Obtaining security reviews for new features or significant changes to existing code (was: Re: Intent to Implement System Add-on: SHIELD/Normandy)

Gijs Kruitbosch gijskruitbosch at gmail.com
Sat Oct 1 18:33:42 UTC 2016


-relman,gofaster,mgrimes
+Selena

On 01/10/2016 00:48, J. Ryan Stinnett wrote:
>
> On Fri, Sep 30, 2016 at 8:41 AM, Gijs Kruitbosch 
> <gijskruitbosch at gmail.com> wrote:
>
>     In this specific case, it sounds like you're already talking to
>     the security team. They would be the best people to judge if you
>     (still) need a formal security review to happen on the code you're
>     landing. If you haven't talked to them about this, now would be a
>     good time. For other projects, a quick web search gets me:
>     https://wiki.mozilla.org/Security#Request_a_Security_or_Privacy_Review
>     which seems fairly straightforward to me.
>
>
> I suppose this is the wrong venue for this rabbit hole,
I think fx-dev is a fine venue as far as desktop product security is 
concerned. I've taken us out of the earlier thread, though.
> but I've had a hard time contacting the security team in the past, so 
> I am not sure what the right venue is. The wiki page above links to a 
> security review request form that says "This process not currently in 
> use, maintaining for historical purposes".
>
> Is there a description of the correct process for requesting security 
> review somewhere? I've received a lot of mixed signals about this 
> process in the past, so having the right answer would be great!

I hadn't noticed that. And you're right, it would be good if the 
wiki page was up-to-date (or redirected to somewhere up-to-date) and 
the process here was clearer (more than "ask around to find the right person").

Selena, AFAICT from phonebook you should be a good person to ask (please 
forward as necessary if I missed something) - can you help elucidate 
what would be the most current process here as far as 
gecko/desktop/mobile stuff (rather than web/ops) is concerned?

Thanks,
Gijs