info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
BMO Component for Master Password bugs
53 views
Skip to first unread message
Matthew N.
Jul 14, 2016, 6:50:56 PM7/14/16
to passwords-dev, dev-se...@lists.mozilla.org
Hello,
Bugs related to master password are currently scattered through bugzilla
such as the following components in descending order by bug count (after
ignoring non-fx-desktop products and platform-specific issues):
- Toolkit::Password Manager - 25
- Firefox::Security - 13
- Core::Security: PSM - 7
- Core::Security: UI - 7
- NSS::Libraries - 5
- …
(source: https://mzl.la/29GINuz which is after a mass-closing of many of
them last year)
It's not a huge number of bugs but having them spread around makes it
harder to track and triage them and the components that they end up in. I
specifically would like to move most master password bugs out of
Toolkit::Password Manager since they aren't specific to the password
manager and get in the way of password manager triage as they're currently
around 7% of the pwmgr bugs.
Does anyone want to nominate an existing component as the place to move
master password bugs that aren't consumer-specific? If not, I propose
creating a new component e.g. "Core::Security: Master Password" to move the
bugs to.
Thanks,
MattN
Bugs related to master password are currently scattered through bugzilla
such as the following components in descending order by bug count (after
ignoring non-fx-desktop products and platform-specific issues):
- Toolkit::Password Manager - 25
- Firefox::Security - 13
- Core::Security: PSM - 7
- Core::Security: UI - 7
- NSS::Libraries - 5
- …
(source: https://mzl.la/29GINuz which is after a mass-closing of many of
them last year)
It's not a huge number of bugs but having them spread around makes it
harder to track and triage them and the components that they end up in. I
specifically would like to move most master password bugs out of
Toolkit::Password Manager since they aren't specific to the password
manager and get in the way of password manager triage as they're currently
around 7% of the pwmgr bugs.
Does anyone want to nominate an existing component as the place to move
master password bugs that aren't consumer-specific? If not, I propose
creating a new component e.g. "Core::Security: Master Password" to move the
bugs to.
Thanks,
MattN
Gijs Kruitbosch
Jul 15, 2016, 8:43:18 AM7/15/16
to Matthew N.
On 14/07/2016 23:50, Matthew N. wrote:
> I specifically would like to move most master password bugs out of
> Toolkit::Password Manager since they aren't specific to the password
> manager
I'm a little confused. What other things than password manager do the
> I specifically would like to move most master password bugs out of
> Toolkit::Password Manager since they aren't specific to the password
> manager
master password bugs relate to? Isn't it only used to secure
passwords/logins? In other words, why isn't Toolkit::Password Manager
the correct component?
~ Gijs
Matthew N.
Jul 15, 2016, 5:54:07 PM7/15/16
to Gijs Kruitbosch, passwords-dev, mozilla-de...@lists.mozilla.org
On Fri, Jul 15, 2016 at 5:42 AM, Gijs Kruitbosch <gijskru...@gmail.com>
wrote:
> On 14/07/2016 23:50, Matthew N. wrote:
>
client certificates and possibly extensions.
Two reasons why most of the MP bugs don't belong in the password manager
component:
a) The MP implementation code/UI aren't in the password manager source
directories. I think the implementation is in PSM.
b) The owners of password manager don't own the master password
implementation and therefore the bugs aren't triaged by the same people.
I'm not saying no MP bugs belong in the password manager component but
even ignoring the ones in the password manager component I think it's clear
that the bugs are fragmented between many components.
Matthew
wrote:
> On 14/07/2016 23:50, Matthew N. wrote:
>
>> I specifically would like to move most master password bugs out of
>> Toolkit::Password Manager since they aren't specific to the password
>> manager
>>
>
>> Toolkit::Password Manager since they aren't specific to the password
>> manager
>>
>
> I'm a little confused. What other things than password manager do the
> master password bugs relate to? Isn't it only used to secure
> passwords/logins? In other words, why isn't Toolkit::Password Manager the
> correct component?
The implementation of master password code and UI. It's also used for
> master password bugs relate to? Isn't it only used to secure
> passwords/logins? In other words, why isn't Toolkit::Password Manager the
> correct component?
client certificates and possibly extensions.
Two reasons why most of the MP bugs don't belong in the password manager
component:
a) The MP implementation code/UI aren't in the password manager source
directories. I think the implementation is in PSM.
b) The owners of password manager don't own the master password
implementation and therefore the bugs aren't triaged by the same people.
I'm not saying no MP bugs belong in the password manager component but
even ignoring the ones in the password manager component I think it's clear
that the bugs are fragmented between many components.
Matthew
Justin Dolske
Jul 18, 2016, 5:07:50 PM7/18/16
to passwords-dev, dev-se...@lists.mozilla.org
On 7/14/16 3:50 PM, Matthew N. wrote:
> Does anyone want to nominate an existing component as the place to move
> master password bugs that aren't consumer-specific? If not, I propose
> creating a new component e.g. "Core::Security: Master Password" to move the
> bugs to.
I think the technically correct answer ("the best kind of correct") is
> Does anyone want to nominate an existing component as the place to move
> master password bugs that aren't consumer-specific? If not, I propose
> creating a new component e.g. "Core::Security: Master Password" to move the
> bugs to.
that most MP bugs belong in NSS::Libraries and Core::Security: PSM,
since that's where the actual implementation is. (For those who don't
know: the "master password" is nothing more than a PKCS#11 token PIN.)
But that's pretty non-obvious to anyone not working in the code, and I
don't think having the bugs live there makes them any more likely to be
fixed.
I suggest just keeping Toolkit::PasswordManager as the default place
until such time as we can switch a master password implementation that's
not based on a crufty old token PIN. That's where they're most likely to
get filed/triaged to in the first place, anyway.
This is a small number of not-really-new bugs, so I'm not really sure it
merits its own component, either.
Justin
Justin Dolske
Jul 18, 2016, 5:07:51 PM7/18/16
to passwords-dev, dev-se...@lists.mozilla.org
On 7/14/16 3:50 PM, Matthew N. wrote:
> Does anyone want to nominate an existing component as the place to move
> master password bugs that aren't consumer-specific? If not, I propose
> creating a new component e.g. "Core::Security: Master Password" to move the
> bugs to.
> master password bugs that aren't consumer-specific? If not, I propose
> creating a new component e.g. "Core::Security: Master Password" to move the
> bugs to.
0 new messages