02. November 2003

Bugzilla 2.16.4, 2.17.5 Released

by Bugzilla Team

The Bugzilla Team is pleased to announce the release of the Bugzilla 2.17.5 developer snapshot. For details on the newest features and bugfixes, see the new status update. The 2.17.5 snapshot also contains multiple security fixes.

Also released today is Bugzilla 2.16.4. Version 2.16.4 is the latest stable Bugzilla release, and fixes multiple security bugs in Bugzilla 2.16.3. Read the security advisory below for details.

• 2.16.4 Release notes
• Security Advisory
• Download page

01. October 2003

Korean Localization Available

by Bugzilla Team

The download page has been updated with a Korean localization for Bugzilla 2.16.3.

14. September 2003

New Localizations Available

by Bugzilla Team

The download page has been updated with additional localizations of Bugzilla.

New Languages:

• Belarusian (2.16.3)
• French (2.16.2)

Updated versions:

• Chinese (2.17.4)

Many thanks to the localizers for taking on this thankless job!

24. April 2003

Bugzilla Status Update

by J. Paul Reed (preed)

Introduction

The Bugzilla Team is pleased to announce the release of Bugzilla 2.16.3, a maintenance release, and 2.17.4, a new developers’ release.

2.16.3 continues the Bugzilla Team’s support of the stable Bugzilla branch, fixing a couple of important security vulnerabilities and other bugs for 2.16 Bugzilla users.

2.17.4 continues our march toward 2.18, offering new features for developers to play with and refine, and new toys for users who like living on the edge, even though many organizations–mozilla.org included–are using the 2.17 developers’ branch without incident.

Users on both branches should upgrade to today’s releases. Both contains fixes for multiple cross-site scripting issues and an insecure temporary filename vulnerability. For specifics, see the Bugzilla security advisory on these vulnerabilities.

2.14.x users may be affected by at least one of these security vulnerabilities (bug 197153), and are encouraged to upgrade. The Bugzilla Team has officially stopped supporting the 2.14 branch. Also, the 2.16/2.17 branches have lots of cool new goodies on them!

If you’re wondering about the Win32 situation, it has improved slightly on the 2.17-branch, but “out of the box” Win32 support, on either branch, is still, unfortunately, unchanged. However, the Bugzilla Team is currently discussing the status of “out of box Win32 support” in 2.18 and it is likely to remain a release goal.

The Road to 2.18

The Bugzilla team has started reviewing goals for the 2.18 release. This includes deciding what’s important to keep on the list and what might get pushed off.

As far as timing goes, the Bugzilla Team is not going to set a date; doing so has bit the project too many times in the past. The answer to “when is 2.18 coming out?” will continue to be “When it’s done.” However, the Team understands the need to do it sooner rather than later, so post-release, we’ll be focusing on reducing the list of 2.18 goals. If we can pare this down appropriately, 2.17.5 may be the last developer release prior to the 2.18 release candidates. That may or may not be realistic, but it’s a seemingly sensible plan to work from.

The Bugzilla roadmap contains a number of 2.18 goals. If you don’t see a feature or fix you feel is necessary for 2.18 on that list, now is the time to make your case to the module owners. Also, be looking for bugs you’re interested in to be retargetted in the next few days. If you’re significantly concerned about this process, considering joining the Bugzilla developers’ mailing list.

A good initial summary of the Team’s current thinking on goals can be read in this [email protected] thread.

Upcoming Major Features

The following is a list of major new features the Bugzilla Team is currently working on. You can find more information, including implementation/design discussions, proposed landing dates, and status in the bug reports below. These are also features that the Bugzilla Team would appreciate help on, so if one of the features below interests you, feel free to jump into the fray!

• Ability to send email via SMTP instead of relying on a local installation of sendmail. (Bug 84876)
• PostgreSQL support. (Bug 98304)
• Sybase support. (Bug 173130)
• Ability to add generic customized fields to bugs (Bug 91037)
• Customized resolutions, that allow adding, removing, deactivating and renaming of resolutions. (Bug 94534)
• Expanding the e-mail preferences to allow watching components, keywords, etc. (Bug 73665)
• mod_perl support. (Bug 87406)
• New makefile-based installation system (Bug 104660, Bug 105854, Bug 105855, and Bug 105856)
• Generic charting. Allows users to define arbitrary data sets for which historical data will be recorded, and then plot those data sets. (Bug 16009)

New Bugzilla Features

</a>

In-core processmail

Bug 124174, processmail as a package, has finally landed. This bug moves bug mail handling (mail from bug submissions/changes) from the venerable external processmail script, the source of much porting pain and some security issues, into a new module Bugzilla::BugMail.

This change moves the actual sending of mail into the same Bugzilla core process handling web requests. This change will make Win32 porting easier and has significantly sped up bug mail handling (Bug 178153) for large bug changes. The checkin also cleans up the mail sub-system interface and backend, meeting–along with Win32 support–a number of 2.18 goals.

