Me.
> 2) Please provide a short description of the feature / application (e.g.
> problem solved, use cases, etc.):
See above.
> 3) Please provide links to additional information (e.g. feature page, wiki)
> if available and not yet included in feature description:
None.
> 4) Does this request block another bug? If so, please indicate the bug number
No.
> 5) This review will be scheduled amongst other requested reviews. What is
> the urgency or needed completion date of this review?
The Delphi launches in January. (CC Alex for more specific dates.)
> 6) To help prioritize this work request, does this project support a goal
> specifically listed on this quarter's goal list? If so, which goal?
Where can I find this quarter's goal list? (CC Alex for the business case.)
> 7) Please answer the following few questions: (Note: If you are asked to
> describe anything, 1-2 sentences shall suffice.)
> 7a) Does this feature or code change affect Firefox, Thunderbird or any
> product or service the Mozilla ships to end users?
No.
> 7b) Are there any portions of the project that interact with 3rd party
> services?
No.
> 7c) Will your application/service collect user data? If so, please describe
It will store their email addresses so it can email them, but part of the point is that those addresses are not supposed to be exposed to other users. (However, doing so is not a disaster of epic proportions; if they are hidden during normal use, that's probably fine.)
> 9) Desired Date of review (if known from
> https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html)
> and whom to invite.
Do you need the codebase to be complete before the review happens?
Bugzilla is a large application; do you want to review patches instead?
Gerv
Flags: needinfo?(gerv)
Comment 3 • 12 years ago
When in January? We have 8 working days before everyone disappears for holidays :)
We will do what we can, but can't promise a complete review before the end of December.
Flags: sec-review?(amuntner)
Flags: needinfo?(gerv)
Whiteboard: [triage needed]
Comment 4 • 11 years ago (Assignee)
Hi Gerv,
I'd like to see a running instance up which could be tested. The diff between a specific release of bugzilla and this version in patch form would be great. Also a description of the changes / features, etc, will help me get started faster. I look forward to helping you get it through the review.
Thank you
Adam
Updated • 11 years ago (Assignee)
Flags: sec-review?(amuntner) → sec-review+
QA Contact: amuntner
Comment 5 • 11 years ago (Reporter)
Hi Adam,
A running instance is up on the PaaS, and I can certainly supply a diff and a high-level changelog. There's one reasonably large change I want to make before I do, though, which is to add pseudonymity. I'll get back to you as soon as that's done.
Gerv
Flags: needinfo?(gerv)
Updated • 11 years ago
Assignee: nobody → amuntner
Comment 6 • 11 years ago (Assignee)
Thanks Gerv. Did you go with 4.0.4 or 4.4?
The original due date was listed as January; can you give an update on the time requirement?
If I'm reading you correctly, is the pseudonymity new code and the rest relatively standard?
Comment 7 • 11 years ago (Reporter)
adamm: hope to have something for you to review in the next week or two :-) The pseudo patch will be new code, albeit upstreamed, plus there's a patch to make it work on a PaaS, plus some customizations. I should be able to provide you with a diff, or even a set of diffs, or even a repo. Not quite sure yet; Bugzilla has just moved to git, and my dev install is on bzr, which complicates things.
Gerv
Comment 8 • 11 years ago (Reporter)
Code is now here: https://github.com/gerv/delphinium . It's based on 4.4. The missing piece is the pseudonymity patch, which is still being developed against trunk in bug 218917. Once that's done, I'll backport it (which is non-trivial) and then we'll be ready for secreview.
Gerv
Comment 9 • 11 years ago (Assignee)
Sounds good, thanks Gerv! Any rough ETA so I can slot it into my queue?
Comment 10 • 11 years ago (Reporter)
glob: do you know when you are going to next be able to review the email/login split patch?
Gerv
Comment 11 • 11 years ago (Reporter)
Sorry, that should have been a NEEDINFO.
Gerv
Flags: needinfo?(glob)
Comment 12 • 11 years ago
(In reply to Gervase Markham [:gerv] from comment #10)
> glob: do you know when you are going to next be able to review the
> email/login split patch?
I doubt I'll be able to start looking at the review for at least a couple of weeks.
Flags: needinfo?(glob)
Comment 13 • 11 years ago (Reporter)
adamm: Delphinium is now ready for secreview.
An installed instance is here: http://delphinium.paas.allizom.org/
The code is here: https://github.com/gerv/delphinium
If you look at the commit log, you can see all the commits I made starting November 27th. Those are the changes on top of Bugzilla 4.4.1. The current stable release on that branch is 4.4.2; the changes between 4.4.1 and 4.4.2 are here:
http://git.mozilla.org/?p=bugzilla/bugzilla.git;a=log;h=9013622c3861ffa3545e759858d1f7c48d446102 [github]
However, none of them have CVE numbers, so I think none of them are security fixes. If it's relevant, BMO currently runs 4.2 with lots of backports.
The key changes are:
1) Make Bugzilla work with Stackato, using adapted code from https://github.com/Stackato-Apps/bugzilla
2) Split out the concepts of "login" and "email", permitting people to hide their email addresses, and so permitting pseudonymity. This is bug 218917; I have a patch to Bugzilla trunk up for review there, which is the same as that in this codebase.
The other changes are customizations to make Bugzilla simpler by hiding lots of options, and make sure only the right people can change stuff. (If that broke, though, it would not be a security risk.)
If you need admin rights on the test instance, create an account and tell me the login name (which will currently be a random string due to the pseudonymity support, although I'd like to improve that to something more readable at some point. That's the only remaining known change, although we may get feedback from our customer asking for UI improvements).
Please can you tell us your ETA for this review? We would like to go live with a production instance on April 28th, so we would like to complete secreview by April 21st. (Or sooner, if possible.)
Thanks,
Gerv
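The requirement stated in comment 2 and comment 13 is that participants' email addresses are stored (so the instance can mail them) but never shown to other users, with the login/email split providing the pseudonym that is shown instead. One concrete check a reviewer can run against pages fetched while logged in as a normal user is below. This is an added example, not code from the bug or from the Delphinium repository; the participant addresses, pseudonyms and page bodies are constructed here so it runs offline, and a real run would substitute the HTML actually served by the test instance.

```python
import html
import re
from urllib.parse import unquote

# Matches plain email addresses once encodings have been undone.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed: addresses of participants that must stay hidden from other users.
PROTECTED_EMAILS = ["alice@example.org", "bob@example.net"]

# Constructed sample pages standing in for HTML fetched as a normal user.
# The first shows only a pseudonymous login name; the other two expose an
# address behind an HTML entity and behind percent-encoding respectively.
SAMPLE_PAGES = {
    "show_bug.cgi?id=1": (
        '<div class="bz_comment"><span class="bz_comment_user">'
        'Qx7rTw2pLk</span> wrote: I agree with issue 3.</div>'
    ),
    "show_bug.cgi?id=2": (
        '<div class="bz_comment"><a href="mailto:alice&#64;example.org">'
        'Alice</a> wrote: Priorities should be ranked.</div>'
    ),
    "user_profile.cgi?user_id=7": (
        '<p>Contact: <a href="mailto:bob%40example.net">Bob</a></p>'
    ),
}


def normalize(page_text: str) -> str:
    """Undo the encodings an address can hide behind before searching.

    HTML entities (alice&#64;example.org) and percent-encoding inside hrefs
    (mailto:bob%40example.net) both decode to the plain address; lowercasing
    makes the comparison case-insensitive.
    """
    return unquote(html.unescape(page_text)).lower()


def find_email_leaks(page_text, protected, allowed=()):
    """Return the protected addresses visible in page_text, sorted.

    `allowed` lists addresses the viewer is entitled to see (for example
    their own address on their profile page); those are not reported.
    """
    protected_set = {e.lower() for e in protected} - {e.lower() for e in allowed}
    found = {m.group(0) for m in EMAIL_RE.finditer(normalize(page_text))}
    return sorted(found & protected_set)


def audit_pages(pages, protected, allowed=()):
    """Map each page that leaks to the protected addresses it exposes."""
    report = {}
    for name, text in pages.items():
        leaks = find_email_leaks(text, protected, allowed)
        if leaks:
            report[name] = leaks
    return report


if __name__ == "__main__":
    for page, leaks in audit_pages(SAMPLE_PAGES, PROTECTED_EMAILS).items():
        print(f"{page}: exposes {', '.join(leaks)}")
```

The decode-before-search step matters more than the regex: a page can pass a naive substring check while still handing the address to any browser that follows the link. Pages should be collected under the least-privileged account the Delphi will have (the equivalent of the normal user in comment 15), since an admin view legitimately shows addresses.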
Comment 14 • 11 years ago (Reporter)
adamm: any ETA on an ETA for the secreview? :-)
Gerv
Flags: needinfo?(amuntner)
Comment 15 • 11 years ago (Assignee)
Gerv, I'm able to start the review now. I just created an account for admin rights: YA69J8mmem
and another that I'd like to leave as a normal user, BeeSN0VqkY
I'm thinking it should be complete by COB on Wed (Eastern US time), next week. Does that work?
Flags: needinfo?(amuntner)
Comment 16 • 11 years ago (Assignee)
As a normal user, should I be able to add new "issues" ie questions?
I can reach this page as user BeeSN0VqkY
https://delphinium.paas.allizom.org/enter_bug.cgi?product=Cybersecurity%20Delphi
and add a new one to either round 1 or 2.
Comment 17 • 11 years ago (Reporter)
Exact permissions for certain groups are to be confirmed with the Delphi moderator team; but it'll use Bugzilla groups in the normal way, so I'm confident it won't be a problem.
YA69J8mmem is now a Bugzilla admin. That's a bit more than a moderator, but now you can create other accounts with any powers as you need.
Gerv
Comment 18 • 11 years ago (Assignee)
Thanks for the YA69J8mmem user setup.
My guess is that normal users who are logging in to answer questions probably shouldn't be able to add questions to the list, at least based on reading about the Delphi Method.
Who should we check with?
Comment 19 • 11 years ago (Reporter)
adamm: I need to confirm how the software will work with the Delphi organizers, who are supposed to be reviewing it now. I'll ping them on Monday. But this change is only flipping permission bits in the Bugzilla UI. I'm sure you have a list of things to check, but I'm particularly hoping you will review the new code and make sure I didn't blow a hole in Bugzilla's security by accident :-)
Gerv
Comment 20 • 11 years ago (Assignee)
Yup. This was just something I noticed while exploring the UI.
Comment 21 • 11 years ago (Reporter)
I've heard word back that the current config is OK.
Gerv
Comment 22 • 11 years ago (Reporter)
Any news on when you might be done with the secreview? :-)
Gerv
Comment 23 • 11 years ago (Reporter)
:adamm: ping? We hope to have this in production by the end of April...
Gerv
Comment 24 • 11 years ago (Assignee)
Gerv, been working on it. So far, so good. I'll keep you posted.
Comment 25 • 11 years ago (Assignee)
Currently Active Issues can be viewed without being logged in.
Are the issues supposed to be viewed without a valid login?
Comment 26 • 11 years ago (Assignee)
Other than my previous comment, I'm going to consider the review completed. Let me know and we can close it.
Nice work and best of luck with the project! Let me know if I can be of any further assistance.
Comment 27 • 11 years ago (Reporter)
adamm: there is a setting in Bugzilla called "requirelogin" which means that no-one can see or do anything without a login. Once all the participants have accounts, that switch would be flipped, keeping the Delphi private to the users. At the end of the process, it might be unflipped so the public could read - that's TBD.
Thank you for your review :-) It is much appreciated.
Gerv
Comment 28 • 11 years ago (Reporter)
And yes, please do resolve the bug.
Gerv
Updated • 11 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED