Blog

Want to always keep up-to-date with Bugzilla news? Subscribe to announce@bugzilla.org, a read-only mailing list where we'll post announcements about new versions of Bugzilla and security advisories.

Browse Archives »

You can also see what's going on in the project by looking at the notes of, or watching the video of, our monthly developer meetings.

Loading the upcoming event

02. November 2003

Bugzilla Status Update

by Christian Reis (kiko)

Introduction

This status update covers the 6 months that have gone by since our last update. It’s been an interesting period in Bugzilla’s time, with a quite a few feature enhancements hitting the trunk and a significant number of external contributions being submitted.

To start off, we’d like to congratulate (and nudge ahead) Vlad Dascalu, Chuck Duvall and Mike Morgan who have been doing excellent work both on triage and on providing bugfixes. Independent contribution has always been the mainstay of Bugzilla development, so it’s really nice to see people volunteer the time and expertise that make this a great product. The lowest bug number fixed was bug 13540 – generalizing previously fixed terms such as “bug” – which was coaxed in by Jon Wilmoth. A number of others had first-time patches integrated, too, and we’d definitely like to see more good work from you all.

We’ve got a few security updates that have been covered in the security advisory simultaneously released. The bugs found and fixed are not critical – they are mainly leaks and minor privilege issues – but it’s always a good idea to update to the latest stable release. The bug fixes have also been applied to the development branch where relevant.

A number of interesting features have also been included (in the trunk); in particular, Gerv integrated a patch that provides partial email spam-proofing, which has always been one of the top requests on public installations. Gerv also landed an extension to Bugzilla which allows generating charts from Bugzilla-collected data. Another notable feature by the great John Keiser has been included: Patch Viewer, which is an complete (and integrated) diff-viewing tool. I’m not going to spoil the rest of the surprises, so read the sections below to find out what other goodies are in this month’s grab bag.

Note that (in tradition with previous updates, which have included a bit on this subject) Windows support (which implies being able to run a Bugzilla instance on a Windows web server) is still to be completed and integrated! We would really appreciate community assistance in fixing the remaining issues for Windows support.

We’d also like to remind all Bugzilla administrators that to assist them in keeping up-to-date with release announcements and security advisories, we provide an ultra-low-volume administrator mailing list ([email protected]). We advise all Bugzilla administrators to subscribe so they can keep up with important Bugzilla news.

New Releases

The Bugzilla Team is pleased to announce the 2.16.4 and 2.17.5 releases of Bugzilla.

  • The stable (2.16.4) release provides a number of bug fixes, including fixes for 4 security issues discovered since the 2.16.3 release. It is recommended that all production installations upgrade to 2.16.4 to make sure they get the fixes for these security bugs.
  • The development (2.17.5) release provides a large number of feature enhancements and bug fixes, including fixes for 3 security issues discovered since the 2.17.4 release. This release is a developers’ release and is not intended for production use.

We would like to remind all administrators running Bugzilla instances from the old 2.14 branch that this branch has been retired, and is no longer being supported actively by the team. We strongly recommend upgrading to the latest stable version to ensure security and proper operation.

New Features (on the Trunk)

A number of interesting new features are available for testing on our latest development release. The following items describe the most important of them, and the manifests towards the end of this document describe the full list of changes committed.

  • Patch Viewer: Viewing and reviewing patches in Bugzilla is often difficult due to lack of context, improper format and the inherent readability issues that raw patches present. Patch Viewer is an enhancement to Bugzilla designed to fix that by offering increased context, linking to sections, and integrating with Bonsai, LXR and CVS. (174942, 215268)
  • Term Customization: Formerly, the terms “bug” and “Bugzilla” were hard-coded into many places in the templates, which made localizing a Bugzilla instance to an organization’s terminology quite difficult. This change allows this localization to be done in a single template file; the localized terms are used in all subsequent templates. (13540)
  • Comment Reply Links: In Edit Bug, each bug comment now includes a convenient (reply) link that quotes the comment text into the textarea. This feature is only enabled in Javascript-capable browsers, but causes no inconvenience to other user agents. (207754)
  • Full-Text Search: It is now possible to query the Bugzilla database using full-text searching, which spans comments and summaries, and which searches for substrings and stem variations of the search term. (145588)
  • Email Address Munging: The fact that raw email addresses are displayed in Bugzilla makes it trivial for bots that spamharvest to spider through Bugzilla, in particular, through Bugzilla’s buglists. This change allows obscuring email addresses as they appear in the Bugzilla web pages. (120030, 219216)
  • Generic Charting: Bugzilla’s new charting feature allows you to display flexible summary charts, based on configurable data sets. (16009)

A couple of other features were checked into the trunk, notably prefilling of the default component owner when entering a new bug, a bug alias column in the buglist page, and a “view as buglist” link for the sanity check page.

A note to users upgrading to version 2.17.5: Bug 201816 changed header output to use CGI.pm, in a step towards enabling mod_perl compatibility. This change will affect users that had customized charsets in their CGI files: previously the charset had to be added everyplace that printed the Content-Type header; now it only needs changing in one spot, in Bugzilla/CGI.pm. Alternatively, Apache’s AddDefaultCharset directive can be used.

The Road to 2.18

An update from Dave Miller, Bugzilla project leader

Bugzilla 2.16 was released on July 29, 2002. It’s been just over 15 months since then, and we still don’t have a Bugzilla 2.18. What’s the deal? This is what I get asked quite frequently these days. I’m hoping to answer that question here.

