[Go Faster] [desktop] [system add-ons] Please verify `release-sysaddon` channel updated with system add-ons for 51.* and 52.*

David Keeler dkeeler at mozilla.com
Fri Mar 24 17:00:15 UTC 2017


Oh, in that case, it won't work. It definitely won't work for non-debug
builds, and the security.test.built_in_root_hash pref not persisting
through reboots is a bug, so I don't think there's a way to make that work.

Thanks,
David

On 03/24/2017 01:40 AM, Andrei Vaida wrote:
> Hi David, Cory,
> 
> Sorry for not making this clearer. The reasons why we couldn't follow
> the steps from Bug 1346017 Comment 25 <https://bugzil.la/1346017#c25> in
> combination with installing the system add-on through a forced update
> check are:
> 
>   * we don't have debug builds available for every Firefox
>     version/locale we're covering
>   * we need to unset and reset the security.test.built_in_root_hash pref
>     when restarting, and installing the system add-on through a forced
>     update check involves an additional restart (right after the forced
>     update check)
> 
> Here's a breakdown of the steps we tried and failed to follow/adapt,
> based on Bug 1346017 Comment 25 <https://bugzil.la/1346017#c25>:
> 
>  1. install and start OWASP ZAP (C25 Step 1 <https://bugzil.la/1346017#c25>)
>  2. export its root certificate (C25 Step 2 <https://bugzil.la/1346017#c25>)
>  3. set app.update.channel to release-sysaddon in channel-prefs.js
>  4. start a debug build of Firefox (C25 Step 3
>     <https://bugzil.la/1346017#c25>)
>       * debug builds are _not_ available for all the versions/locales
>         we're trying to cover when validating system add-ons through an
>         update channel
>  5. import the root certificate and trust it for websites/SSL (C25 Step
>     4 <https://bugzil.la/1346017#c25>)
>  6. configure Firefox to use the proxy (C25 Step 5
>     <https://bugzil.la/1346017#c25>)
>  7. in about:config, add a string preference
>     security.test.built_in_root_hash and give it the value of the root
>     certificate's hash (note that you have to unset and reset this
>     preference if you close and reopen Firefox, unfortunately) (C25 Step
>     6 <https://bugzil.la/1346017#c25>)
>  8. in about:config, change the value of the preference
>     security.pki.name_matching_mode to 0 (C25 Step 7
>     <https://bugzil.la/1346017#c25>)
>  9. force an update check on the release-sysaddon update channel
>     (replaces C25 Step 8 <https://bugzil.la/1346017#c25>)
> 10. restart Firefox to install Site Deployment Checker v1.0
>       * the system add-on will _not_ be installed until after restarting
>         the browser
>       * this action affects the way we set up
>         security.test.built_in_root_hash at step 7 and as a result,
>         after the system add-on is installed, we don't see the expected
>         telemetry logs nor the console logs
>       * we also tried using a prefs.js file to force set
>         security.test.built_in_root_hash, but the result was the same
> 
> David, do you still think that by using the
> extensions.update.requireBuiltInCerts or
> extensions.install.requireBuiltInCerts prefs we could bypass this
> behavior? We could give it a try, but as far as I can tell, we'd end up
> with the same issue at the end of our test. Please let me know.
> 
> Thanks,
> Andrei
> 
> ------ Original Message ------
> From: "Cory Price" <cprice at mozilla.com>
> To: "David Keeler" <dkeeler at mozilla.com>
> Cc: "JC Jones" <jjones at mozilla.com>; "Andrei Vaida"
> <andrei.vaida at softvisioninc.eu>; "release-drivers"
> <release-drivers at mozilla.org>; gofaster at mozilla.org; "Andrei Vaida"
> <avaida at mozilla.com>; cosmin.badescu at softvision.ro
> Sent: 2017-03-24 12:29:56 AM
> Subject: Re: [desktop] [system add-ons] Please verify `release-sysaddon`
> channel updated with system add-ons for 51.* and 52.*
> 
>> Let's wait to see if QA can re-test with David's suggestion, and
>> hopefully deploy tomorrow.
>>
>> On Thu, Mar 23, 2017 at 1:57 PM, David Keeler <dkeeler at mozilla.com> wrote:
>>
>>     Thanks! I believe the unexpected certificate test case didn't work
>>     because the setup involves MITMing the browser, which the add-on
>>     update code generally rejects. You might be able to get it to work by
>>     setting "extensions.update.requireBuiltInCerts" to false (if that
>>     doesn't work, maybe try "extensions.install.requireBuiltInCerts"?)
>>
>>     Cheers,
>>     David
>>
>>     On 03/23/2017 01:21 PM, Cory Price wrote:
>>     > Thanks!
>>     >
>>     >> the update.xml file associated to 52.0b# is not displaying this
>>     >> add-on, here's an example for 52.0b9-build2-win64-de
>>     >> <https://aus5.mozilla.org/update/3/SystemAddons/52.0b9/20170223185858/default/de/release-sysaddon/default/default/default/update.xml>
>>     >> and another for 52.0b9-build2-mac-en-US
>>     >> <https://aus5.mozilla.org/update/3/SystemAddons/52.0b9/20170223185858/default/en-US/release-sysaddon/default/default/default/update.xml>
>>     >
>>     > The actual update requests in the wild don't include the "b" part in the
>>     > URL. This has come up a couple other times before
>>     > (https://mail.mozilla.org/pipermail/gofaster/2017-February/000556.html
>>     > & https://mail.mozilla.org/pipermail/gofaster/2017-February/000568.html).
>>     >
>>     > Seems like we are okay to release *deployment-checker* to 52.*. I'll
