Chromium Code Reviews
|
|
Chromium Code Reviews
Issue
2566733003:
Annotate Trusteer Rapport < 3.6 as incompatible with Chrome. (Closed)
|
Created:
4 years ago by Will Harris Modified:
4 years ago CC:
chromium-reviews Target Ref:
refs/pending/heads/master Project:
chromium Visibility:
Public. |
DescriptionAnnotate Trusteer Rapport < 3.6 as incompatible with Chrome.
BUG=671194
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win10_chromium_x64_rel_ng
TEST=manual, install Trusteer Rapport, verify dialog appears.
Committed: https://crrev.com/07a5425d95dc96b3d0a3bd8acad943cf0f4cd2fb
Cr-Commit-Position: refs/heads/master@{#437729}
Patch Set 1 #
Messages
Total messages: 21 (10 generated)
Description was changed from ========== Annotate Trusteer Rapport < 3.6 as incompatible with Chrome. BUG=671194 ========== to ========== Annotate Trusteer Rapport < 3.6 as incompatible with Chrome. BUG=671194 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win10_chromium_x64_rel_ng ==========
Description was changed from ========== Annotate Trusteer Rapport < 3.6 as incompatible with Chrome. BUG=671194 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win10_chromium_x64_rel_ng ========== to ========== Annotate Trusteer Rapport < 3.6 as incompatible with Chrome. BUG=671194 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win10_chromium_x64_rel_ng ==========
wfh@chromium.org changed reviewers: + chrisha@chromium.org, jschuh@chromium.org
chrisha -> PTAL jschuh -> for approval of the general approach.
Description was changed from ========== Annotate Trusteer Rapport < 3.6 as incompatible with Chrome. BUG=671194 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win10_chromium_x64_rel_ng ========== to ========== Annotate Trusteer Rapport < 3.6 as incompatible with Chrome. BUG=671194 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win10_chromium_x64_rel_ng TEST=manual, install Trusteer Rapport, verify dialog appears. ==========
On 2016/12/10 00:07:44, Will Harris wrote: > chrisha -> PTAL > > jschuh -> for approval of the general approach. I will lgtm the general approach, without commenting on why we would support a RecommendedAction other than UNINSTALL. /s
wfh@chromium.org changed reviewers: + finnur@chromium.org
wfh@chromium.org changed reviewers: + pmonette@chromium.org
it seems finnur is the owner of enumerate_modules_model* - can you take a look? alternatively, pmonette also seems to have touched this code recently
lgtm
The CQ bit was checked by wfh@chromium.org
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
CQ is committing da patch.
Bot data: {"patchset_id": 1, "attempt_start_ts": 1481331520269040, "parent_rev":
"7538013716114a255105019b5ec55c5e1e31579c", "commit_rev":
"3059ffe1e627250c991ba0938352bec89d6f4211"}
Message was sent while issue was closed.
Description was changed from ========== Annotate Trusteer Rapport < 3.6 as incompatible with Chrome. BUG=671194 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win10_chromium_x64_rel_ng TEST=manual, install Trusteer Rapport, verify dialog appears. ========== to ========== Annotate Trusteer Rapport < 3.6 as incompatible with Chrome. BUG=671194 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win10_chromium_x64_rel_ng TEST=manual, install Trusteer Rapport, verify dialog appears. Review-Url: https://codereview.chromium.org/2566733003 ==========
Message was sent while issue was closed.
Committed patchset #1 (id:1)
Message was sent while issue was closed.
Late to the party LGTM. jschuh: the actions are inherited from the old conflicts code, and I made no changes. I agree that the messaging needs to be reworked, and I've started a thread to talk about this. On Fri, Dec 9, 2016, 21:35 commit-bot@chromium.org via codereview.chromium.org <reply@chromiumcodereview-hr.appspotmail.com> wrote: > Committed patchset #1 (id:1) > > https://codereview.chromium.org/2566733003/ > -- You received this message because you are subscribed to the Google Groups "Chromium-reviews" group. To unsubscribe from this group and stop receiving emails from it, send an email to chromium-reviews+unsubscribe@chromium.org.
Message was sent while issue was closed.