The usual way stable Bugzilla releases get planned is that we decide on a feature set that we want to have available in the next version, and then development plugs away until those features are completed. Shortly after version 2.16 came out, several of us sat down and hashed out a list of things that we thought would fit in that list for version 2.18. In hindsight, the list that we came up with turned out to be a bit much to handle. It didn’t look so bad at the time, and in fact I don’t think we “overbooked” ourselves, not if everyone’s lives had continued as they had been at that time.

What ended up happening is that a large percentage of the core contributors wound up having job changes that eliminated much of the time they used to spend on Bugzilla. We went several months with very little development actually happening. With the lack of available developers in mind, and a desire to get 2.18 out the door as soon as we could and still be able to call it “stable” in good conscience, the list of goals for version 2.18 was revisited, and significantly pared down.

We now have 2 remaining goals that have yet to be completed for version 2.18.

  • Full templatization of the Administrative interfaces (the edit*.cgi files)
  • Out-of-the-box Win32 compatibility

Many of the other items that had been on the list (such as support for PostgreSQL and Sybase, and admin-definable customized fields) will still be taken if they get completed by then, but will no longer hold up the release if they aren’t completed.

Things are getting better! The “dire situation” I painted above seems to be abating. As Christian pointed out in his introduction above, we have several new folks contributing on a regular basis. Also, my second-in-command, Myk Melez, is now employed by the Mozilla Foundation as of last month, with continued development of the entire Mozilla Webtools Suite (which includes Bugzilla) now being his primary job responsibility. In short, the future of Bugzilla once again looks very bright!

Upcoming Features

This section lists major new features that are planned for the next releases. If you would like to help out – many of these features need either planning, coding, or testing – or just figure what the current status is on one of these items, check out the parenthesized bug links.

  • Ability to send email via SMTP instead of relying on a local installation of sendmail. (Bug 84876)
  • PostgreSQL support. (Bug 98304)
  • Sybase support. (Bug 173130)
  • Ability to add generic customized fields to bugs. (Bug 91037)
  • Customised resolutions, that allow adding, removing, deactivating and renaming of resolutions. (Bug 94534)
  • Expanding e-mail preferences to allow watching components, keywords, etc. (Bug 73665)
  • mod_perl support. (Bug 87406)
  • New makefile-based installation system. (Bug 104660, Bug 105854, Bug 105855, and Bug 105856)
  • Wiki integration. (Bug 102685)

Apart from work on Bugzilla itself, Mike Morgan has started work on redesigning the Bugzilla website to a standards-compliant version that matches mozilla.org’s new look-and-feel. This is already underway, and we should be seeing a beta site up shortly.

Trunk Checkins Since the Last Status Update

The following is a list of specific bugs fixed (and their checkin messages) since the last Bugzilla status report. It is ordered by the checkin date as rendered by Bonsai. It includes checkins on the trunk from 2003/04/25 to 2003/11/02. This list was generated by filtering Bonsai’s output on that query.

Checkins that don’t refer to a specific bug number have been omitted, and were a significant minority. Bold italic bugs are security-sensitive bugs.

Checkin manifest:

