Re: [webkit-dev] rolling out a buggy security patch
On Tue, 2013-03-12 at 02:26 -0700, Maciej Stachowiak wrote:
> I am still curious who has access to the commit bot's bugzilla account. Is it a small set of known people, is it a large set, is the password sitting around somewhere that others may get at it? I do not recall this being answered at the time, or perhaps I have forgotten.
>
> If the set with access is a small set of known people who are willing to be identified and be in the security group themselves (or already are), then I am personally fine with it.

I'm a bit late to the party but in my case, the EWS bots I maintain (kov-gtk-ews and kov-ec2-gtk-ews) both have mail accounts to which only I have access. I used to run them using my GNOME email address, which meant they had access to security bugs and processed security patches (since I have access), but I decided to split them to a different account since filtering of bugzilla mails that mattered to me was getting quite complicated.

Cheers,

--
Gustavo Noronha Silva g...@gnome.org
GNOME Project

___
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev
[webkit-dev] rolling out a buggy security patch
Hi All,

https://trac.webkit.org/changeset/145482 which is a security fix, broke 33 JSC tests and made a zillion layout tests time out on all platforms. (It seems the author forgot to run tests at least on his own platform and to watch the bots after landing.) It made the bots exit early and made test runtime very long. Now bots can't catch any new regression because of this patch.

I tried to ping the author and reviewer on #webkit, but they are unavailable. Unfortunately rolling out isn't possible with sheriffbot. And I don't think I have authorization for rolling out a security fix without review irrespective of its goodness/bugginess.

Additionally EWS bots can't test security patches without security group access. And gardeners can't comment on the original security bug report because of the same reason.

So I filed a new bug report about this serious and blocker regression: https://bugs.webkit.org/show_bug.cgi?id=112112 and I propose that we should roll it out until the author can fix it offline. Could you review this rollout patch, please?

Otherwise it would be great if EWS bots can test security patches before committing to avoid similar problems. I noticed that a security fix broke the build and/or many tests several times.

br,
Ossy
Re: [webkit-dev] rolling out a buggy security patch
Hi,

Rollout patch was already r+ed, thanks for the quick r+.

But my question is still open about how we can avoid similar problems in the future. Why can't we let the EWS bots build and test security patches before commit?

br,
Ossy

Osztrogonác Csaba wrote:
> https://trac.webkit.org/changeset/145482 which is a security fix, broke 33 JSC tests and made a zillion layout tests time out on all platforms. (It seems the author forgot to run tests at least on his own platform and to watch the bots after landing.) It made the bots exit early and made test runtime very long. Now bots can't catch any new regression because of this patch.
>
> I tried to ping the author and reviewer on #webkit, but they are unavailable. Unfortunately rolling out isn't possible with sheriffbot. And I don't think I have authorization for rolling out a security fix without review irrespective of its goodness/bugginess.
>
> Additionally EWS bots can't test security patches without security group access. And gardeners can't comment on the original security bug report because of the same reason.
>
> So I filed a new bug report about this serious and blocker regression: https://bugs.webkit.org/show_bug.cgi?id=112112 and I propose that we should roll it out until the author can fix it offline. Could you review this rollout patch, please?
>
> Otherwise it would be great if EWS bots can test security patches before committing to avoid similar problems. I noticed that a security fix broke the build and/or many tests several times.
Re: [webkit-dev] rolling out a buggy security patch
It seems like Oliver has already r+ed the patch.

I wish we had a better way of dealing with regressions from security bug fixes. In theory, sheriffbot should be able to roll out security bug fixes without having to access the original bug.

- R. Niwa

On Tue, Mar 12, 2013 at 1:15 AM, Osztrogonác Csaba o...@inf.u-szeged.hu wrote:
> Hi All,
>
> https://trac.webkit.org/changeset/145482 which is a security fix, broke 33 JSC tests and made a zillion layout tests time out on all platforms. (It seems the author forgot to run tests at least on his own platform and to watch the bots after landing.) It made the bots exit early and made test runtime very long. Now bots can't catch any new regression because of this patch.
>
> I tried to ping the author and reviewer on #webkit, but they are unavailable. Unfortunately rolling out isn't possible with sheriffbot. And I don't think I have authorization for rolling out a security fix without review irrespective of its goodness/bugginess.
>
> Additionally EWS bots can't test security patches without security group access. And gardeners can't comment on the original security bug report because of the same reason.
>
> So I filed a new bug report about this serious and blocker regression: https://bugs.webkit.org/show_bug.cgi?id=112112 and I propose that we should roll it out until the author can fix it offline. Could you review this rollout patch, please?
>
> Otherwise it would be great if EWS bots can test security patches before committing to avoid similar problems. I noticed that a security fix broke the build and/or many tests several times.
>
> br,
> Ossy
Re: [webkit-dev] rolling out a buggy security patch
On Tue, Mar 12, 2013 at 1:36 AM, Osztrogonác Csaba o...@inf.u-szeged.hu wrote:
> But my question is still open about how we can avoid similar problems in the future. Why can't we let the EWS bots build and test security patches before commit?

