[webkit-dev] rolling out a buggy security patch

Adam Barth abarth at webkit.org
Tue Mar 12 03:05:31 PDT 2013


On Tue, Mar 12, 2013 at 2:26 AM, Maciej Stachowiak <mjs at apple.com> wrote:

>
> On Mar 12, 2013, at 1:48 AM, Adam Barth <abarth at webkit.org> wrote:
>
> On Tue, Mar 12, 2013 at 1:36 AM, Osztrogonác Csaba <oszi at inf.u-szeged.hu>
> wrote:
>
> But my question is still open about how we can avoid similar
> problems in the future. Why can't we let the EWS bots
> build and test security patches before commit?
>
>
> This topic was discussed on the webkit-security mailing list in May
> 2010.  Unfortunately, the archives of that list are not viewable
> publicly.  Maciej's concerns at the time are summarized in his message
> below:
>
> On Tue, Oct 19, 2010 at 6:16 PM, Maciej Stachowiak <mjs at apple.com> wrote:
>
> The commit bot is not a person and therefore can't agree to the security
> group policy, as required for security group membership.
>
> If a specific person or persons want to take responsibility for an
> additional email account and bugzilla account having security access, then
> that's not categorically excluded. But I'd like to understand who currently
> has access to the commit bot's email account and bugzilla account, what the
> policies are for more people getting access, and whether there are indirect
> ways of getting access such as by modifying the commit bot's code, or by
> uploading a patch that tries to abuse the EWS testers. And I'd like to see
> at least one person named to take responsibility for ensuring that the
> commit bot is not used as a means of violating the policy.
>
>
> Of course, it's entirely possible that his views have changed since then.
>
>
> I am still curious who has access to the commit bot's bugzilla account. Is
> it a small set of known people, is it a large set, is the password sitting
> around somewhere that others may get at it? I do not recall this being
> answered at the time, or perhaps I have forgotten.
>

The approach we've taken is to use different bugzilla accounts for the
different bot administrators.  The commit-queue, the cr-linux-ews, the
style-queue, and sheriffbot share one account (webkit.review.bot at gmail),
whereas the queues that Ossy runs use a different account.

Approximately eight people have access to the account because they have ssh
access to the machines that run those queues.  I can send you the list of
people, if you're interested, but there are certainly folks on that list
who are not members of the WebKit Security Group.

In addition to the bugzilla account, we should also consider the set of
people who have access to the underlying email address (since the email
address can be used to reset the bugzilla password).  In the case of
webkit.review.bot, I'm the only person who has access to the underlying
email account.  (That's probably not ideal from a bus-factor point-of-view,
however.)

> If the set with access is a small set of known people who are willing to be
> identified and be in the security group themselves (or already are), then I
> am personally fine with it.
>

The set of people who are active maintainers of those machines is smaller
than the set of people who have access.  A good first step would be for me to
narrow down the list (and obviously rotate the password).

Adam