  • Bug 209742 - describecomponents.cgi displays products for which the user can’t enter bugs
  • Bug 219044 - MySQL injection vulnerability in editkeywords.cgi
  • Bug 209376 - Can access summary for secure bug if its been voted on.
  • Bug 210735 - collectstats.pl broken. Removes “uninitialised value” warning.
  • Bug 224397 - Mismatch of user error: insufficient_privs vs insufficient_perms;
  • Bug 123565 - Add to FAQ: Why can’t I close bugs from “Change Several Bugs at Once” ?
  • Bug 190611 - Query page crashes if any product has no versions defined
  • Bug 220724 - Provide standalone bug submission program. Includes a python script that submits bugs to a specified Bugzilla instance.
  • Bug 216707 - Add user documentation for Patch Viewer
  • Bug 224218 - Fix wrong version in administration.xml
  • Bug 216703 - Need PatchReader note in install docs
  • Bug 217219 - Messages in votes errors are incorrectly CHOMP’d
  • Bug 223937 - web site error while updating email address
  • Bug 47925 - describe MOVED resolution in bug_status.html
  • Bug 67663 - globals.pl and CGI.pl emit “subroutine redefined” messages.
  • Bug 221039 - Separating knob in edit.html.tmpl.
  • Bug 111522 - Provide ability to specify MIME type of attachment when downloading.
  • Bug 223854 - masscc on change several bugs doesn’t honor usermatchmode
  • Bug 222204 - A mailto: link for the reporter would be very useful
  • Bug 221900 - duplicates.cgi query fails if more than one product selected
  • Bug 223093 - correcting the title on “perldoc Bugzilla::Auth::DB”
  • Bug 201294 - showdependencygraph.cgi now uses the global IsOpenedState() sub instead of its own list of which states are open.
  • Bug 218386 - add ‘view-source:’ to the link of URL protocols which automatically get hyperlinked in comments.
  • Bug 208647 - Fixes taint error in add new products code.
  • Bug 183788 - make request mail go out when a request is created and there’s no requestee but there is a cc: list
  • Bug 178624 - checksetup.pl needs to be run after copying templates to the custom directory.
  • Bug 215051 - Document the language auto-chooser.
  • Bug 218977 - “Table ‘namedqueries’ was not locked with LOCK TABLES” on ThrowUserError(‘product_edit_denied’).
  • Bug 221977 - Insecure dependency in require while running with -T switch at Bugzilla/Auth.pm
  • Bug 108528 - knob is not a defined error message and it does not help a user find the error
  • Bug 222566 - Fixing wording on enter_bug.cgi when using the create-guided template
  • Bug 108528 - knob is not defined doesn’t explain to 2001110503 users what to do
  • Bug 220034 - empty form after changing bug details
  • Bug 221391 - Bugzilla Quickstart guide could exist. Provide a QUICKSTART file, and alter README slightly to point to it.
  • Bug 219724 - typo in URL in section 4.2.5 of the guide.
  • Bug 213384 - shutdownhtml login bypass via editparams.cgi is broken under suexec.
  • Bug 220183 - post_bug.cgi could allow setting the status_whiteboard attribute. Added “status_whiteboard” to parsed attribute list.
  • Bug 221264 - Making no changes shouldn’t affect Last modified
  • Bug 219086 - use method=”post” on the “My Votes” page to submit changes to votes
  • Bug 65316 - Typos on edit*.cgi. Change use of PutTrailer() (and the default output, in certain cases) in the edit pages.
  • Bug 76157 - Give proper error message on non-numeric sortkey when editing milestones.
  • Bug 219659 - Misleading wording describing severity “blocker” on Bugzilla Helper form.
  • Bug 152748 - Make lack of sidebar support suggest Mozilla instead of Netscape as an upgrade.
  • Bug 177449 - When changing email address, old email address confirmation was case sensitive
  • Bug 129315 - incorrect column definition for bugs.delta_ts; adds ‘not null’ constraint
  • Bug 219216 - Javascript improperly using FILTER html instead of FILTER js causing data with @ produced by javascript to show up as &#64.
  • Bug 218569 - Clean up reporting UI.
  • Bug 219170 - single letter s missing on https://bugzilla.mozilla.org/bug_status.html
  • Bug 180257 - incorrect padding around words on “cancel email address change” page
  • Bug 208699 - Move Throw{Code,Template}Error into Error.pm.
  • Bug 120030 - Bugzilla bug lists are a spammer’s paradise.
  • Bug 215918 - All graphs that show numeric value on x-axis are useless and misleading. We now sort numerical fields numerically.
  • Bug 169354 - add “Windows Server 2003” - OS
  • Bug 217632 - Remove @@@ comment from message.html.tmpl.
  • Bug 218523 - undefined warning in query.cgi.
  • Bug 218515 - fix tree bustage from bug 207044.
  • Bug 207044 - Filter more template directives. None of these are security bugs, but they need fixing anyway.
  • Bug 145588 - adds full-text search option for more accurate finding of individual bugs via words that appear in their descriptions/comments/summaries.
  • Bug 215729 - “Column ‘value’ cannot be null” trying to upgrade chart data.
  • Bug 217422 - “0” was missing in “votes: 0” (MySQL 4 compatibility)
  • Bug 165366 - When editparams is used to shutdown Bugzilla, provide a link back to editparams
  • Bug 65383 - Clean up milestone prefs - currmilestone and nummilestones are obsolete
  • Bug 190040 - sanitycheck now has “view as buglist” links after lists of bugs as well as all listed bugs linked
  • Bug 217242 - CheckIfVotedConfirmed tripped Table ‘fielddefs’ was not locked with LOCK TABLES [for statement ``SELECT fieldid FROM fielddefs WHERE name = ‘bug_status’’’]
  • Bug 207754 - It should be possible to produce a quoted reply to a comment. Adds a reply link that uses JS to paste in a quoted comment into the comment textarea.
  • Bug 199502 - It’s possible to take down Bugzilla by changing the languages param
  • Bug 213577 - New reporting imports old series with wrong status query.
  • Bug 217485 - displays query in the “please wait” server push page if the “debug” parameter is set in the URL.
  • Bug 217256 - “No Interdiff Notification message has two run on words.” Patch adds newlines where they are needed.
  • Bug 217029 - creates appropriate date string if string is empty now that Date::Parse 2.27 doesn’t do it for us auto-magically.
  • Bug 217103 - page.cgi passes the correct pathname prefix in the correct place, so it actually works now.