>>     > keep my eye out on the progress of e10srollout.
>>     >
>>     >
>>     >
>>     > On Thu, Mar 23, 2017 at 9:28 AM, Andrei Vaida
>>     > <andrei.vaida at softvisioninc.eu> wrote:
>>     >
>>     >     Hi Cory,
>>     >
>>     >     *Site Deployment Checker v1.0*
>>     >     We finished testing *deployment-checker1.0* (1346017
>>     >     <https://bugzil.la/1346017>) system add-on on the release-sysaddon
>>     >     channel and things are overall looking good, with one exception:
>>     >
>>     >       * the update.xml file associated to 52.0b# is not displaying this
>>     >         add-on, here's an example for 52.0b9-build2-win64-de
>>     >         <https://aus5.mozilla.org/update/3/SystemAddons/52.0b9/20170223185858/default/de/release-sysaddon/default/default/default/update.xml>
>>     >         and another for 52.0b9-build2-mac-en-US
>>     >         <https://aus5.mozilla.org/update/3/SystemAddons/52.0b9/20170223185858/default/en-US/release-sysaddon/default/default/default/update.xml>
>>     >
>>     >     _⚠ Please note_ that we could NOT test the way this system add-on
>>     >     actually works using the update channel. David's instructions
>>     >     from 1346017 Comment 25
>>     >     <https://bugzilla.mozilla.org/show_bug.cgi?id=1346017#c25> only work
>>     >     if you're installing the add-on using the *.xpi file directly -- we
>>     >     did this instead for a couple of builds (i.e. 52.0.1-build2) and our
>>     >     tests passed (telemetry and browser console logs were identical with
>>     >     Justin's results).
>>     >
>>     >     Detailed test results for the deployment-checker1.0 system add-on
>>     >     are available in this etherpad
>>     >     <https://public.etherpad-mozilla.org/p/1346017>.
>>     >
>>     >     *Multi-process staged rollout v1.12*
>>     >     The Add-ons QA Team is currently testing e10srollout1.12 (1344345
>>     >     <https://bugzil.la/1344345>) on the release-sysaddon channel, but
>>     >     according to 1344345 Comment 13 <https://bugzil.la/1344345#c13>,
>>     >     there are currently two issues occurring while following Felipe's
>>     >     instructions from 1344345 Comment 10 <https://bugzil.la/1344345#c10>:
>>     >
>>     >       * according to step 3, installing an mpc=true add-on such as
>>     >         Adblock Plus or Youtube Best Video Downloader 2 should NOT
>>     >         disable e10s -- currently, on both 51.* and 52.* e10s is in fact
>>     >         disabled by installing any add-on
>>     >       * according to step 6, installing the system add-on via attached
>>     >         *.xpi file should disable e10s -- currently, on both 51.* and
>>     >         52.* e10s is NOT disabled, despite restarting several times
>>     >         after install
>>     >
>>     >     Adding Cosmin Badescu to this thread, as he's in charge of signing
>>     >     off e10srollout1.12. Detailed test results for the e10srollout1.12
>>     >     system add-on are currently being tracked in this etherpad
>>     >     <https://public.etherpad-mozilla.org/p/1344345>.
>>     >
>>     >     Thank you,
>>     >     Andrei (:avaida)
>>     >     Desktop Release QA
>>     >
>>     >
>>     >     ------ Original Message ------
>>     >     From: "Cory Price" <cprice at mozilla.com>
>>     >     To: "release-drivers" <release-drivers at mozilla.org>;
>>     >     gofaster at mozilla.org; "Andrei Vaida" <avaida at mozilla.com>
>>     >     Cc: "JC Jones" <jjones at mozilla.com>;
>>     >     "David Keeler" <dkeeler at mozilla.com>
>>     >     Sent: 22.03.2017 9:46:01 PM
>>     >     Subject: [desktop] [system add-ons] Please verify `release-sysaddon`
>>     >     channel updated with system add-ons for 51.* and 52.*
>>     >
>>     >>     The release-sysaddon channel has been updated as follows and is
>>     >>     ready for testing.
>>     >>
>>     >>     The rule shipping to 51.* has been updated to ship
>>     >>     e10srollout1.12. The add-ons packaged for 51 are now:
>>     >>
>>     >>     Note: QA was pinged to bug 1344345, but it hasn't received QA
>>     >>     verification yet in the bug.
>>     >>
>>     >>     - e10srollout1.12 (bug 1344345)
>>     >>     - disableSHA1rollout1.3 (bug 1339662)
>>     >>     - diagnostics1.0 (bug 1307568)
>>     >>     - hsts-priming1.0 (bug 1335224)
>>     >>
>>     >>     A new rule for 52.* has been created, the add-ons shipping to 52.*
>>     >>     are:
>>     >>
>>     >>     - e10srollout1.12 (bug 1344345)
>>     >>     - deployment-checker1.0 (bug 1346017)
>>     >>
>>     >>     Per the deployment process[0], Andrei, can you please verify that
>>     >>     the test channel is serving the appropriate add-ons?
>>     >>
>>     >>     These add-ons (and past deployments) can be found in the System
>>     >>     add-on deployment matrix[1].
>>     >>
>>     >>     Thanks
>>     >>
>>     >>     [0]
>>     >>     https://wiki.mozilla.org/Firefox/Go_Faster/System_Add-ons/Process#Verification_of_Test_Channel
>>     >>     [1]
>>     >>     https://docs.google.com/spreadsheets/d/1yOgiOTU8q2I709VFhjCYCLATmoyQueV8RttPzciFIkQ/edit#gid=0
>>     >>
>>     >>     --
>>     >>     Cory Price
>>     >>     /ckprice
>>     >
>>     >
>>     >
>>     >
>>     > --
>>     > Cory Price
>>     > /ckprice
>>
>>
>>
>>
>> -- 
>> Cory Price
>> /ckprice
