BMO Component for Master Password bugs

Matthew N.
Hello,

Bugs related to master password are currently scattered through Bugzilla
such as the following components in descending order by bug count (after
ignoring non-fx-desktop products and platform-specific issues):

   - Toolkit::Password Manager - 25
   - Firefox::Security - 13
   - Core::Security: PSM - 7
   - Core::Security: UI - 7
   - NSS::Libraries - 5
   - …

(source: https://mzl.la/29GINuz which is after a mass-closing of many of
them last year)

It's not a huge number of bugs but having them spread around makes it
harder to track and triage them and the components that they end up in. I
specifically would like to move most master password bugs out of
Toolkit::Password Manager since they aren't specific to the password
manager and get in the way of password manager triage as they're currently
around 7% of the pwmgr bugs.

Does anyone want to nominate an existing component as the place to move
master password bugs that aren't consumer-specific? If not, I propose
creating a new component e.g. "Core::Security: Master Password" to move the
bugs to.

Thanks,
MattN
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security

Re: BMO Component for Master Password bugs

Gijs Kruitbosch ("Hannibal")
On 14/07/2016 23:50, Matthew N. wrote:
> I specifically would like to move most master password bugs out of
> Toolkit::Password Manager since they aren't specific to the password
> manager

I'm a little confused. What other things than password manager do the
master password bugs relate to? Isn't it only used to secure
passwords/logins? In other words, why isn't Toolkit::Password Manager
the correct component?

~ Gijs

Re: BMO Component for Master Password bugs

Matthew N.
On Fri, Jul 15, 2016 at 5:42 AM, Gijs Kruitbosch <[hidden email]>
wrote:

> On 14/07/2016 23:50, Matthew N. wrote:
>
>> I specifically would like to move most master password bugs out of
>> Toolkit::Password Manager since they aren't specific to the password
>> manager
>>
>
> I'm a little confused. What other things than password manager do the
> master password bugs relate to? Isn't it only used to secure
> passwords/logins? In other words, why isn't Toolkit::Password Manager the
> correct component?

The implementation of master password code and UI. It's also used for
client certificates and possibly extensions.

Two reasons why most of the MP bugs don't belong in the password manager
component:
a) The MP implementation code/UI aren't in the password manager source
directories. I think the implementation is in PSM.
b) The owners of password manager don't own the master password
implementation and therefore the bugs aren't triaged by the same people.

I'm not saying no MP bugs belong in the password manager component but
even ignoring the ones in the password manager component I think it's clear
that the bugs are fragmented between many components.

Matthew

Re: BMO Component for Master Password bugs

Justin Dolske-2
In reply to this post by Matthew N.
On 7/14/16 3:50 PM, Matthew N. wrote:

> Does anyone want to nominate an existing component as the place to move
> master password bugs that aren't consumer-specific? If not, I propose
> creating a new component e.g. "Core::Security: Master Password" to move the
> bugs to.

I think the technically correct answer ("the best kind of correct") is
that most MP bugs belong in NSS::Libraries and Core::Security: PSM,
since that's where the actual implementation is. (For those who don't
know: the "master password" is nothing more than a PKCS#11 token PIN.)

But that's pretty non-obvious to anyone not working in the code, and I
don't think having the bugs live there makes them any more likely to be
fixed.

I suggest just keeping Toolkit::PasswordManager as the default place
until such time as we can switch to a master password implementation that's
not based on a crufty old token PIN. That's where they're most likely to
get filed/triaged to in the first place, anyway.

This is a small number of not-really-new bugs, so I'm not really sure it
merits its own component, either.

Justin