  • Bug 160422 - If data/versioncache is not readable, pretend it’s expired and rebuild it.
  • Bug 192385 - Bug ID wordwrapped in change-several-bugs page if window was narrow
  • Bugs 171127 and 192512 - bug_email.pl was still using the old groups system and also the old outgoing mail system. This patch brings it up to date.
  • Bug 139011 - Improve buglist colors further.
  • bug 215268 - Check for PatchReader as a part of the installation and disable the “Diff” links if it is not there.
  • Bug 216019 - Change various sentences in BugMail.pm
  • Bug 215962 - Missing {} around implied hash reference in params to ThrowUserError.
  • Bug 204560 - display alias in long listing.
  • Bug 212095 - checksetup.pl gets confused by newer DBD::mysql quoting of table values.
  • Bug 120030 - adds template filter for obscuring email addresses.
  • Bug 214558 - Don’t spew “which: program not found” errors all the time
  • Bug 174942 - Patch Viewer, a pretty way of viewing and manipulating patches. Requires PatchIterator to be installed, classes uploaded to that bug and will be soon in CPAN.
  • Bug 153583 - Links to obsoleted attachment should use line-through style
  • Bug 211435 - Fix “Table ‘namedqueries’ was not locked with LOCK TABLES” error.
  • Bug 206558 - What happened when multiple items were selected on a multi-select box wasn’t clear.
  • Bug 183898 - checksetup.pl doesn’t accepts admin passwords with dots.
  • Bug 213079 - When severity or priority are hidden, CSS class names are incomplete in buglist.
  • Bug 98147 - disables “View All Attachments” link if there are no attachments to view.
  • Bug 178935 - Eliminating the “Add another user” link on the confirmation screen after editing a user if the user doing the editing doesn’t have permission to add users.
  • Bug 213085 - importxml.pl tries to convert qa_contact from a name to an ID when it’s already an ID
  • Bug 147480 - Lack of newlines when asking for password in checksetup.pl.
  • Bug 82172 - Don’t allow empty bug summaries.
  • Bug 95759 - localconfig.js contains strings of equals signs (===).
  • Bug 207206 - doeditparams.cgi XHTML compatibility.
  • Bug 122365 - Allow installation definable LDAP filters.
  • Bug 204798 - Total in graph report is incorrect.
  • Bug 203444 - Add request for about:buildconfig to Bugzilla Helper.
  • Bug 212361 - Additional Comments date had month and day swapped in bug change emails
  • Bug 185066 - The OS “BSDI” should be “BSD/OS”… Patch changes the default in localconfig; admins will have to change existing installations manually.
  • Bug 107580 - Add space to front of “New:” designator on bugmail so it will always sort before changed mails in an alphabetical subject listing in user mailboxes.
  • Bug 211758 - checksetup.pl was trying to use params that didn’t exist yet because it was loading Bugzilla::Series at compile time (use). Now pulls in Bugzilla::Series at runtime (require) after initializing the params.
  • Bug 13540 - allow key terms, like “Bugzilla” and “bug”, to be altered without changing all the templates.
  • Bug 194347 - Updating MacOS X hints to specify that the GD patch is no longer required (when using the gd2 package) and also recommend using fink to install expat.
  • Bug 211126 - As a part of fixing bug 180642 the directions for using LDAP authentication has changed.
  • Bug 211127 - use proper path to Perl.
  • Bug 201955 - The method for specifying a charset has changed now that we use CGI.pm for header output (bug 201816).
  • Bug 206498 - Add a warning that Bugzilla upgrades are irreversible and that backups should be made.
  • Bug 210248 - Missing “my” in SMTP code for win32 instructions.
  • Bug 193575 - Internal server error from votes.cgi.
  • Bug 16009 - generic charting.
  • Bug 204631 - enhances config.cgi to generate a list of queryable fields so third-party clients can populate search forms with the list.
  • Bug 210324 - s/->err/->error/.
  • Bug 77192 - MOVED is not handled properly on queryhelp.cgi.
  • Bug 207096 - minor spelling fixes for Bugzilla/Search.pm
  • Bug 208620 - Fix return value of Bugzilla->login when user already exists.
  • Bug 208583 - Remove PerformSubsts from templates.
  • Bug 205463 - Tokens aren’t canceled after a successful login.
  • Bug 180635 - Enhance Bugzilla::User to store additional information
  • Bug 207085 - Updating a stored query shouldn’t return the same message as creating one
  • Bug 37749 - query for changes to specific field in last n days not working. Rearrange time-based query UI to be more sane.
  • Bug 84876 - Mentioned the wrong bug number, also making it a link.
  • Bug 145965 - Mention the sendmail -> SMTP change for Bugzilla on win32
  • Bug 199129 - Replace installation list w/a link to the installation list on the web page
  • Bug 191034 - Making the installation chapter a little more generic. Replaced a lot of OS Specific hints with links to the OS Specific section.
  • Bug 204724 - ExcludeSelf doesn’t work with an email containing capital letters.
  • Bug 195977 - Add ability to show alias column in buglist
  • Bug 203314 - Clean up 's, links to bugs and extra spaces in sentences.
  • Bug 204592 - invalid column name error.
  • Bug 204964 - Make attachment view work again.
  • Bug 190864 - Fix ordering of ‘ and > that I thought I had done earlier.
  • Bug 203867 - Add regular expression references to glossary.
  • Bug 201816 - use CGI.pm for header output
  • Bug 204104 - internal error in Search.pm when searching for invalid keywords/email.
  • Bug 204008 - checksetup.pl didn’t set permissions on the js directory
  • Bug 72837 - a script that generates configuration information for a Bugzilla installation.
  • Bug 200198 - user-error.html.tmpl’s use [% changedsince %] instead of $changedsince
  • Bug 195607 - Minimum width code gets it wrong.
  • Bug 197171 - report.cgi: Use of uninitialized value in numeric lt.
  • Bug 180086 - Rename ‘count’ column in votes tables.
  • Bug 203540 - RenameField doesn’t get NULL/NOT NULL correct.
  • Bug 202463 - prefill ‘assign to’ with default component owner.
  • Bug 203080 - New version of LDAP to Bugzilla account sync script.
  • Bug 203318 - 008filter.t fails to do chdir $topdir - if @Support::Templates::include_paths returns more than one path
  • Bug 203160 - mod_throttle has a new URL.