Authentication module/LDAP improvements

As part of the ongoing preparation for mod_perl, Bugzilla’s authentication mechanisms have been modularized, making pluggable authentication schemes for Bugzilla a reality. Both the existing database and LDAP systems were ported as part of modularization process. Additionally, the CGI portion of the backend was redesigned to allow for authentication from other sources, including (theoretically) email, which will help Bug 94850.

As part of this conversion, LDAP logins now use Perl’s standard Net::LDAP module, which has no external library dependencies. This is a departure from using the Mozilla::LDAP modules, which relied on the Netscape LDAP SDK.

Bugzilla mod_perl support

Work continues on updating Bugzilla to support mod_perl, a performance and modularization win. In addition to the authentication module re-org, patches are pending (not included in 2.17.4) to move Bugzilla user handling into a module. With these and other patches, show_bug.cgi (and other minor pages) now support mod_perl, but have not been extensively tested, and are mostly a proof-of-concept at this point.

Initial testing is very encouraging; some very raw performance data suggests that for a simple bug with 5 comments, load times decrease from 0.6 seconds to 0.15 seconds on an unloaded P4-2.4GHz machine.

Despite this, mod_perl support is not yet ready for prime time. Lots of the work is very ‘hacked together’, and the patches only support mod_perl installations, to the detriment of normal CGI/Bugzilla installations. This will, of course, be fixed before checkin.

The major factor inhibiting mod_perl support is the lack of development time and the lack of time for other Bugzilla developers to review patches. If you’re interested in helping Bugzilla increase performance with mod_perl, check out bug 87406.

JS versions of buglists

Buglists are now available as JavaScript structures in addition to HTML and RDF. This allows features like the “update buglinks” bookmarklet, which will update the state of all the buglinks in a page to have the correct status and tooltip.

Perl on the “move” from /usr/bonsaitools/bin to /usr/bin

One of the most common support requests was what this “bonsaitools” directory was all about, and how could the Perl location Bugzilla expects be changed from that to the more standard /usr/bin. This request was never fulfilled because Bugzilla’s primary installation, bugzilla.mozilla.org, needed to have Perl installed in a location other than /usr/bin and a longstanding rule for Bugzilla development has been “don’t break mozilla.org.”

Because of server changes at mozilla.org, a bonsaitools was no longer required for them. After a quick message to the Bugzilla newsgroups and mailing lists asking if anybody else relied on this path, it was determined that finally getting this change checked in wouldn’t affect many people, so the oft-requested feature was finally completed.

More information can be found in bug 196433.

Doc changes

Matthew Barnson, the original author of much of the Bugzilla Guide, has recently been swamped by life. Jacob Steenhagen was gracious (and foolish) enough to volunteer to take over. In an attempt to “sync up” the documentation, Jake has been focusing on backporting relevant changes to the documentation to the 2.16 branch. Many items in the guide have received love, but the most notable ones include:

• Section 4.3 - OS Specific Installation (New in Devel) - Moved a lot of stuff that is specific to the OS (or distribution) out into a special section. The next step is to make the installation instructions more generic as there are still some OS specific hints, etc.
• Section 4.4 - HTTP Server Configuration (New in Devel) - Moved some information that is specific to the web server being used into its own section. I currently have varying amount of information for Apache, IIS, and AOL Server.
• Section 5.5 - Group Security (Devel) - Because the tip has a new security model the docs needed updating for the tip.
• Section 5.6 - Bugzilla Security (2.16 and Devel) - This section has been cleaned up considerably. It also now contains information that used to be scattered about in different sections.
• Section 5.8 - Upgrading (2.16 and Devel) - Add a lot of information about upgrading along with specific instructions and examples for 3 different ways to get the latest code.
• Many Misc. FAQ Updates (2.16 and Devel)
• Finally moved everything to the xml/ directory. For quite some time now, the documentation has been using the DocBook 4.1.2 XML doctype but still residing in a directory named sgml/ and having file names ending in the .sgml extension. The master documentation files now live in the xml/ directory and have .xml extensions.

Please join the Bugzilla team in welcoming Jake back! Documentation is often the most overlooked and under-appreciated task of any open source project, so if you see Jake on IRC, be sure to thank him!

Improved localization support

With the landing of Bug 126955, support for localized Bugzilla templates has improved tremendously. Bugzilla administrators can now configure which languages are supported by their installations and automatically serve correct, localized content to users based on the Accept Language header sent from users’ browsers, providing the appropriate language for a user with minimal configuration on their part.

There are currently localized templates available for Chinese, German, Spanish (Spain or Mexico) and Russian. These localized template packs are third-party contributions, may only be available for specific versions of 2.16 or 2.17, and may not be supported in the future.)

Trunk Checkins Since the Last Status Update

</a>

The following is a list of specific bugs fixed (and their checkin messages) since the last Bugzilla status report. It is ordered by the checkin date, as ordered by Bonsai. It includes checkins on the trunk from 01/02/2003 to 04/24/2003. This list was generated by filtering Bonsai’s output on that query.