This topic was discussed on the webkit-security mailing list in May 2010. Unfortunately, the archives of that list are not viewable publicly. Maciej's concerns at the time are summarized in his message below:

On Tue, Oct 19, 2010 at 6:16 PM, Maciej Stachowiak m...@apple.com wrote:
> The commit bot is not a person and therefore can't agree to the security group policy, as required for security group membership. If a specific person or persons want to take responsibility for an additional email account and bugzilla account having security access, then that's not categorically excluded. But I'd like to understand who currently has access to the commit bot's email account and bugzilla account, what the policies are for more people getting access, and whether there are indirect ways of getting access such as by modifying the commit bot's code, or by uploading a patch that tries to abuse the EWS testers. And I'd like to see at least one person named to take responsibility for ensuring that the commit bot is not used as a means of violating the policy.

Of course, it's entirely possible that his views have changed since then.

Adam
Re: [webkit-dev] rolling out a buggy security patch
On Mar 12, 2013, at 1:48 AM, Adam Barth aba...@webkit.org wrote:
> On Tue, Mar 12, 2013 at 1:36 AM, Osztrogonác Csaba o...@inf.u-szeged.hu wrote:
> > But my question is still open about how we can avoid similar problems in the future. Why can't we let the EWS bots build and test security patches before commit?
>
> This topic was discussed on the webkit-security mailing list in May 2010. Unfortunately, the archives of that list are not viewable publicly. Maciej's concerns at the time are summarized in his message below:
>
> On Tue, Oct 19, 2010 at 6:16 PM, Maciej Stachowiak m...@apple.com wrote:
> > The commit bot is not a person and therefore can't agree to the security group policy, as required for security group membership. If a specific person or persons want to take responsibility for an additional email account and bugzilla account having security access, then that's not categorically excluded. But I'd like to understand who currently has access to the commit bot's email account and bugzilla account, what the policies are for more people getting access, and whether there are indirect ways of getting access such as by modifying the commit bot's code, or by uploading a patch that tries to abuse the EWS testers. And I'd like to see at least one person named to take responsibility for ensuring that the commit bot is not used as a means of violating the policy.
>
> Of course, it's entirely possible that his views have changed since then.

I am still curious who has access to the commit bot's bugzilla account. Is it a small set of known people, is it a large set, is the password sitting around somewhere that others may get at it? I do not recall this being answered at the time, or perhaps I have forgotten.

If the set with access is a small set of known people who are willing to be identified and be in the security group themselves (or already are), then I am personally fine with it.

Regards,
Maciej
Re: [webkit-dev] rolling out a buggy security patch
On Tue, Mar 12, 2013 at 2:26 AM, Maciej Stachowiak m...@apple.com wrote:
> On Mar 12, 2013, at 1:48 AM, Adam Barth aba...@webkit.org wrote:
> > On Tue, Mar 12, 2013 at 1:36 AM, Osztrogonác Csaba o...@inf.u-szeged.hu wrote:
> > > But my question is still open about how we can avoid similar problems in the future. Why can't we let the EWS bots build and test security patches before commit?
> >
> > This topic was discussed on the webkit-security mailing list in May 2010. Unfortunately, the archives of that list are not viewable publicly. Maciej's concerns at the time are summarized in his message below:
> >
> > On Tue, Oct 19, 2010 at 6:16 PM, Maciej Stachowiak m...@apple.com wrote:
> > > The commit bot is not a person and therefore can't agree to the security group policy, as required for security group membership. If a specific person or persons want to take responsibility for an additional email account and bugzilla account having security access, then that's not categorically excluded. But I'd like to understand who currently has access to the commit bot's email account and bugzilla account, what the policies are for more people getting access, and whether there are indirect ways of getting access such as by modifying the commit bot's code, or by uploading a patch that tries to abuse the EWS testers. And I'd like to see at least one person named to take responsibility for ensuring that the commit bot is not used as a means of violating the policy.
> >
> > Of course, it's entirely possible that his views have changed since then.
>
> I am still curious who has access to the commit bot's bugzilla account. Is it a small set of known people, is it a large set, is the password sitting around somewhere that others may get at it? I do not recall this being answered at the time, or perhaps I have forgotten.

The approach we've taken is to use different bugzilla accounts for the different bot administrators.

The commit-queue, the cr-linux-ews, the style-queue, and sheriffbot share one account (webkit.review.bot@gmail), whereas the queues that Ossy runs use a different account. Approximately eight people have access to the account because they have ssh access to the machines that run those queues. I can send you the list of people, if you're interested, but there are certainly folks on that list who are not members of the WebKit Security Group.

In addition to the bugzilla account, we should also consider the set of people who have access to the underlying email address (since the email address can be used to reset the bugzilla password). In the case of webkit.review.bot, I'm the only person who has access to the underlying email account. (That's probably not ideal from a bus-factor point-of-view, however.)

> If the set with access is a small set of known people who are willing to be identified and be in the security group themselves (or already are), then I am personally fine with it.

The set of people who are active maintainers of those machines is smaller than the set of people who have access. A good first step would be for me to narrow down the list (and obviously rotate the password).

Adam
Re: [webkit-dev] rolling out a buggy security patch
> Unfortunately rolling out isn't possible with sheriffbot. And I don't think I have authorization for rolling out a security fix without review irrespective of its goodness/bugginess.

It looks like the necessary review took just under 13 minutes:

Comment #1 From Csaba Osztrogonac 2013-03-12 01:04:20 PST (-) [reply]
Created an attachment (id=192662) [details]
rollout

Comment #2 From Oliver Hunt 2013-03-12 01:17:16 PST (-) [reply]
(From update of attachment 192662 [details])
wtf? My bad

What problem are we trying to solve here?

Geoff