Stable (2.16) Branch Checkins Since the Last Status Update

The following is a list of specific bugs fixed (and their checkin messages) since the last Bugzilla status report. It is ordered by the checkin date as rendered by Bonsai. It includes checkins on the branch from 2003/04/25 to 2003/10/30. This list was generated by filtering Bonsai’s output on that query (with some manual adjustments).

Very few checkins were made without reference to any specific bugs, mainly test bustage fixes and documentation updates. Bold italic bugs are security-sensitive bugs.

Checkin manifest:

  • Bug 219690 - When deleting products and usebuggroups is set, blessgroupset is not updated
  • Bug 219044 - MySQL injection vulnerability in editkeywords.cgi
  • Bug 209376 - Can access summary for secure bug if its been voted on.
  • Bug 214290 - collectstats.pl does not add 's to SQL queries for quotes”.
  • Bug 123565 - Add to FAQ: Why can’t I close bugs from “Change Several Bugs at Once” ?
  • Bug 223937 - web site error while updating email address
  • Bug 178624 - checksetup.pl needs to be run after copying a template to the custom directory.
  • Bug 220332 - Insecure dependency in exec while running with -T switch at process_bug.cgi line 1267
  • Bug 221626 - Fix for Mozilla-specific report template.
  • Bug 219724 - typo in URL in section 4.2.5 of the guide.
  • Bug 213384 - shutdownhtml login bypass via editparams.cgi is broken under suexec.
  • Bug 219508 - processmail rescanall would not send e-mails about more than one bug to the same address
  • Bug 217422 - “0” is missing in “votes: 0” (MySQL 4 Compatibility)
  • Bug 160422 - If versioncache isn’t readable, pretend it doesn’t exist and recreate it. This tends to happen after cron jobs run as a user other than the webserver.
  • Bug 177828 - Fixes taint warning from post_bug with perl 5.8
  • Bug 212095 - DBD::mysql versions after 2.1026 return the table list quoted, which broke the existing “table exists” check.
  • Bug 146087 - ‘sendmailnow’ should be on by default.
  • Bug 190864 - Fix the ordering of the ‘ and >.
  • Bug 203318 - 008filter.t fails to do chdir $topdir - if @Support::Templates::include_paths returns more than one path
  • Bug 203160 - mod_throttle has a new URL

Conclusion and Credits

Well, that’s it for this status update. We’d like to thank everybody who submitted a patch, helpful comment or bug to Bugzilla – it’s very much appreciated, even when everybody’s too busy to stop and say “great work”; we always mean it! Let’s work together to make 2.18 the killer release we all want it to be.

[Christian: I should also really mention Paul Reed, who (apart from preparing many of our previous status updates) provided the bug manifests for this one – no, actually, I stole them!]

02. November 2003

Bugzilla 2.16.4, 2.17.5 Released

by Bugzilla Team

The Bugzilla Team is pleased to announce the release of the Bugzilla 2.17.5 developer snapshot. For details on the newest features and bugfixes, see the new status update. The 2.17.5 snapshot also contains multiple security fixes.

Also released today is Bugzilla 2.16.4. Version 2.16.4 is the latest stable Bugzilla release, and fixes multiple security bugs in Bugzilla 2.16.3. Read the security advisory below for details.

01. October 2003

Korean Localization Available

by Bugzilla Team

The download page has been updated with a Korean localization for Bugzilla 2.16.3.

14. September 2003

New Localizations Available

by Bugzilla Team

The download page has been updated with additional localizations of Bugzilla.

New Languages:

  • Belarusian (2.16.3)
  • French (2.16.2)

Updated versions:

  • Chinese (2.17.4)

Many thanks to the localizers for taking on this thankless job!

24. April 2003

Bugzilla Status Update

by J. Paul Reed (preed)

Introduction

The Bugzilla Team is pleased to announce the release of Bugzilla 2.16.3, a maintenance release, and 2.17.4, a new developers’ release.

2.16.3 continues the Bugzilla Team’s support of the stable Bugzilla branch, fixing a couple of important security vulnerabilities and other bugs for 2.16 Bugzilla users.

2.17.4 continues our march toward 2.18, offering new features for developers to play with and refine, and new toys for users who like living on the edge, even though many organizations–mozilla.org included–are using the 2.17 developers’ branch without incident.

Users on both branches should upgrade to today’s releases. Both contains fixes for multiple cross-site scripting issues and an insecure temporary filename vulnerability. For specifics, see the Bugzilla security advisory on these vulnerabilities.

2.14.x users may be affected by at least one of these security vulnerabilities (bug 197153), and are encouraged to upgrade. The Bugzilla Team has officially stopped supporting the 2.14 branch. Also, the 2.16/2.17 branches have lots of cool new goodies on them!

If you’re wondering about the Win32 situation, it has improved slightly on the 2.17-branch, but “out of the box” Win32 support, on either branch, is still, unfortunately, unchanged. However, the Bugzilla Team is currently discussing the status of “out of box Win32 support” in 2.18 and it is likely to remain a release goal.

The Road to 2.18

The Bugzilla team has started reviewing goals for the 2.18 release. This includes deciding what’s important to keep on the list and what might get pushed off.

As far as timing goes, the Bugzilla Team is not going to set a date; doing so has bit the project too many times in the past. The answer to “when is 2.18 coming out?” will continue to be “When it’s done.” However, the Team understands the need to do it sooner rather than later, so post-release, we’ll be focusing on reducing the list of 2.18 goals. If we can pare this down appropriately, 2.17.5 may be the last developer release prior to the 2.18 release candidates. That may or may not be realistic, but it’s a seemingly sensible plan to work from.

The Bugzilla roadmap contains a number of 2.18 goals. If you don’t see a feature or fix you feel is necessary for 2.18 on that list, now is the time to make your case to the module owners. Also, be looking for bugs you’re interested in to be retargetted in the next few days. If you’re significantly concerned about this process, considering joining the Bugzilla developers’ mailing list.

A good initial summary of the Team’s current thinking on goals can be read in this developers@ thread.

Upcoming Major Features

The following is a list of major new features the Bugzilla Team is currently working on. You can find more information, including implementation/design discussions, proposed landing dates, and status in the bug reports below. These are also features that the Bugzilla Team would appreciate help on, so if one of the features below interests you, feel free to jump into the fray!