This file has changed significantly since I worked on it; I think chrisa@ is probably a better candidate to approve this change (and already has). But I must say I was a bit surprised to see the blacklist removed in favor of a whitelist. I'm not against it or disappointed, it just didn't appear on my radar (and I agree that maintaining the list was a bit onerous). But, now we've come full circle and we're adding a blacklist again, which I find a bit amusing. :) Taking a step back, though -- I don't see a whitelist implementation, because (up until this change) I don't see any modules being called out as bad. Was everything considered to be on the whitelist up until then? If we're going for a whitelist approach, why isn't Trusteer Rapport >= v3.6 on the whitelist, instead of < v3.6 being on the blacklist? > I will lgtm the general approach, without commenting on why we would support a > RecommendedAction other than UNINSTALL. /s I can provide a bit of background for the different recommended actions... https://cs.chromium.org/chromium/src/chrome/browser/win/enumerate_modules_mod... The old system was designed to be able to annotate a module and/or point to a Help Center article to explain the problem and possible remedies -- without having to wait for the Help Center content to appear (or change the client afterwards to point to the new HC article). We could just blacklist and provide a link that the HC would redirect to a generic blacklist explanation support article until they had time to catch up and write the right response. Why would an HC article be necessary? Well, in some cases, uninstall is complicated/messy. In some cases, the upgrade path/how to avoid injecting the DLL isn't obvious, and in some cases we envisioned we might need a more nuanced recommendation, which could only be explained in more details than the about:conflicts page has space for. We'd normalized windows paths to env %path%'s and hashed them and the names to construct links to point to the HC. Which had the side effect of making updates to the list a bit onerous (constructing hashes). But the system could find suspicious DLLs which had Microsoft/Lenovo/Logitech DLL names, but were loaded in the user's directory, for example, and call them out specifically -- without calling out the official DLL. We also had a UI bubble, notifying the user when there was a particularly-bad-guaranteed-crash waiting to happen, which I believe is what NOTIFY_USER was used for and that was used to proactively warn XP users at one point a few years back when crashes went through the roof due to a conflicting DLL. Anyway, that's the background, if it helps.
Message was sent while issue was closed.
Description was changed from ========== Annotate Trusteer Rapport < 3.6 as incompatible with Chrome. BUG=671194 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win10_chromium_x64_rel_ng TEST=manual, install Trusteer Rapport, verify dialog appears. Review-Url: https://codereview.chromium.org/2566733003 ========== to ========== Annotate Trusteer Rapport < 3.6 as incompatible with Chrome. BUG=671194 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win10_chromium_x64_rel_ng TEST=manual, install Trusteer Rapport, verify dialog appears. Committed: https://crrev.com/07a5425d95dc96b3d0a3bd8acad943cf0f4cd2fb Cr-Commit-Position: refs/heads/master@{#437729} ==========
Message was sent while issue was closed.
Patchset 1 (id:??) landed as https://crrev.com/07a5425d95dc96b3d0a3bd8acad943cf0f4cd2fb Cr-Commit-Position: refs/heads/master@{#437729}
Message was sent while issue was closed.
On 2016/12/12 11:46:06, Finnur wrote: > This file has changed significantly since I worked on it; I think chrisa@ is > probably a better candidate to approve this change (and already has). > > But I must say I was a bit surprised to see the blacklist removed in favor of a > whitelist. I'm not against it or disappointed, it just didn't appear on my radar > (and I agree that maintaining the list was a bit onerous). But, now we've come > full circle and we're adding a blacklist again, which I find a bit amusing. :) > > Taking a step back, though -- I don't see a whitelist implementation, because > (up until this change) I don't see any modules being called out as bad. Was > everything considered to be on the whitelist up until then? If we're going for a > whitelist approach, why isn't Trusteer Rapport >= v3.6 on the whitelist, instead > of < v3.6 being on the blacklist? > > > I will lgtm the general approach, without commenting on why we would support a > > RecommendedAction other than UNINSTALL. /s > > I can provide a bit of background for the different recommended actions... > https://cs.chromium.org/chromium/src/chrome/browser/win/enumerate_modules_mod... > > The old system was designed to be able to annotate a module and/or point to a > Help Center article to explain the problem and possible remedies -- without > having to wait for the Help Center content to appear (or change the client > afterwards to point to the new HC article). We could just blacklist and provide > a link that the HC would redirect to a generic blacklist explanation support > article until they had time to catch up and write the right response. > > Why would an HC article be necessary? Well, in some cases, uninstall is > complicated/messy. In some cases, the upgrade path/how to avoid injecting the > DLL isn't obvious, and in some cases we envisioned we might need a more nuanced > recommendation, which could only be explained in more details than the > about:conflicts page has space for. We'd normalized windows paths to env > %path%'s and hashed them and the names to construct links to point to the HC. > Which had the side effect of making updates to the list a bit onerous > (constructing hashes). But the system could find suspicious DLLs which had > Microsoft/Lenovo/Logitech DLL names, but were loaded in the user's directory, > for example, and call them out specifically -- without calling out the official > DLL. We also had a UI bubble, notifying the user when there was a > particularly-bad-guaranteed-crash waiting to happen, which I believe is what > NOTIFY_USER was used for and that was used to proactively warn XP users at one > point a few years back when crashes went through the roof due to a conflicting > DLL. > > Anyway, that's the background, if it helps. The blacklist was removed because it wasn't being used, and we didn't anticipate wanting to use it again in the near future :/ We're still planning on moving to a whitelist, however, and actually blocking third party libraries from being loaded (as much as is it is reasonably possible to do so). We'll be using chrome://conflicts messaging in the transition period before we actually start blocking modules from loading. We plan on reusing the notification and link mechanism for this purpose. (None of that code was removed, simply the blacklist implementation itself.)
Message was sent while issue was closed.
A revert of this CL (patchset #1 id:1) has been created in https://codereview.chromium.org/2577533002/ by wfh@chromium.org. The reason for reverting is: These issues have been resolved in the latest update from Trusteer.. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