Bold italic bugs are security-sensitive bugs.

Checkins made without reference to any specific bugs:

• Versions numbers were bumped and release notes updated
• (1/4/03, 2/19/03, 4/1/03, 4/22/03) Documentation updates (Jake)
• (2/16/03) Allow runtests.pl to let you specify a test number to run (justdave)

• (1/12/03) XUL Chrome should use

  content

  over

  _content

  (in sidebar.cgi). (caillon)

Checkin manifest:

• Bug 179510 - Fix to take group restrictions into account when sending request notifications
• Bug 172331 - importxml.pl warnings under perl 5.8
• Bug 179513 - take N. Fix the bracketing so that it actually works…
• Bug 201018 - editusers.cgi never calls DeriveGroup prior to changing a bug
• Bug 197153 - Add wording schange requested by reviewer which wasn’t in the patch on the bug, and so wasn’t checked in.
• Bug 193965 - On product change, user can accidentally opt-out of required group restriction
• Bug 197153 - Fix for insecure temporary filename handling.
• Bug 192661 - Dependency graphs were printing bug summaries without HTML filtering.
• Bug 192677 - Add new test to flag failure-to-filter situations in the templates, and correct the XSS holes that were discovered as a result of it.
• Bug 198458 - Added LDAP Sync script contributed by [email protected] (Thomas Stromberg) to the contrib directory.
• Bug 202744 - Removing unnecessary output from collectstats.pl cron job
• Per bug 200472 - Changing the version information for Date::Parse (any) to instead specify Date::Format (2.21).
• Fix typo in previous checking for bug 200472 - Date::Format should be version 2.21.
• Bug 200472 - Require specific version of Date::Format to ensure we don’t run into a bug in an older version that we’re triggering.
• bug 202534 - Login with unrestricted IP address fails - tries to access missing get_netaddr
• Bug 71790 - Duplicate resolution field should include bug number of original
• Bug 199012 - Default (and b.m.o.) bug email should have “change prefs” line.
• Fix for bug 200961 - unhorks display of bug ID in RDF version of bug list.
• Bug 200072 - Creating new users from LDAP at authentication time is broken
• Bug 190589 - sidebar.cgi should link to report.cgi instead of reports.cgi for consistency
• Bug 199813 - Make all users of ThrowUserError pass $vars in explicitly.
• Bug 195424 - Add a note about new MySQL permissions needed for Bugzilla in MySQL 4.
• Bug 194541 - Dot is a binary executable, not a perl script so we don’t need to prefix the system call with the perl binary. There are no more system calls of perl scripts in Bugzilla, so this section can go away.
• Bug 171674 - Adding a section to the Troubleshooting section describing how to fix the File::Temp problems in perl 5.6.0.
• Bug 195530 - Make javascript version of buglists available.
• Bug 80157 - Add “regenerate” option to collectstats.pl.
• Bug 192121 - Javascript error in guided bug entry.
• Bug 197689 Missing Query - The query named $name seems to no longer exist.
• Bug 65319 editmilestones & editversions don’t have extra add.
• Bug 196433 - Bugzilla now uses /usr/bin/perl as the shebang line
• Bug 195621 - Back out taint-related changes from bug 160710.
• Bug 190892 - Radio button for “run this query” looks silly if it’s the only choice. Make it a hidden input if it’s the only one.
• Bug 180642 - Move authentication code into a module
• Bug 195695 - Requesting a non-existent format results in an Internal Error
• Bug 197180 - Long comment names not flagged as an error
• Bug 193989 - EmailSuffix wasn’t getting used for password change tokens. Also removes real name from To: header which wasn’t being escaped properly for RFC2822 specs.
• Bug 194917 - Javascript missing HTML comments in flag list.
• Bug 190848 - Adding a new product results in a software error.
• Fix for bug 191051 - make substring searches actually do substring instead of anyexact.
• Bug 196101 - use ANSI-compliant SQL for group checks in sanitycheck
• Bug 194345 - checksetup.pl would die if you had your params set for a local dot, and the executable didn’t exist. The polite error message it was supposed to print works now.
• Bug 196420 - jsmagic for add/and/or in boolean charts isn’t working
• Bug 156436 IBM Web Browser is unrecognizedpatch by [email protected]
• 180692 - enter_bug shows keywords option even if keywords are disabledFix broken tree.
• Bug 180692 - enter_bug shows keywords option even if keywords are disabled
• Bug 195137 - Keywords are not sent in new bug mail
• Bug 194744 - fix dead link to confirmhelp.html.
• Bug 183017 - Only numbers displayed when bar chart contains too many products.
• Bug 194394 - Internal error after turning useqacontact off
• Bug 186689 - Should be able to set all/clear all email options in user preferences with one click.
• Bug 194426 - “usequips” was renamed improperly in the backward-compatibility Param code.
• Bug 194172 - move.pl was sending empty bugs because of failure to initialize the field list for the new “XML Summary” mode.
• Bug 193985 - errors from SendSQL aren’t being reported
• Bug 135820 - token cancellation message are not user-friendly