  • Ability to send email via SMTP instead of relying on a local installation of sendmail. (Bug 84876)
  • PostgreSQL support. (Bug 98304)
  • Sybase support. (Bug 173130)
  • Ability to add generic customized fields to bugs (Bug 91037)
  • Customized resolutions, that allow adding, removing, deactivating and renaming of resolutions. (Bug 94534)
  • Expanding the e-mail preferences to allow watching components, keywords, etc. (Bug 73665)
  • mod_perl support. (Bug 87406)
  • New makefile-based installation system (Bug 104660, Bug 105854, Bug 105855, and Bug 105856)
  • Generic charting. Allows users to define arbitrary data sets for which historical data will be recorded, and then plot those data sets. (Bug 16009)

New Bugzilla Features

</a>

In-core processmail

Bug 124174, processmail as a package, has finally landed. This bug moves bug mail handling (mail from bug submissions/changes) from the venerable external processmail script, the source of much porting pain and some security issues, into a new module Bugzilla::BugMail.

This change moves the actual sending of mail into the same Bugzilla core process handling web requests. This change will make Win32 porting easier and has significantly sped up bug mail handling (Bug 178153) for large bug changes. The checkin also cleans up the mail sub-system interface and backend, meeting–along with Win32 support–a number of 2.18 goals.

Authentication module/LDAP improvements

As part of the ongoing preparation for mod_perl, Bugzilla’s authentication mechanisms have been modularized, making pluggable authentication schemes for Bugzilla a reality. Both the existing database and LDAP systems were ported as part of modularization process. Additionally, the CGI portion of the backend was redesigned to allow for authentication from other sources, including (theoretically) email, which will help Bug 94850.

As part of this conversion, LDAP logins now use Perl’s standard Net::LDAP module, which has no external library dependencies. This is a departure from using the Mozilla::LDAP modules, which relied on the Netscape LDAP SDK.

Bugzilla mod_perl support

Work continues on updating Bugzilla to support mod_perl, a performance and modularization win. In addition to the authentication module re-org, patches are pending (not included in 2.17.4) to move Bugzilla user handling into a module. With these and other patches, show_bug.cgi (and other minor pages) now support mod_perl, but have not been extensively tested, and are mostly a proof-of-concept at this point.

Initial testing is very encouraging; some very raw performance data suggests that for a simple bug with 5 comments, load times decrease from 0.6 seconds to 0.15 seconds on an unloaded P4-2.4GHz machine.

Despite this, mod_perl support is not yet ready for prime time. Lots of the work is very ‘hacked together’, and the patches only support mod_perl installations, to the detriment of normal CGI/Bugzilla installations. This will, of course, be fixed before checkin.

The major factor inhibiting mod_perl support is the lack of development time and the lack of time for other Bugzilla developers to review patches. If you’re interested in helping Bugzilla increase performance with mod_perl, check out bug 87406.

JS versions of buglists

Buglists are now available as JavaScript structures in addition to HTML and RDF. This allows features like the “update buglinks” bookmarklet, which will update the state of all the buglinks in a page to have the correct status and tooltip.

Perl on the “move” from /usr/bonsaitools/bin to /usr/bin

One of the most common support requests was what this “bonsaitools” directory was all about, and how could the Perl location Bugzilla expects be changed from that to the more standard /usr/bin. This request was never fulfilled because Bugzilla’s primary installation, bugzilla.mozilla.org, needed to have Perl installed in a location other than /usr/bin and a longstanding rule for Bugzilla development has been “don’t break mozilla.org.”

Because of server changes at mozilla.org, a bonsaitools was no longer required for them. After a quick message to the Bugzilla newsgroups and mailing lists asking if anybody else relied on this path, it was determined that finally getting this change checked in wouldn’t affect many people, so the oft-requested feature was finally completed.

More information can be found in bug 196433.

Doc changes

Matthew Barnson, the original author of much of the Bugzilla Guide, has recently been swamped by life. Jacob Steenhagen was gracious (and foolish) enough to volunteer to take over. In an attempt to “sync up” the documentation, Jake has been focusing on backporting relevant changes to the documentation to the 2.16 branch. Many items in the guide have received love, but the most notable ones include:

  • Section 4.3 - OS Specific Installation (New in Devel) - Moved a lot of stuff that is specific to the OS (or distribution) out into a special section. The next step is to make the installation instructions more generic as there are still some OS specific hints, etc.
  • Section 4.4 - HTTP Server Configuration (New in Devel) - Moved some information that is specific to the web server being used into its own section. I currently have varying amount of information for Apache, IIS, and AOL Server.
  • Section 5.5 - Group Security (Devel) - Because the tip has a new security model the docs needed updating for the tip.
  • Section 5.6 - Bugzilla Security (2.16 and Devel) - This section has been cleaned up considerably. It also now contains information that used to be scattered about in different sections.
  • Section 5.8 - Upgrading (2.16 and Devel) - Add a lot of information about upgrading along with specific instructions and examples for 3 different ways to get the latest code.
  • Many Misc. FAQ Updates (2.16 and Devel)
  • Finally moved everything to the xml/ directory. For quite some time now, the documentation has been using the DocBook 4.1.2 XML doctype but still residing in a directory named sgml/ and having file names ending in the .sgml extension. The master documentation files now live in the xml/ directory and have .xml extensions.

Please join the Bugzilla team in welcoming Jake back! Documentation is often the most overlooked and under-appreciated task of any open source project, so if you see Jake on IRC, be sure to thank him!

Improved localization support

With the landing of Bug 126955, support for localized Bugzilla templates has improved tremendously. Bugzilla administrators can now configure which languages are supported by their installations and automatically serve correct, localized content to users based on the Accept Language header sent from users’ browsers, providing the appropriate language for a user with minimal configuration on their part.

