Plugins:PluginDirectory:2010-03-26

From MozillaWiki
Revision as of 23:06, 25 March 2010 by LesOrchard

Agenda

Scheduling:

  • Does the week of the 12th give us enough time to complete everything we need for launch?
    • Les: Probably not, and is this absolutely everything we need for launch? Honestly, I'd like to be pessimistic about the launch date rather than rush anything - especially since this is a security-driven project. Probably better to think in terms of a mid-to-late Q2 goal than a mid-April goal.
  • Will all parties involved be able to prioritize this project accordingly in order to get this all done for that date?
    • Les: I've been mostly heads down on another project for the last weeks, but hopefully can come up for air in the next week. I expect distractions ahead, though.

Web Dev

  • Best Security Practices:
    • Do we have the list (Chris Lyon was going to provide) of security basics?
      • Les: Michael Coates has been filing good security bugs that need addressing - are these bugs "it", or is there more?
    • What has been implemented and what needs to be done?
      • Les: Hoping to review the security review bugs starting next week.
    • Who should implement?
      • Les: Probably me.
    • How long will it take?
      • Les: Not sure, pending a close look at the bugs so far.
  • Notification system
    • Who should be notified when changes happen?
      • Les: A list would be nice; that, and/or I could look at building an admin tool and per-user preferences to manage who gets notifications
    • Who should be on the hook to confirm changes?
      • Les: Hopefully not me; would be nice to have someone security-minded and plugin-informed to keep on top of it. I can help build the tools, but would rather not also be the manager of the data.
    • Who builds this into the directory?
      • Les: Probably me.
  • Passwords
    • Already changed admin and editor passwords.
      • Les: Thanks, Austin.
    • What about the blanket password for stage site?
      • Les: Do we want this? Could be a matter of a simple IT bug to create an .htaccess / .htpasswd, unless we want LDAP passwords (ie. a less-simple IT bug)
    • Who owns this?
      • Les: Probably me.
  • Connections between Plugin Dir and Check:
    • How do we add the ability to shut off the connection if data is compromised?
      • Les: Probably best to build something into the Plugin Check page that displays a "service not available" message if the Plugin Directory serves up an error.
    • What should be the fallback data (good data) if such a shutoff were needed?
      • Les: No fallback data; there should be an admin panic switch in the Plugin Directory to cut off the API and serve up errors.
    • How do we make sure that data is "good"?
      • Les: There is no way, as far as I know.
    • Who owns this?
      • Les: Probably me.
  • Auditing Tools
    • Need tools to be able to audit activity with Plugins.
    • Need to create logs in order to track activity.
      • Les: What I have in mind: create a log table that records all changes to public plugin metadata (eg. not sandboxes) by time, user, and action - and will save backups of plugin metadata between each major change to enable rollbacks.
    • File an IT ticket to audit past activity/current activity on PMO.
      • Les: What kind of information is wanted? ie. just need apache logs pulled, more?
    • How does QA fit into this in order to follow what should be tested, what has been tested, what is defined as good data?
    • Who owns this?
      • Les: Probably me - at least in terms of building audit tools going forward.

Security

  • Plugin Directory
    • Should Security own this? If not, who does?
      • Les: Would be nice to have stakeholders from Security and Firefox devs involved with plugins giving feedback on the project, but it's probably a WebDev effort.
    • If so, when does the hand off happen and who should lead this project?
      • Les: Probably me.

QA

  • Progress on test plan?
  • Concerns, issues?

Roundtable

Les

  • I'll be in Mountain View, 4/5-4/9 - there's mention of a Brown Bag, but maybe there needs to be more of a planning meeting?
  • The probably-me's up there add up to potentially a lot of work (eg. more than 2 weeks), and I'll be distracted by travel and other projects getting started with Q2.
  • This project hasn't been my top priority, and has only gotten about 20% of my time in Q1.
  • It could use more attention, both from me and other possibly interested parties (eg. Security folks, Firefox devs dealing with plugins, vendors).
  • Is this thing really ready for primetime, even after the security bugs have been addressed? Need some 2nd opinions here.
    • Is the anonymous crowdsourcing of plugin data and security tips actually a good idea?
      • ...or is it too obscure for anyone not already a vendor representative or directory editor anyway?
    • Does the plugin editing / sandbox workflow process make sense?
    • Needs better basic admin tools - eg. user admin, audit tools
  • To launch the updated Plugin Check, yet not fully launch the Plugin Directory:
    • Turn on LDAP passwords for staging *and* production, except for the search API at http://plugins.mozilla.org/pfs/v2
    • Dogfood the Directory as a (semi-)private tool to update Plugin Check for now, until it's had more time in the oven.
    • Pull back from vendor invitations to the Directory, for now?
      • Unless we give them LDAP passwords, and trust them, and apologize for feeding them my dogfood :)