• Bug 193511 - post_bug page has two headers.
• Bug 186994 - Unable to accept a new bug that has been assigned.
• Bug 191537 - Improvements to the security section.
• Bug 192877 - State changes on bugs w/ dependencies cause “Use of uninitialized values” in BugMail.pm;
• Bug 193286 - Field validation errors had the wrong page title
• Bug 192531 - Bugzilla not properly closing DB statement handles. Change code to work arround a perl < 5.8 leak when localising the tiedstatement attributes. Also, clear the sql statestack compat stuff so thatthe handles are really dead by the time we disconnect
• Bug 177997 - Update the AOL Server section with the new configuration information.
• Bug 192511 - Removing all occurances of ‘processmail’ from the documentation now that bug 124174 is FIXED.
• Bug 192874 - checksetup.pl wasn’t silencing the GraphViz check when running in silent mode.
• Bug 58020 - include bug summaries in whinemail.
• Bug 192513 - importxml.pl and move.pl now use the new mail routines introduced in bug 124174 (they got broken when processmail was removed). Also fixes several comments referring to processmail (which no longer exists) in other files, and removes references to processmail from the .htaccess files and the executable file list in checksetup.pl.
• Partial fix for bug 192513 (processmail cleanup). Patch fixes test filesto disregard processmail since it no longer exists (it was special-casedbefore).
• Bug 124174 - make processmail a package (Bugzilla::BugMail),
• Bug 192393 - $::dbwritesallowed never set
• Bug 192340 - ‘unknown_keyword’ error doesn’t mention keyword
• Bug 192182 - editflagtypes uses ^ instead of **
• Bug 191020 - back out bits of generic charting checked in by mistake. Apologies.
• Bug 191020 - buglist.cgi doesn’t always get query names right for filename to save.
• Bug 191863 - Clean up Bugzilla.pm
• This checkin contains two fixes:* Bug 191971 - The guide incorrectly stated that you could resolve a bug via email* Provide an example of a glossary term in the document conventions section
• Bug 172434 - add link to latest nightly.
• bug 191087 - process_bug.cgi: “Mid-air collision!” title when not allowed to change a field
• Bug 191085 - Fix FetchSQLData compat code.
• Bug 191034 - step 1 - Refactoring the installation chapter to provide sections for OS Specific notes and configuration help on multiple web servers. Also added some terms to the glossary.
• Bug 191080 - fix SQLQuote return value for an undef input
• bug 190999 - Quips.cgi editing doesn’t show quips author – s/FetchSQLData/FetchOneColumn/
• Spell servlet correctly. Also, Scarab is now at Version 1.0 Beta 13 - as long as I’m updating…
• Bug 190582 - quips table initial definition in checksetup.pl missing approved column
• Bug 190521 - If the attachment didn’t have a Content-Description: header in the e-mail, it ended up not having a description in Bugzilla leaving nothing to click on in the Attachment table on the bug form.
• Bug 190437 - showdependencytree.cgi and showdependencygraph should use switch_to_shadow_db
• Bug 106918 - the “movers” param was not being interpreted correctly by move.pl or the show_bug template. Also the exporter value was not properly fed into the xml template.
• Bug 126955 - Bugzilla should support translated/localized templates.
• Bug 190197 AnyEntryGroups() is broken in globals.pl; call from enter_bug.cgi breaks bug enteringpatch by [email protected]
• Bug 188712 Apple’s Browser Safari does not support server-pushpatch by [email protected]
• Bug 189446 - Can’t change product of a bug
• Bug 188161 - assignee/qa missing change knobs.
• Bug 189790 voting info not displayed when editing/viewing a bugpatch by [email protected]
• Fix for bug 184909 - show status whiteboard on bug lists when the user requests it.
• Bug 105692 - Script to compile all docs directories.
• Bug 136603 - show_bug.cgi’s XML retrieval needs a summary mode.
• Bug 184309 - Adds an optional disabled state to quips, which allows quips to be moderated if the admin so chooses.
• Bug 148093 - editmilestones.cgi shows ‘xyzzy’ as product bug count.
• Bumping minimum versions for DBI and DBD::mysql to match what was just checked in for bug 163290.
• Bug 163290 - move DB handling code into a module
• Bug 156169 - Bug number styling issues in attachment viewer/editor.
• Bug 187566 - Making the upgrading section much clearer and presenting multiple possible methods (CVS, tarball, patch).
• Bug 153874 - Query in sidebar wasn’t working
• Bug 188656 Change required mysqld minimum to 3.23.41
• Fix for bug 166481 (“Spellcheck is borked”). Part one of this fix fixes the spelling errors so tinderbox doesn’t barf, part two fixes t/006spellcheck.t and adds some more new words to check for.
• Bug 142104 - Enhancements in buglists should be gray.
• Bug 179328 - Mozilla-specific wording in duplicates.cgi explanation text.
• Bug 187869 long_list.cgi output includes <font =”+3”> before each bug summary
• Bug 186920 - Loosen checking for Windows ME user-agents.
• Bug 181047 - Change non-output templates to have a ctype of “none”.
• Bug 187837 - Unify showing and editing of quips.