There are currently localized templates available for Chinese, German, Spanish (Spain or Mexico) and Russian. These localized template packs are third-party contributions, may only be available for specific versions of 2.16 or 2.17, and may not be supported in the future.)

Trunk Checkins Since the Last Status Update

</a>

The following is a list of specific bugs fixed (and their checkin messages) since the last Bugzilla status report. It is ordered by the checkin date, as ordered by Bonsai. It includes checkins on the trunk from 01/02/2003 to 04/24/2003. This list was generated by filtering Bonsai’s output on that query.

Bold italic bugs are security-sensitive bugs.

Checkins made without reference to any specific bugs:

  • Versions numbers were bumped and release notes updated
  • (1/4/03, 2/19/03, 4/1/03, 4/22/03) Documentation updates (Jake)
  • (2/16/03) Allow runtests.pl to let you specify a test number to run (justdave)
  • (1/12/03) XUL Chrome should use content over _content (in sidebar.cgi). (caillon)

Checkin manifest:

  • Bug 179510 - Fix to take group restrictions into account when sending request notifications
  • Bug 172331 - importxml.pl warnings under perl 5.8
  • Bug 179513 - take N. Fix the bracketing so that it actually works…
  • Bug 201018 - editusers.cgi never calls DeriveGroup prior to changing a bug
  • Bug 197153 - Add wording schange requested by reviewer which wasn’t in the patch on the bug, and so wasn’t checked in.
  • Bug 193965 - On product change, user can accidentally opt-out of required group restriction
  • Bug 197153 - Fix for insecure temporary filename handling.
  • Bug 192661 - Dependency graphs were printing bug summaries without HTML filtering.
  • Bug 192677 - Add new test to flag failure-to-filter situations in the templates, and correct the XSS holes that were discovered as a result of it.
  • Bug 198458 - Added LDAP Sync script contributed by [email protected] (Thomas Stromberg) to the contrib directory.
  • Bug 202744 - Removing unnecessary output from collectstats.pl cron job
  • Per bug 200472 - Changing the version information for Date::Parse (any) to instead specify Date::Format (2.21).
  • Fix typo in previous checking for bug 200472 - Date::Format should be version 2.21.
  • Bug 200472 - Require specific version of Date::Format to ensure we don’t run into a bug in an older version that we’re triggering.
  • bug 202534 - Login with unrestricted IP address fails - tries to access missing get_netaddr
  • Bug 71790 - Duplicate resolution field should include bug number of original
  • Bug 199012 - Default (and b.m.o.) bug email should have “change prefs” line.
  • Fix for bug 200961 - unhorks display of bug ID in RDF version of bug list.
  • Bug 200072 - Creating new users from LDAP at authentication time is broken
  • Bug 190589 - sidebar.cgi should link to report.cgi instead of reports.cgi for consistency
  • Bug 199813 - Make all users of ThrowUserError pass $vars in explicitly.
  • Bug 195424 - Add a note about new MySQL permissions needed for Bugzilla in MySQL 4.
  • Bug 194541 - Dot is a binary executable, not a perl script so we don’t need to prefix the system call with the perl binary. There are no more system calls of perl scripts in Bugzilla, so this section can go away.
  • Bug 171674 - Adding a section to the Troubleshooting section describing how to fix the File::Temp problems in perl 5.6.0.
  • Bug 195530 - Make javascript version of buglists available.
  • Bug 80157 - Add “regenerate” option to collectstats.pl.
  • Bug 192121 - Javascript error in guided bug entry.
  • Bug 197689 Missing Query - The query named $name seems to no longer exist.
  • Bug 65319 editmilestones & editversions don’t have extra add.
  • Bug 196433 - Bugzilla now uses /usr/bin/perl as the shebang line
  • Bug 195621 - Back out taint-related changes from bug 160710.
  • Bug 190892 - Radio button for “run this query” looks silly if it’s the only choice. Make it a hidden input if it’s the only one.
  • Bug 180642 - Move authentication code into a module
  • Bug 195695 - Requesting a non-existent format results in an Internal Error
  • Bug 197180 - Long comment names not flagged as an error
  • Bug 193989 - EmailSuffix wasn’t getting used for password change tokens. Also removes real name from To: header which wasn’t being escaped properly for RFC2822 specs.
  • Bug 194917 - Javascript missing HTML comments in flag list.
  • Bug 190848 - Adding a new product results in a software error.
  • Fix for bug 191051 - make substring searches actually do substring instead of anyexact.
  • Bug 196101 - use ANSI-compliant SQL for group checks in sanitycheck
  • Bug 194345 - checksetup.pl would die if you had your params set for a local dot, and the executable didn’t exist. The polite error message it was supposed to print works now.
  • Bug 196420 - jsmagic for add/and/or in boolean charts isn’t working
  • Bug 156436 IBM Web Browser is unrecognizedpatch by [email protected]
  • 180692 - enter_bug shows keywords option even if keywords are disabledFix broken tree.
  • Bug 180692 - enter_bug shows keywords option even if keywords are disabled
  • Bug 195137 - Keywords are not sent in new bug mail
  • Bug 194744 - fix dead link to confirmhelp.html.
  • Bug 183017 - Only numbers displayed when bar chart contains too many products.
  • Bug 194394 - Internal error after turning useqacontact off
  • Bug 186689 - Should be able to set all/clear all email options in user preferences with one click.
  • Bug 194426 - “usequips” was renamed improperly in the backward-compatibility Param code.
