Security/Reviews/Firefox/Add-on hotfix

From MozillaWiki
Revision as of 19:17, 21 November 2011 by Clegnitto

Introduce Feature (5-10 minutes) [can be answered ahead of time to save meeting time]

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

  • Provide a low-touch way to update Firefox users in the field without a "full" software update
  • The add-on would hopefully replace the need for #.0.1 releases and we'd be able to respond to security issues even more quickly

What solutions/approaches were considered other than the proposed solution?

  • Different update snippets / MARs
  • "Special" kind of add-on
  • One-off system to download a .tgz from mozilla.org

Why was this solution chosen?

  • Minimal code changes
  • Using sec-reviewed systems and code
    • AMO
    • Add-on manager
    • Add-on system

Any security threats already considered in the design and why?

  • Users can disable the add-on, perhaps delaying security fixes
    • This concern is no different than normal updates

Threat Brainstorming (30-40 minutes)

Conclusions / Action Items (10-20 minutes)