2.16 Branch Checkins Since the Last Status Update

The following is a list of specific bugs fixed (and their checkin messages) since the last Bugzilla status report. It is ordered by the checkin date, as ordered by Bonsai. It includes checkins on the 2.16 branch from 01/02/2003 to 04/24/2003. This list was generated by filtering Bonsai’s output on that query.

Bold italic bugs are security-sensitive bugs.

Checkins made without reference to any specific bugs:

• Versions numbers were bumped and release notes updated
• A bunch of highly useful documentation updates (Jake)
• Allow runtests.pl to let you specify a test number to run (justdave)
• Update template tests to also catch localized template versions during testing (justdave)

Checkin manifest:

• Bug 172331 - importxml.pl warnings under perl 5.8
• Bug 197153 - Add wording schange requested by reviewer which wasn’t in the patch on the bug, and so wasn’t checked in.
• Fixing tinderbox test failure resulting from the checkin for bug 197153
• Bug 197153 - Fix for insecure temporary filename handling.
• Bug 194394 - Someone listed as QA contact on a bug could still access a bug with QA contact privileges if “useqacontact” was later disabled via the parameters.
• Bug 192661 - Dependency graphs were printing bug summaries without HTML filtering.
• Bug 192677 - Add new test to flag failure-to-filter situations in the templates, and correct the XSS holes that were discovered as a result of it.
• Fix (on the 2.16 branch) for bug 160279 - checksetup.pl doesn’t check permission on data/comments. Patch adds a fixPerms() call for data/comments.
• Bug 194125 - CGI.pl perl warning: Character in “c” format wrapped
• Bug 195424 - Add a note about new MySQL permissions needed for Bugzilla in MySQL 4.
• Bug 171674 - Adding a section to the Troubleshooting section describing how to fix the File::Temp problems in perl 5.6.0.
• Bug 197180 - long component name not flagged as error. Because of a mismatch between the size of bugs.component and components.program, this caused silent failures when creating/moving bugsin that component.
• Port security section rewrite from bug 191537 to the 2.16.3 docs
• Bug 157704 - Deleting a product could potentially remove privileges from administrators.
• Bug 191971 - The guide incorrectly stated that you could close a bug by sending an email with the code in contrib/
• Bug 188757 - 2.16 shipped with the problem mentioned in bug 174255 and that fix was never ported to 2.16’s documentation, so the error was still on bugzilla.org.
• Bug 187566 - Update upgrade section in the 2.16 branch as was done on the tip

24. April 2003

Bugzilla 2.16.3, 2.17.4 Released

by Bugzilla Team

The Bugzilla Team is pleased to announce the release of the Bugzilla 2.17.4 developer snapshot. For details on the newest features and bugfixes, see the new status update. The 2.17.4 snapshot also contains multiple security fixes.

Also released today is Bugzilla 2.16.3. 2.16.3 is the latest stable Bugzilla release, and fixes multiple security bugs in Bugzilla 2.16.2. Read the security advisory below for details.

• 2.16.3 Release notes
• Security Advisory
• Download page

16. January 2003

Bugzilla Getting Exposure at LinuxWorld

by Bugzilla Team

Bugopolis is showing off their Bug Station, a server hardware product that comes with Bugzilla pre-installed on it, at the LinuxWorld expo next week. IDG (the event promoters) announced today that the Bug Station was a finalist in the LinuxWorld Open Source Product Excellence Awards, in the Best Developer Tools category. The Bugzilla Team offers their congratulations to Bugopolis for becoming a finalist, and best wishes at the show! Read IDG’s press release.

02. January 2003

Bugzilla Status Update

by J. Paul Reed (preed)

Introduction

The Bugzilla Team is pleased to announce the release of three versions of Bugzilla today: 2.14.5, 2.16.2, and 2.17.3:

• 2.14.5 is a maintenance release on the 2.14 branch; it contains a couple of security-related bug fixes.
  Note: this is the last 2.14.x release, as the Bugzilla Team has officially stopped supporting the 2.14 branch.

• 2.16.2 is a maintenance release on the 2.16 branch, containing a couple of security-related bug fixes.
  It is recommended that all production installations upgrade to 2.16.2 to make sure they get the fixes for these security bugs.

• 2.17.3 is the latest developers’ snapshot release from the trunk; it contains the above security bug fixes as well as tweaks to features in 2.17.1 (bug and attachment flags, enterprise groups, etc.). This release is a developers’ release and is not generally intended for production use.

