Closed Bug 1296148 Opened 8 years ago Closed 7 years ago

Stop connecting to github.com in tier-1 automation

Categories

(Firefox Build System :: Task Configuration, task)

RESOLVED FIXED

People

(Reporter: gps, Unassigned, Mentored)

Dependencies on 3rd party services in Tier-1 Firefox release automation is a big no-no because it increases the surface area of services we rely on to ship Firefox. Plus it introduces non-determinism/reproducibility concerns and MitM attack vectors.

GitHub outages and GitHub dropping our traffic (because our traffic patterns resemble DDoS and can take up a lot of bandwidth) have bitten us before.

We don't want our Tier-1 release automation hitting github.com. We don't want connectivity issues to github.com preventing us from performing a Firefox chemspill release.

It appears our automation still connects to github.com in places. Here are some locations fetching tooltool (which is now vendored in mozilla-central):

$ ag build-tooltool
taskcluster/ci/legacy/tasks/l10n.yml
49: TOOLTOOL_REPO: 'https://github.com/mozilla/build-tooltool'

taskcluster/ci/legacy/tasks/build.yml
31: TOOLTOOL_REPO: 'https://github.com/mozilla/build-tooltool'

taskcluster/ci/legacy/tasks/harness_test.yml
56: TOOLTOOL_REPO: 'https://github.com/mozilla/build-tooltool'

taskcluster/scripts/builder/build-haz-linux.sh
38:: ${TOOLTOOL_REPO:=https://github.com/mozilla/build-tooltool}

taskcluster/scripts/builder/sm-tooltool-config.sh
6:: ${TOOLTOOL_REPO:=https://github.com/mozilla/build-tooltool}

taskcluster/scripts/misc/build-cctools.sh
41:wget -O tooltool.py https://raw.githubusercontent.com/mozilla/build-tooltool/master/tooltool.py

taskcluster/scripts/misc/build-clang-linux.sh
12:wget -O tooltool.py https://raw.githubusercontent.com/mozilla/build-tooltool/master/tooltool.py

tools/lint/eslint/update
55:wget https://raw.githubusercontent.com/mozilla/build-tooltool/master/tooltool.py

testing/mozharness/mozharness/mozilla/tooltool.py
15: "https://raw.githubusercontent.com/mozilla/build-tooltool/master/tooltool.py"

testing/docker/desktop-build/Dockerfile
33:RUN wget -O /builds/tooltool.py https://raw.githubusercontent.com/mozilla/build-tooltool/master/tooltool.py

testing/docker/android-gradle-build/Dockerfile
27:RUN wget -O /builds/tooltool.py https://raw.githubusercontent.com/mozilla/build-tooltool/master/tooltool.py
75:ADD https://raw.githubusercontent.com/mozilla/build-tooltool/master/tooltool.py /build/tooltool.py

testing/docker/centos6-build/system-setup.sh
283:curl https://raw.githubusercontent.com/mozilla/build-tooltool/master/tooltool.py > tooltool.py

testing/docker/rust-build/Dockerfile
14:ADD https://raw.githubusercontent.com/mozilla/build-tooltool/master/tooltool.py /build/tooltool.py

testing/mozbase/mozrunner/mozrunner/devices/android_device.py
27:TOOLTOOL_URL = 'https://raw.githubusercontent.com/mozilla/build-tooltool/master/tooltool.py'
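
A check for the kind of references listed in the report above, as an added example that is not part of the original report or of Mozilla's tooling: it flags every URL whose host is outside an allow-list and marks raw.githubusercontent.com fetches that track a moving branch such as master. The allow-list and the host name mirror.internal.example are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path
from urllib.parse import urlsplit

# Assumption: hosts tier-1 automation may reach (placeholder name).
ALLOWED_HOSTS = {"mirror.internal.example"}
MUTABLE_REFS = {"master", "main", "HEAD"}  # refs that move between builds
URL_RE = re.compile(r"https?://[^\s'\"<>{}]+")

def audit_text(path, text):
    """Return one finding per URL in `text` whose host is not allowed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for url in URL_RE.findall(line):
            try:
                parts = urlsplit(url)
                host = (parts.hostname or "").lower()
            except ValueError:
                continue  # malformed authority, nothing to classify
            if host in ALLOWED_HOSTS:
                continue
            seg = [s for s in parts.path.split("/") if s]
            findings.append({
                "path": path, "line": lineno, "host": host,
                # Layout: raw.githubusercontent.com/<org>/<repo>/<ref>/<file>
                "mutable_ref": host == "raw.githubusercontent.com"
                and len(seg) > 3 and seg[2] in MUTABLE_REFS,
            })
    return findings

def audit_tree(root):
    """Audit every regular file under a checkout, skipping VCS metadata."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and not {".git", ".hg"} & set(p.parts):
            findings += audit_text(str(p), p.read_text("utf-8", errors="ignore"))
    return findings

# Constructed sample: two lines copied from the report plus one allowed fetch.
SAMPLE = (
    "wget -O tooltool.py https://raw.githubusercontent.com/mozilla/build-tooltool/master/tooltool.py\n"
    ": ${TOOLTOOL_REPO:=https://github.com/mozilla/build-tooltool}\n"
    "curl https://mirror.internal.example/tooltool.py > tooltool.py\n"
)

if __name__ == "__main__":
    hits = audit_tree(sys.argv[1]) if len(sys.argv) > 1 else audit_text("<sample>", SAMPLE)
    print(*hits, sep="\n")
```

Run with a checkout path as the only argument to audit a tree; with no argument it audits the constructed sample.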
bug 1302767 addresses a lot of this.
Depends on: 1302767
Mentor: dustin
I believe we just made a check as part of upcoming TLS changes at GitHub, and determined that we do not pull from GitHub anymore.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Depends on: 1345972
Product: TaskCluster → Firefox Build System