From:  Justin Dolske <dolske@mozilla.com>
Date:  19 Jul 2016 05:07:11 Hong Kong Time
Newsgroup:  news.mozilla.org/mozilla.dev.security
Subject:  

Re: BMO Component for Master Password bugs

NNTP-Posting-Host:  63.245.214.181

On 7/14/16 3:50 PM, Matthew N. wrote:

> Does anyone want to nominate an existing component as the place to move
> master password bugs that aren't consumer-specific? If not, I propose
> creating a new component e.g. "Core::Security: Master Password" to move the
> bugs to.

I think the technically correct answer ("the best kind of correct") is 
that most MP bugs belong in NSS::Libraries and Core::Security: PSM, 
since that's where the actual implementation is. (For those who don't 
know: the "master password" is nothing more than a PKCS#11 token PIN.)

But that's pretty non-obvious to anyone not working in the code, and I 
don't think having the bugs live there makes them any more likely to be 
fixed.

I suggest just keeping Toolkit::PasswordManager as the default place 
until such time as we can switch a master password implementation that's 
not based on a crufty old token PIN. That's where they're most likely to 
get filed/triaged to in the first place, anyway.

This is a small number of not-really-new bugs, so I'm not really sure it 
merits its own component, either.

Justin