The security bug fixes on the 2.14.x and 2.16.x branches and the trunk all address the same security bugs. These bugs address cross site scripting vulnerabilities (which the Bugzilla Team already released an announcement about), and sensitive directory and file permissions. In all cases, local server compromises aren’t possible, but unrestricted Bugzilla database access is possible.

Unfortunately, none of these release address the Win32 situation which is still unchanged.

What Happened to 2.17.2?!

Bugzilla project observers may note that we’re releasing a 2.17.3 developers’ release without having released a 2.17.2 version.

This was due to an overzealous Bugzilla developer (JayPee) who tagged the 2.17.2 release in CVS before it was quite ready to be released. Because of the holiday season and a couple of other bugs that were found, the Team decided to hold the release of 2.17.2 until after the holidays.

But, some astute users noticed the new, incorrect tag and had already started to pull it from CVS. Therefore, to minimize confusion, and signify that other patches had been checked into the tree after what had been dubbed “2.17.2” was tagged, the Team decided to bump the version number to 2.17.3.

Developers (and anyone else) do not want the 2.17.2 “release”; they want 2.17.3.

Check-in Policy Update

As Bugzilla project lead Dave Miller announced in the last status report, the Bugzilla project has changed its policies regarding check-ins. The new policy institutes an “approval” process for check-ins and comes as an addition to our existing review policy.

Previously, to check something into Bugzilla’s CVS tree, developers were only required to get the approval of one or two people on the review team. That process is now augmented by a requirement of obtaining approval on the patch from the project lead or a designee before it can be checked in. Current “designees,” if there are any, are noted in the #mozwebtools topic. This won’t amount to a code review, but rather a ‘yes’ or ‘no’ on whether this feature or bugfix in this form at this time is the best course of action to fulfill Bugzilla’s design goals. Approvals are also being used to coordinate landing patches, so the approval flag generally won’t be set until there’s a patch ready to land. If you want to know if a patch you’re working on will likely be given approval for check-in before you expend effort on it, you can ask on the [email protected] mailing list.

Bugzilla developers and reviewers are adjusting to this new policy well, and it’s seemingly serving the Bugzilla project well. The quick release of another 2.17 developers’ snapshot, a mere six weeks after 2.17.1, provides good evidence of this.

Upcoming Major Features

The following is a list of major new features the Bugzilla Team is currently working on. You can find more information, including implementation/design discussions, proposed landing dates, and status in the bug reports below. These are also features that the Bugzilla Team would appreciate help on, so if one of the features below interests you, feel free to jump into the fray!

• Ability to send email via SMTP instead of relying on a local installation of sendmail. (Bug 84876)
• PostgreSQL support. (Bug 98304)
• Sybase support. (Bug 173130)
• Ability to add generic customized fields to bugs (Bug 91037)
• Customized resolutions, that allow adding, removing, deactivating and renaming of resolutions. (Bug 94534)
• Expanding the e-mail preferences to allow watching components, keywords, etc. (Bug 73665)
• mod_perl support. (Bug 87406)
• New makefile-based installation system (Bug 104660, Bug 105854, Bug 105855, and Bug 105856)
• Generic charting. Allows users to define arbitrary data sets for which historical data will be recorded, and then plot those data sets. Bug 16009.

New Bugzilla Features

Re-architected Product Groups

Bug 147275, re-architected product groups, has finally landed. In the 2.17.3 release, the entire mechanism for handling groups has been revised.

It is now possible to exert much more control over how groups and products are related. In editproducts.cgi, there is now a mechanism to permit you to edit the “Group Controls” for a product and determine which groups are applicable, default, and mandatory for each product as well as controlling entry for each product and being able to set bugs in a product to be totally read-only unless some group restrictions are met.

The patch author, Joel Peshkin, has noted that all of the possible scenarios have not been anticipated and this is a new feature, so please Cc him on all bugs you file against re-architected product groups.

Some examples of advanced uses for the re-architected product groups follow:

• Example: When several products need to be associated with the same default group (formerly a product group), instead of defining several groups with the same names as the products and managing memberships in each group, a single group can be defined to control access and that group can be set as a “Default” group for all of the products.
• Example: If certain products are never supposed to have a publicly accessible bug, define a group of all authorized users and set the groups control for those products to indicate that the group is Mandatory/Mandatory. This will place bugs in that group without giving the user any option at all.
• Example: Anyone can enter a security bug. Create a product for security bugs. Do not restrict entry to the product at all. However, set the Member/Nonmember permissions to Default/Mandatory for the security group. This will permit anyone to enter and members of the security group will be able to override the default group restriction while nonmembers will be forced to restrict the bug to the security group.

Replication/shadowdb removal

The shadowdb was a read only copy of Bugzilla’s database, which Bugzilla used for potentially expensive read only queries, such as from buglist.cgi. Due to MySQL’s table-level locking mechanism, long running queries block modifications and updates to the database; the shadowdb attempted to alleviate this bottleneck by creating a second database for these long running queries to use.

