Security/AppsProject/LightningNightlyPHP

From MozillaWiki

Item Reviewed

Nightly updates PHP script for Lightning
Target


Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

We, the Mozilla Calendar Project, would like to provide nightly updates to our users using the addons manager and an update.rdf script, as described here [1]. To do so, I have created a PHP script that serves the right update links based on the current date, the installed build id, the rapid release schedule and a few parameters usually supplied by the addons manager. The script requires no maintenance, as the current goal is to only serve updates for the -central and -aurora channels. Updates on the -beta channel will be served via addons.mozilla.org.

The script can be found in bug 723273 and will likely be put on the generic cluster and served via https only at <https://calendar.mozilla.org>.

[1] https://developer.mozilla.org/en/Extension_Versioning,_Update_and_Compatibility#Automatic_Add-on_Update_Checking

What solutions/approaches were considered other than the proposed solution?


Why was this solution chosen?

AMO not agile enough for add-ons under active development. AMO is appropriate for Beta and Release versions but not nightly.

Any security threats already considered in the design and why?


Threat Brainstorming


Action Items

Action Item Status None
Release Target
Action Items

Note: This was mostly opsec concerns and things were fine on that end.