
Can we sign our nightly builds?


Gervase Markham

Jun 9, 2011, 8:35:31 AM
Dear dev.planning,

https://bugzilla.mozilla.org/show_bug.cgi?id=663055

Internet Explorer 9 ships a technology called SmartScreen which assigns
reputation to downloaded executables based on either a) their code
signing certificate or b) the file hash:
http://blogs.msdn.com/b/ie/archive/2011/05/17/smartscreen-174-application-reputation-in-ie9.aspx

Having a low reputation score means IE throws a warning when you try and
download the file, which says:
"This file is not commonly downloaded and may harm your computer."
and does its best to stop you from running it anyway.

I was approached by a Microsoft engineer from this team at a conference
who said that he didn't _want_ IE to throw up scary warnings for people
downloading Firefox and Thunderbird nightlies, but as we don't sign our
nightlies, it makes it very hard to avoid it. Each one is a new file
with a new hash, and starts with zero reputation.

I asked him to file a bug about it (knowing this might be politically
difficult for him) and was slightly surprised and very pleased when he
did: https://bugzilla.mozilla.org/show_bug.cgi?id=663055 .

However, bhearsum rapidly resolved it as WONTFIX, said that this was a
conscious decision, and that to get it changed, we needed to have a
discussion here.

Why don't we sign our nightlies, what would it take to get us to do so,
and do we care that IE tells everyone they might be dangerous?

Gerv

Ben Hearsum

Jun 9, 2011, 8:42:07 AM
to Gervase Markham
On 06/09/11 08:35 AM, Gervase Markham wrote:

> Why don't we sign our nightlies, what would it take to get us to do so,
> and do we care that IE tells everyone they might be dangerous?

Part of it is technical: We (currently) have no way to automatically
sign builds, which makes signing anything on a nightly basis
prohibitively time-consuming. There's some work underway to fix this
(https://bugzilla.mozilla.org/show_bug.cgi?id=509158). Once that's
fixed, there'd be no technical reason why we couldn't.

Ron Hunter

Jun 9, 2011, 8:45:27 AM

In one sense, it may be a good thing for IE to throw this kind of
warning. Users who know anything about FF will see this as a nasty dig
at FF from MS. Kind of reverse psychology.

Patrick Finch

Jun 9, 2011, 8:45:34 AM
to Gervase Markham, dev-pl...@lists.mozilla.org

If people don't have an intimate knowledge of nightly builds, shouldn't
they be on Aurora or Beta (or stable?).

I'd say nightlies are for people actively involved in the project, given
our new channels - this partially mitigates it for Firefox, but not Thunderbird.


Patrick


--
Patrick Finch
Mozilla
pat...@mozilla.com
Mobile: +46 768 444 833
Office: +1 650 903 0800 ext. 340
Twitter: @patrickf
IM: patric...@gmail.com

Ben Hearsum

Jun 9, 2011, 8:49:39 AM
to Patrick Finch, Gervase Markham, dev-pl...@lists.mozilla.org
On 06/09/11 08:45 AM, Patrick Finch wrote:
> If people don't have an intimate knowledge of nightly builds, shouldn't
> they be on Aurora or Beta (or stable?).

Aurora builds aren't signed, either, as they're simply nightlies from a
different branch.

Henri Sivonen

Jun 9, 2011, 9:43:47 AM
to dev-pl...@lists.mozilla.org

Looks more like the other bug should depend on this one instead of being
WONTFIXed. I'm a bit troubled that bugs about making it easier for
people to run test builds get WONTFIXed so easily.

Another bug in this general area
(https://bugzilla.mozilla.org/show_bug.cgi?id=655667) was INCOMPLETEd.
Should I bring it up here or email to a driver address in order to try
to get it reopened?

--
Henri Sivonen
hsiv...@iki.fi
http://hsivonen.iki.fi/

Ben Hearsum

Jun 9, 2011, 9:47:51 AM
to Henri Sivonen, dev-pl...@lists.mozilla.org
On 06/09/11 09:43 AM, Henri Sivonen wrote:
> On Thu, 2011-06-09 at 08:42 -0400, Ben Hearsum wrote:
>> On 06/09/11 08:35 AM, Gervase Markham wrote:
>>
>>> Why don't we sign our nightlies, what would it take to get us to do so,
>>> and do we care that IE tells everyone they might be dangerous?
>>
>> Part of it is technical: We (currently) have no way to automatically
>> sign builds, which makes signing anything on a nightly basis
>> prohibitively time-consuming. There's some work underway to fix this
>> (https://bugzilla.mozilla.org/show_bug.cgi?id=509158). Once that's
>> fixed, there'd be no technical reason why we couldn't.
>
> Looks more like the other bug should depend on this one instead of being
> WONTFIXed. I'm a bit troubled that bugs about making it easier for
> people to run test builds get WONTFIXed so easily.

If we come to the consensus that we *want* to sign our nightly builds, sure.

> Another bug in this general area
> (https://bugzilla.mozilla.org/show_bug.cgi?id=655667) was INCOMPLETEd.
> Should I bring it up here or email to a driver address in order to try
> to get it reopened?

I don't see how this bug is related in any way.

Kevin Dangoor

Jun 9, 2011, 9:58:24 AM
to Henri Sivonen, dev-pl...@lists.mozilla.org
On Thu, Jun 9, 2011 at 9:43 AM, Henri Sivonen <hsiv...@iki.fi> wrote:

> Another bug in this general area
> (https://bugzilla.mozilla.org/show_bug.cgi?id=655667) was INCOMPLETEd.
> Should I bring it up here or email to a driver address in order to try
> to get it reopened?
>

FWIW, I agree with Benjamin there that this bug should be a feature page and
not just a bug. At the moment, I just have the Profile Manager come up every
time I run Firefox, but that's suboptimal so I agree with you that doing
*something* there would be good. But, Benjamin's point is that the change
there is not necessarily obvious because different people will have
different expectations and desires.

There may be some overlap between the feature you're looking for and this
one:

https://wiki.mozilla.org/Ability_to_run_concurrent_channels

Kevin

--
Kevin Dangoor

work: http://mozilla.com/
email: kdan...@mozilla.com <k...@blazingthings.com>
blog: http://www.BlueSkyOnMars.com

Johnathan Nightingale

Jun 9, 2011, 10:06:47 AM
to Ben Hearsum, Henri Sivonen, dev-pl...@lists.mozilla.org
On 2011-06-09, at 9:47 AM, Ben Hearsum wrote:
> On 06/09/11 09:43 AM, Henri Sivonen wrote:
>> On Thu, 2011-06-09 at 08:42 -0400, Ben Hearsum wrote:
>>> On 06/09/11 08:35 AM, Gervase Markham wrote:
>>>
>>>> Why don't we sign our nightlies, what would it take to get us to do so,
>>>> and do we care that IE tells everyone they might be dangerous?
>>>
>>> Part of it is technical: We (currently) have no way to automatically
>>> sign builds, which makes signing anything on a nightly basis
>>> prohibitively time-consuming. There's some work underway to fix this
>>> (https://bugzilla.mozilla.org/show_bug.cgi?id=509158). Once that's
>>> fixed, there'd be no technical reason why we couldn't.
>>
>> Looks more like the other bug should depend on this one instead of being
>> WONTFIXed. I'm a bit troubled that bugs about making it easier for
>> people to run test builds get WONTFIXed so easily.
>
> If we come to the consensus that we *want* to sign our nightly builds, sure.


Modulo the work in bug 509158 that you mention above, are there other concerns you have or are aware of that would keep us from wanting to do so?

J

---
Johnathan Nightingale
Director of Firefox Engineering
joh...@mozilla.com

Ben Hearsum

Jun 9, 2011, 10:11:13 AM
to Johnathan Nightingale, Henri Sivonen, dev-pl...@lists.mozilla.org

I'm not aware of any. I don't think it's a discussion we've ever had
until now, though!

John Wilcock

Jun 9, 2011, 10:18:26 AM

What's the other part?

Are there any specific reasons why you would *not* want to sign them,
assuming you had the technical capability of doing so?

--
John

Lukas Blakk

Jun 9, 2011, 11:52:29 AM
to dev-pl...@lists.mozilla.org
I would say the other part is finding the cycles for someone to do the
work. So if part I is technical, part II is human resources.

Lukas Blakk

Jun 9, 2011, 11:53:29 AM
to dev-pl...@lists.mozilla.org
On 11-06-09 4:18 PM, John Wilcock wrote:
and part III is that this conversation needed to happen in a large group
(or long email thread) to determine the priority something like this
should have.

Mike Shaver

Jun 9, 2011, 1:00:55 PM
to Johnathan Nightingale, Henri Sivonen, Ben Hearsum, dev-pl...@lists.mozilla.org
I have some concerns.

What does it mean to have a binary signed by Mozilla's code key? Do we want
to stamp the nightlies with the same level of endorsement? Do we want to
sign unbranded builds?

What are our current key-management practices for the signing key, and how
would they need to change in order to accommodate hands-off signing? Does
putting something in the right directory on an internet-connected host get
it signed? If we use a different key, how is it different from the user's
perspective?

I also have some prioritization concerns.

Given that this characteristic of IE9 only affects the initial download and
not subsequent nightlies, I think I would prioritize it below
signing our *release* binaries on Mac. Because of non-SSL intermediaries and
third-party mirrors, there's basically no way for someone to tell if they
got the right bits.

There are lots of things many of us could do to improve the "test a nightly"
experience, though typically we just insist that it be someone else's top
priority when it's not our own. I agree that they're not really germane to
the primary topic of this thread.

If we're going to do work on the signing mechanism, though, I think we
should be very careful about what it means to be "signed with mozilla's
key", and I think that the complete lack of Mac signing should be a higher
priority.

Mike
On Jun 9, 2011 10:06 AM, "Johnathan Nightingale" <joh...@mozilla.com>
wrote:
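
Shaver's two questions above, what a user can check when the bits arrive through non-SSL intermediaries and third-party mirrors, and how a different key shows up from the user's perspective, come down to the same verification step on the receiving side. The Go program below is an added example, not code from Mozilla or from this thread. It assumes a build ships with a manifest of SHA-256 digests signed by one of two separately named identities; the identity names, the manifest text format, the ed25519 keys derived from fixed seeds and the installer bytes are all constructed for the example (Authenticode on Windows and Mac code signing wrap the same idea in platform-specific containers).

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// TrustStore maps a signer name the user will see to its public key. Two
// distinct keys, nightly and release, are an assumption of this example.
type TrustStore map[string]ed25519.PublicKey

// Manifest names its signer and lists the SHA-256 of every artifact. It is
// what the user fetches next to the build, together with its signature.
type Manifest struct {
	Signer string
	Files  map[string][32]byte
}

// BuildManifest hashes the artifacts on the build host (no key needed).
func BuildManifest(signer string, artifacts map[string][]byte) Manifest {
	m := Manifest{Signer: signer, Files: map[string][32]byte{}}
	for name, data := range artifacts {
		m.Files[name] = sha256.Sum256(data)
	}
	return m
}

// Encode renders the manifest as text with sorted filenames, so signer and
// verifier sign and check exactly the same bytes. Format constructed here.
func (m Manifest) Encode() []byte {
	names := make([]string, 0, len(m.Files))
	for n := range m.Files {
		names = append(names, n)
	}
	sort.Strings(names)
	out := "signer: " + m.Signer + "\n"
	for _, n := range names {
		d := m.Files[n]
		out += hex.EncodeToString(d[:]) + "  " + n + "\n"
	}
	return []byte(out)
}

// SignManifest is the only step that needs the private key; it belongs on a
// signing host, not on build machines or mirrors.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Encode())
}

// VerifyDownload is the user-side check for bits fetched over plain HTTP from
// any mirror: the manifest must verify under the key of the signer it names,
// and the file's digest must match the manifest. The name it returns is all
// the user actually learns about where the bits came from.
func VerifyDownload(trust TrustStore, m Manifest, sig []byte, name string, data []byte) (string, error) {
	pub, ok := trust[m.Signer]
	if !ok {
		return "", fmt.Errorf("untrusted signer %q", m.Signer)
	}
	if !ed25519.Verify(pub, m.Encode(), sig) {
		return "", fmt.Errorf("manifest signature does not verify under %q", m.Signer)
	}
	want, ok := m.Files[name]
	if !ok {
		return "", fmt.Errorf("%q is not listed in the manifest", name)
	}
	if sha256.Sum256(data) != want {
		return "", fmt.Errorf("%q: digest mismatch, mirror served different bits", name)
	}
	return m.Signer, nil
}

// DemoKeys derives both identities' keys from fixed seeds so the example is
// reproducible. Constructed for illustration; real keys come from a CSPRNG.
func DemoKeys() (TrustStore, map[string]ed25519.PrivateKey) {
	trust, privs := TrustStore{}, map[string]ed25519.PrivateKey{}
	for _, name := range []string{"Mozilla Nightly (untested)", "Mozilla Release"} {
		seed := sha256.Sum256([]byte("example seed for " + name))
		priv := ed25519.NewKeyFromSeed(seed[:])
		privs[name], trust[name] = priv, priv.Public().(ed25519.PublicKey)
	}
	return trust, privs
}

func main() {
	trust, privs := DemoKeys()
	const nightly = "Mozilla Nightly (untested)"
	files := map[string][]byte{"firefox-nightly.exe": []byte("stand-in for an installer")}
	m := BuildManifest(nightly, files)
	sig := SignManifest(privs[nightly], m)
	who, err := VerifyDownload(trust, m, sig, "firefox-nightly.exe", files["firefox-nightly.exe"])
	fmt.Println("honest mirror:", who, err)
	_, err = VerifyDownload(trust, m, sig, "firefox-nightly.exe", []byte("substituted bits"))
	fmt.Println("tampering mirror:", err)
}
```

The name the user ends up with is whatever the verifying key is bound to, which is why a separate nightly key is meaningful from the user's perspective: the same check passes, but it reports the nightly identity rather than the release one, and a manifest that claims the release identity while carrying a nightly signature fails. The mirror only ever handles public data, so nothing here answers Shaver's key-management question about the signing host; that is where the private half of DemoKeys would have to live.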

Johnathan Nightingale

Jun 9, 2011, 2:54:23 PM
to Mike Shaver, Henri Sivonen, Ben Hearsum, dev-pl...@lists.mozilla.org
On 2011-06-09, at 1:00 PM, Mike Shaver wrote:
> If we're going to do work on the signing mechanism, though, I think we should be very careful about what it means to be "signed with mozilla's key", and I think that the complete lack of Mac signing should be a higher priority.
>
In case I have seemed to suggest otherwise by asking questions earlier, I wanted to say that I agree wholeheartedly with both of these. I think the priority of any work here is low, well below the Mac release signing piece as well as several other things I know releng to be working on. I can well imagine that we could come up with answers to satisfy Shaver's other (important, and hard!) questions here, and still not find the effect to be worth the costs.

Asa Dotzler

Jun 9, 2011, 4:30:19 PM


In the meantime I'm going to reopen the bug, set the dependency
properly, note that it hasn't yet been fully evaluated, and point to
this thread.

- A

James May

Jun 9, 2011, 5:14:49 PM
to Mike Shaver, Henri Sivonen, Ben Hearsum, dev-pl...@lists.mozilla.org, Johnathan Nightingale
I'd just like to point out that the lack of signedness rears its ugly
head each time nightly updates itself in the form of an orange UAC
prompt.

I would also expect that any new improved non-admin updater that might
be in the pipeline would check signatures.


On 10 June 2011 03:00, Mike Shaver <mike....@gmail.com> wrote:
> I have some concerns.
>
> What does it mean to have a binary signed by Mozilla's code key?  Do we want
> to stamp the nightlies with the same level of endorsement? Do we want to
> sign unbranded builds?
>
> What are our current key-management practices for the signing key, and how
> would they need to change in order to accommodate hands-off signing?  Does
> putting something in the right directory on an internet-connected host get
> it signed?  If we use a different key, how is it different from the user's
> perspective?
>
> I also have some prioritization concerns.
>
> Given that this characteristic of IE9 only affects the initial download and
> not subsequent nightlies, I think I would prioritize it below
> signing our *release* binaries on Mac. Because of non-SSL intermediaries and
> third-party mirrors, there's basically no way for someone to tell if they
> got the right bits.
>
> There are lots of things many of us could do to improve the "test a nightly"
> experience, though typically we just insist that it be someone else's top
> priority when it's not our own. I agree that they're not really germane to
> the primary topic of this thread.
>

> If we're going to do work on the signing mechanism, though, I think we
> should be very careful about what it means to be "signed with mozilla's
> key", and I think that the complete lack of Mac signing should be a higher
> priority.
>

> Mike
>  On Jun 9, 2011 10:06 AM, "Johnathan Nightingale" <joh...@mozilla.com>
> wrote:


--
James May

Robert Strong

Jun 9, 2011, 6:40:46 PM
to dev-pl...@lists.mozilla.org

On 6/9/2011 2:14 PM, James May wrote:
> I'd just like to point out that the lack of signedness rears its ugly
> head each time nightly updates itself in the form of an orange UAC
> prompt.
>
> I would also expect that any new improved non-admin updater that might
> be in the pipeline would check signatures.
Possibly, but not necessarily. For the updater to patch a file it can't
be modified, so the signature must be intact, and when the updater
replaces a file it will be intact.


--
Cheers,
Robert Strong
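
Robert's point, that a partial update can only be applied to a file that has not been modified since it was built, is easiest to see in an applier that pins both the input and the output digest. The Go program below is an added example and not the Firefox updater's code; its single-splice patch format is a stand-in for a bsdiff-style partial patch (which likewise only makes sense against exactly known input), and the "build contents" strings are constructed.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Edit is one splice in a partial update: replace Length bytes at Offset
// with New. Constructed format, standing in for a real binary diff.
type Edit struct {
	Offset int
	Length int
	New    []byte
}

// Patch carries the digests it was generated against, so an applier can
// refuse to touch a file that is not the exact bits the patch expects.
type Patch struct {
	PreDigest  [32]byte
	PostDigest [32]byte
	Edits      []Edit // sorted by Offset, non-overlapping
}

var (
	ErrPreImage  = errors.New("installed file is not the bits this patch was built against")
	ErrPostImage = errors.New("patched result does not match the expected digest")
)

// MakePatch diffs old against upd with a naive common-prefix/common-suffix
// scan, producing one edit that covers whatever changed in the middle.
func MakePatch(old, upd []byte) Patch {
	p := 0
	for p < len(old) && p < len(upd) && old[p] == upd[p] {
		p++
	}
	s := 0
	for s < len(old)-p && s < len(upd)-p && old[len(old)-1-s] == upd[len(upd)-1-s] {
		s++
	}
	mid := append([]byte(nil), upd[p:len(upd)-s]...)
	return Patch{
		PreDigest:  sha256.Sum256(old),
		PostDigest: sha256.Sum256(upd),
		Edits:      []Edit{{Offset: p, Length: len(old) - p - s, New: mid}},
	}
}

// ApplyPatch returns the updated bytes, or an error and no output. The
// pre-image check rejects any locally modified file (for example one whose
// embedded signature was stripped or that another tool rewrote), which is
// the case that has to fall back to a complete update; the post-image check
// rejects a corrupt or mis-generated patch before it replaces anything.
func ApplyPatch(installed []byte, p Patch) ([]byte, error) {
	if sha256.Sum256(installed) != p.PreDigest {
		return nil, ErrPreImage
	}
	var out bytes.Buffer
	cursor := 0
	for _, e := range p.Edits {
		if e.Offset < cursor || e.Offset+e.Length > len(installed) {
			return nil, fmt.Errorf("malformed edit at offset %d", e.Offset)
		}
		out.Write(installed[cursor:e.Offset])
		out.Write(e.New)
		cursor = e.Offset + e.Length
	}
	out.Write(installed[cursor:])
	if sha256.Sum256(out.Bytes()) != p.PostDigest {
		return nil, ErrPostImage
	}
	return out.Bytes(), nil
}

func main() {
	installed := []byte("firefox nightly 2011-06-09 build contents") // constructed
	next := []byte("firefox nightly 2011-06-10 build contents")      // constructed
	patch := MakePatch(installed, next)

	if got, err := ApplyPatch(installed, patch); err == nil && bytes.Equal(got, next) {
		fmt.Println("intact install: partial update applied")
	}
	tampered := append([]byte(nil), installed...)
	tampered[0] = 'F' // any local modification changes the pre-image digest
	if _, err := ApplyPatch(tampered, patch); err != nil {
		fmt.Println("modified install:", err, "-> fall back to a complete update")
	}
}
```

Both digests would themselves need to be covered by the update's signature to be worth anything; the point here is only that a partial update is inherently a check that the installed file is exactly the distributed one, which is what Robert means by the signature having to be intact.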

Gervase Markham

Jun 16, 2011, 7:45:06 AM
On 09/06/11 18:00, Mike Shaver wrote:
> I have some concerns.
>
> What does it mean to have a binary signed by Mozilla's code key?

I would say: "This software comes from Mozilla".

This is the debate (also to be had in the realm of SSL certificates) as
to whether signing means "this website/code is bound to a certain
identity" or "this website/code is nice, happy, pretty and full of cute
kittens".

I am in favour of the former interpretation (given that implementing the
latter is near-impossible), which leads me to advocate code-signing for
anything we release.

Keeping builds away from people who shouldn't be running them is a task
not to be achieved with IE warning boxes.

> What are our current key-management practices for the signing key, and how
> would they need to change in order to accommodate hands-off signing? Does
> putting something in the right directory on an internet-connected host get
> it signed? If we use a different key, how is it different from the user's
> perspective?

Good questions.

> I also have some prioritization concerns.
>
> Given that this characteristic of IE9 only affects the initial download and
> not subsequent nightlies,

You mean because they are updated using Firefox's auto-updater? If so,
then yes. But every nightly download downloaded using IE will have this
problem.

Gerv

Jean-Marc Desperrier

Jun 16, 2011, 8:53:29 AM
Gervase Markham wrote:
> On 09/06/11 18:00, Mike Shaver wrote:
>> I have some concerns.
>>
>> What does it mean to have a binary signed by Mozilla's code key?
> I would say: "This software comes from Mozilla".
>
> This is the debate (also to be had in the realm of SSL certificates) as
> to whether signing means "this website/code is bound to a certain
> identity" or "this website/code is nice, happy, pretty and full of cute
> kittens".
>
> I am in favour of the former interpretation (given that implementing the
> latter is near-impossible), which leads me to advocate code-signing for
> anything we release.
>
> Keeping builds away from people who shouldn't be running them is a task
> not to be achieved with IE warning boxes.

I think a middle solution would be to sign the nightlies with a
dedicated certificate whose name hints that the software received no QA
and can fail badly.