Previously, Bugzilla handled updates from the main database to the copy on its own by keeping track of every SQL update. These updates were then sent to the shadow database via a separate process (syncshadowdb). This process had several bugs and was inefficient.

With the landing of bug 124589, which added MySQL replication support to Bugzilla, and bug 180870, which removed the old manual syncing code, Bugzilla 2.17.3 is now able to use the replication facilities provided by the database to handle these updates. The system is now given the locations of the two databases, but leaves updating them to an alternative process. This simplifies the Bugzilla code, and enables further optimizations which were not possible when Bugzilla needed to capture all of an SQL UPDATE/INSERT command.

New “always-require-login” Parameter

This new parameter, added under bug 173761, allows administrators running commercial or sensitive Bugzilla installations to require users to present login credentials to access Bugzilla.

Bugzilla is most commonly used for open source projects, where anyone should be able to search for and view certain types of bugs. But some entities need to restrict these operations to logged in users; this parameter allows administrators to require a login on every Bugzilla page, except for the front page. If users try to access any page without login credentials (in the form of a valid login cookie) and “always-require-login” is set, they will be prompted for the information before being allowed to continue.

Attach and Reassign at Once

When developers attach patches or other attachments (testcases, etc.) to bugs, they will commonly reassign the bug to themselves shortly thereafter, since that developer is actively working on that bug. These used to be distinct steps, which generated two email messages and required Bugzilla users to attach their patch and then reassign the bug to themselves.

This patch, added as part of bug 116819 allows developers to reassign the bug to themselves and set the status to accepted during the attachment creation process. This effectively makes the above process one atomic operation, reducing bug spam and streamlining a very common process.

Trunk Checkins Since the Last Status Update

</a>

The following is a list of specific bugs fixed (and their checkin messages) since the last Bugzilla status report. It is ordered by the checkin date, as ordered by Bonsai. It includes checkins on the trunk from 11/17/2002 to 01/02/2003. This list was generated by filtering Bonsai’s output on that query.

Bold italic bugs are security-sensitive bugs.

Checkins made without reference to any specific bugs:

• (12/28/02) Release notes update (mattyt)
• (12/21/02) Documentation rebuild (gerv)
• (11/21/02) Post-2.17.1 release documentation corrections (justdave)

Checkin manifest:

• Bug 186673 - Updating section on Red Hat Bugzilla and adding last updated lines to each of the variants.
• Bug 186962 - Update minimum versions of required software and move those versions to be ENTITY’s
• Bug 180005 - Bring the FAQ up to date.
• Bug 178230 - Update documentation for Entrprise Groups
• Bug 183388 - processmail wasn’t picking up on users being added to the owner or qa contact role and was dropping emails if the user had selected to only get mail on those events.
• Bug 186594 - $db_sock was not being exported from Bugzilla/Config.pm
• Bug 186337 - Param lookup should fall back to defaults
• Bug 186383 - Checksetup leaves editor backups of localconfig accessible
• Bug 180870 - Remove old shadowdb manual replication code
• Bug 173622 - Move template handling into a module.
• Bug 185760 - New group system doesn’t upgrade transparently if usebuggroups = 0
• Bug 186218 - importxml.pl was doing a query against the products table using the old schema
• Bug 185944 - radio buttons for adding/removing groups on the change-multiple-bugs screen all had the same name
• Bug 184949 - CSV buglists are missing the Bug ID column.
• Bug 185332 - Rewrite the description for timezone param (typo fixes etc.)
• Bug 158499 - Templatise XML bug output
• Bug 116819 - Attach and Reassign in one fell swoop.
• Bug 183188 - collectstats.pl no longer makes data/mining world-readable
• Bug 184256 Canedit group_control_map entry does not prevent making attachments
• Bug 184081 Change search interfaces to use Viewable products instead of enterable products
• Bug 184336 - default urlbase parameter on new installs now points at http://you-havent-visited-editparams.cgi-yet/ to a) relieve cvs-mirror.mozilla.org of all the hits, and b) give people who receive those emails a hint what to do to fix it.
• Bug 180955 - Remove dual-license from test files
• Bug 184365 - link to urlbase instead of index.cgi from “Top” link in navigation toolbar.
• Bug 86029 - create permission restrictions for createaccount.cgi (prevent people from creating accounts)
• Bug 159627 - quips should be editable and deleteable using the web interface
• Bug 176461 - Move descs strings from change-columns.html.tmpl tofield-descs.html.tmpl
• Bug 183843 - Query knobs are missing if requirelogin is set
• Bug 182946 - fix additional typo noticed on irc by tm
• Bug 182946 - fix regressions from bug 171493(Bug.pm/show_bug.cgi/bug_form.pl reorg)
• Bug 177850 - checksetup.pl was failing if the user didn’t have read permissions to the entire Bugzilla path
• Bug 178880 - Creation date is now displayed in the long list.
• Bug 182512 - Charts over time broken
• Bug 181951 - Cannot delete groups
• Bug 171493 - make show_bug use Bug.pm and remove bug_form.pl
• Bug 67077 - We now include the timezone (as configured in editparams.cgi) on every time we display.
• Bug 173761 Need ability to always require login
• Bug 114179 - Concentration, improvement, and templatisation of Bugzilla general user help system.
• Bug 181221 - CSV reports on 2-d tables have header messed up.
• Bug 181960 Reason for account being disabled is not shown
• Bug 180460 request.cgi doesn’t filter list of products/components
• Bug 181582 - reorders the table cells on the query page so that the list headers are grouped with the lists in Links and whenused with voice synthesis packages.
• Bug 147275 Rearchitect product groups
• Bug 180980 Doing 2 email searches fails when searching for CC list members
• Bug 180966 - warnings in webserver error log (take 2)
• Bug 181613 - $::ENV not being cleared
• Bug 181182 - Reporting fix pack 2. Fixes bug 179198 (Don’t print labels for pie chart wedges when smaller than a certain size), bug 180255 (Tabular report CSV downloads should suggest csv filename), and bug 180967 (csv reports swap rows/columns).
• Bug 181286 - Invalid html in banner.html.tmpl
• Bug 179483 - Guided template displays wrong product name sometimes.
• Bug 179582 - More informative and easier to read flag email template
• Bug 179293 - time tracking js should only appear if time tracking isenabled
• Bug 181000 - Lock the keyworddefs table for READ when using a shadowdb, too
• Bug 180978 - Adding keyword from enter_bug doesn’t update keyword cache
• Bug 179811, used & instead of &
• Bug 124589 - support database replication
• Bug 179881 - makes the “Requests” link in the footer be “My Requests” for logged in users.
• Bug 179876 - Labels the “Requestee” field to reduce confusion about its purpose.
• Bug 175579 - make templates html compliant
• Bug 179206 - enter_bug isn’t picking up version from URL
• Bug 180545 - It was possible to change the product/component of a bug without having the editbugs permission.
• Bug 179960 - QuickSearch queries are slow and timeoutfixed by adding subselect emulation for product/component lookups
• Bug 180205 - General reporting fixes.
• Bug 180151 - Grand total links are messed up when axis is restricted,
• Bug 180105 - CSV reports occasionally break,
• Bug 179671 - Boolean charts are broken on reporting pages,

