FirefoxOS/New security model/Meetings/2015-09-01 Notes
From MozillaWiki
< FirefoxOS | New security model | Meetings
Contents
Sprint 6, WW7 (Aug 31 - Sep 4)
Time: 2015/9/1 (Tue), 1 pm CST Room: B2G Vidyo
- Agenda:
- Quick status update
- Confirm the design of verification for signed packages (bug 1178518)
- Figure out exactly what is landing this week and what is not
- Review all P1 bugs
- NSec work week: date and place
- (1) 9/28 - 10/2 in Mountain View or San Francisco
- (2) 9/21 - 9/25 in Taipei
- p.s. We (Taipei team) prefer option (1) ok Taipei team
- Action Item
- [Jean] follow up with Wilfred on Pinning the Web for 2.5 (is this a lightweight version)
- Nsec need to register web activity
- [Jean] follow up with Andrew Overholt on whether Service worker for B2G will be in for 2.5
- Andrew confirmed: ship SW for web content on B2G in Gecko 44 which will be 2.5. For desktop we're hoping to ship in Gecko 43
- [Jean] to create mtg placeholder on calendar for 9/28 - 10/2 MTV (last week of milestone 2)
- [Jean/Aaron]to work on logistics and cost..
- [Jean] follow up with Wilfred on Pinning the Web for 2.5 (is this a lightweight version)
- PS: tracking P1s here
Retrospect for Sprint 5 and WW1 of Sprint 6
Henry
- Highlight:
- Bug 1178525 - Already f+ by Valentin. The test case is just added and wait for Valentin's last review. Should be able to land in 2 to 3 days. It also blocks Bug 1178533.
(Waiting for Honza Bambas)
- Bug 1195713 - Already r+. In need of making sure test cases not broken. This bug is important to B2G (but less important on desktop). It's a tiny change so can be landed soon.
(Landed last night)
- Blocker:
- Bug 1186290 - It depends on Bug 1178525. Already has a working prototype based on WIP of Bug 1178525. Could start formal review after Bug 1178525 lands. I don't think we can land this in one week.
- Summary:
- Once Bug 1178525 lands, there would be a developer mode where all the package is considered signed. We only need to have ** ** Bug 1178533 land to let the packaged app have the permission. Stephine is working based on one of my development branch so it shouldn't be a bug issue to merge to Bug 1178525.
Dimi
- Highlight
- Bug 1191647 - Listen to clear-origin-data in ServiceWorkerManager.cpp
- Bug 1189235 - use originAttribute for ServiceWorkerRegistrar
- Action
- Bug 1178526 - Set appropriate origin attributes for signed packages
- Blocker
- None
Jonathan
- Highlight
- Bug 1178518 - Support for verifying signed packages
Implemente the verification Set up a trusted CA root for testing
- Bug 1178448 - Developer/Reviewer tools for creating new signed packages
Made a tool generating packages in NSec format based on Fabrice's tool and the signing tool of trusted hosted app
- Action
- Integrate the verification code with Henry's after Bug 1178525 is landed
- Figure out how to let trusted developers sign their own packages. Currently the tool can only be used by the one who has the private key.
- I'm studying the usage of nss tools certutil. I think developers can send CSR (certificate signing request) to whomever holds the private key to the root and get a signed certificate back, but I'll have to try.
- Blocker
- The verification will have to wait for bug 1178525, and David Keeler
Kanru
- Highlight
- Bug 1170894 - Working basic process switching API (landed \o/)
- Action
- Finish the handling of moving forward/backward between processes
- Blocker
- None
Yoshi
- Highlight
- Bug 1165272 - unify Get*CodebasePrincipal with createCodebasePrincipal in nsIScriptSecurityManager
- To make whole codebase call nsIScriptSecurityManager.createCodebasePrincipal.
- Bug 1165214 - DOMStorageManager should use origin for ScopeKey and QuotaKey
- Coversion from appId/IsInBrowserElement to OriginAttributes
- Honza will continue to finish the database migration part.
- Bug 1167100 - User nsIPrincipal.originAttribute in ContentPrincipalInfo. r+
- Bug 1165272 - unify Get*CodebasePrincipal with createCodebasePrincipal in nsIScriptSecurityManager
- Action
- Bug 1165466 - Fix up docshell and loadcontext inheriting code in nsIScriptSecurityManager to use originAttributes rather than explicitly querying appid/browser
- Bobby takes PTO now, ask bz for feedback.
- Bug 1165466 - Fix up docshell and loadcontext inheriting code in nsIScriptSecurityManager to use originAttributes rather than explicitly querying appid/browser
- Blocker
- None
- https://bugzilla.mozilla.org/show_bug.cgi?id=1163254 ??
- This bug is done by bug 1163256.
Ethan
- Bug 1165267 - Use OriginAttributes for nsCookieService (P1)
- Patches got feedback from Henry and Yoshi.
- TODO: Database schema change and migration.
- TODO: Add APIs in nsICookieManager2.idl, remove/getCookiesForOriginAttributes()
- Should we set meta bugs as blockers?
- For example, 2.5+ bugs of security component: https://goo.gl/CUaqfx
- Bug 1165267 - Use OriginAttributes for nsCookieService (P1)
Pauljt
- plan for service workers?
- plan for updates?
- action: PT to talk to cr re: importing a developer cert