• Bug 179887 - report.cgi should

  require Data::Dumper

  , not

  use

• Bug 179581 - Keyword combinations report not very useful.
• Bug 180444 - Correctly attributes request creation to person who submitted it.
• Bug 180632 - corrects reference flag->is_requesteeble to flag->type->is_requesteeble
• Last part of fix for bug 179494 - adds “use Bugzilla::Util” and removes “&::” from before “trim” per bbaetz.
• Bug 179494 - prevents Bugzilla from thinking users have changed flags when they haven’t.
• Bug 180544 - prevents display of requestee field for generally requestable fields.

2.16 & 2.14 Branch Checkins Since the Last Status Update

The following is a list of specific bugs fixed (and their checkin messages) since the last Bugzilla status report. It is ordered by the checkin date, as ordered by Bonsai. It includes checkins on the 2.14 and 2.16 branches from 11/17/2002 to 01/02/2003. This list was generated by filtering Bonsai’s output on that query (contains both branches).

Bold italic bugs are security-sensitive bugs.

Checkins made without reference to any specific bugs:

• Versions numbers were bumped and release notes updated for both branches

Checkin manifest:

• Bug 186383 - Checksetup leaves editor backups of localconfig accessible
• Bug 183188 - collectstats.pl no longer makes data/mining world-readable
• Bug 179329 - filter quips in “show all the quips” for HTML

02. January 2003

Bugzilla 2.16.2, 2.17.3 Released

by Bugzilla Team

The Bugzilla Team is pleased to announce the release of the Bugzilla 2.17.3 developer snapshot. For details on the newest features and bugfixes, see the new status update.

Also released today is Bugzilla 2.16.2. 2.16.2 is the latest stable Bugzilla release, and fixes two security bugs in Bugzilla 2.16.1. Read the security advisory below for details.

• 2.16.2 Release notes
• Security Advisory
• Download page

02. January 2003

Bugzilla 2.14.5 to be the last 2.14 release

by Bugzilla Team

The Bugzilla Team has released Bugzilla 2.14.5 today to address two security issues which were recently discovered. As we’ve been warning for the last several months, we are no longer supporting the 2.14 branch as of the end of 2002, so this release marks the last for the 2.14 line. All sites who haven’t already done so are strongly encouraged to upgrade to 2.16.2 so you can continue to receive security updates.

• Release notes
• Security Advisory
• Download page

25. November 2002

Bugzilla 2.17.1 Developer Snapshot available

by Bugzilla Team

The Bugzilla 2.17.1 developer snapshot is now available on the download page.