  • Bug 194172 - move.pl was sending empty bugs because of failure to initialize the field list for the new “XML Summary” mode.
  • Bug 193985 - errors from SendSQL aren’t being reported
  • Bug 135820 - token cancellation message are not user-friendly
  • Bug 193511 - post_bug page has two headers.
  • Bug 186994 - Unable to accept a new bug that has been assigned.
  • Bug 191537 - Improvements to the security section.
  • Bug 192877 - State changes on bugs w/ dependencies cause “Use of uninitialized values” in BugMail.pm;
  • Bug 193286 - Field validation errors had the wrong page title
  • Bug 192531 - Bugzilla not properly closing DB statement handles. Change code to work arround a perl < 5.8 leak when localising the tiedstatement attributes. Also, clear the sql statestack compat stuff so thatthe handles are really dead by the time we disconnect
  • Bug 177997 - Update the AOL Server section with the new configuration information.
  • Bug 192511 - Removing all occurances of ‘processmail’ from the documentation now that bug 124174 is FIXED.
  • Bug 192874 - checksetup.pl wasn’t silencing the GraphViz check when running in silent mode.
  • Bug 58020 - include bug summaries in whinemail.
  • Bug 192513 - importxml.pl and move.pl now use the new mail routines introduced in bug 124174 (they got broken when processmail was removed). Also fixes several comments referring to processmail (which no longer exists) in other files, and removes references to processmail from the .htaccess files and the executable file list in checksetup.pl.
  • Partial fix for bug 192513 (processmail cleanup). Patch fixes test filesto disregard processmail since it no longer exists (it was special-casedbefore).
  • Bug 124174 - make processmail a package (Bugzilla::BugMail),
  • Bug 192393 - $::dbwritesallowed never set
  • Bug 192340 - ‘unknown_keyword’ error doesn’t mention keyword
  • Bug 192182 - editflagtypes uses ^ instead of **
  • Bug 191020 - back out bits of generic charting checked in by mistake. Apologies.
  • Bug 191020 - buglist.cgi doesn’t always get query names right for filename to save.
  • Bug 191863 - Clean up Bugzilla.pm
  • This checkin contains two fixes:* Bug 191971 - The guide incorrectly stated that you could resolve a bug via email* Provide an example of a glossary term in the document conventions section
  • Bug 172434 - add link to latest nightly.
  • bug 191087 - process_bug.cgi: “Mid-air collision!” title when not allowed to change a field
  • Bug 191085 - Fix FetchSQLData compat code.
  • Bug 191034 - step 1 - Refactoring the installation chapter to provide sections for OS Specific notes and configuration help on multiple web servers. Also added some terms to the glossary.
  • Bug 191080 - fix SQLQuote return value for an undef input
  • bug 190999 - Quips.cgi editing doesn’t show quips author – s/FetchSQLData/FetchOneColumn/
  • Spell servlet correctly. Also, Scarab is now at Version 1.0 Beta 13 - as long as I’m updating…
  • Bug 190582 - quips table initial definition in checksetup.pl missing approved column
  • Bug 190521 - If the attachment didn’t have a Content-Description: header in the e-mail, it ended up not having a description in Bugzilla leaving nothing to click on in the Attachment table on the bug form.
  • Bug 190437 - showdependencytree.cgi and showdependencygraph should use switch_to_shadow_db
  • Bug 106918 - the “movers” param was not being interpreted correctly by move.pl or the show_bug template. Also the exporter value was not properly fed into the xml template.
  • Bug 126955 - Bugzilla should support translated/localized templates.
  • Bug 190197 AnyEntryGroups() is broken in globals.pl; call from enter_bug.cgi breaks bug enteringpatch by [email protected]
  • Bug 188712 Apple’s Browser Safari does not support server-pushpatch by [email protected]
  • Bug 189446 - Can’t change product of a bug
  • Bug 188161 - assignee/qa missing change knobs.
  • Bug 189790 voting info not displayed when editing/viewing a bugpatch by [email protected]
  • Fix for bug 184909 - show status whiteboard on bug lists when the user requests it.
  • Bug 105692 - Script to compile all docs directories.
  • Bug 136603 - show_bug.cgi’s XML retrieval needs a summary mode.
  • Bug 184309 - Adds an optional disabled state to quips, which allows quips to be moderated if the admin so chooses.
  • Bug 148093 - editmilestones.cgi shows ‘xyzzy’ as product bug count.
  • Bumping minimum versions for DBI and DBD::mysql to match what was just checked in for bug 163290.
  • Bug 163290 - move DB handling code into a module
  • Bug 156169 - Bug number styling issues in attachment viewer/editor.
  • Bug 187566 - Making the upgrading section much clearer and presenting multiple possible methods (CVS, tarball, patch).
  • Bug 153874 - Query in sidebar wasn’t working
  • Bug 188656 Change required mysqld minimum to 3.23.41
  • Fix for bug 166481 (“Spellcheck is borked”). Part one of this fix fixes the spelling errors so tinderbox doesn’t barf, part two fixes t/006spellcheck.t and adds some more new words to check for.
  • Bug 142104 - Enhancements in buglists should be gray.
  • Bug 179328 - Mozilla-specific wording in duplicates.cgi explanation text.
  • Bug 187869 long_list.cgi output includes <font =”+3”> before each bug summary
  • Bug 186920 - Loosen checking for Windows ME user-agents.
  • Bug 181047 - Change non-output templates to have a ctype of “none”.
  • Bug 187837 - Unify showing and editing of quips.

2.16 Branch Checkins Since the Last Status Update

The following is a list of specific bugs fixed (and their checkin messages) since the last Bugzilla status report. It is ordered by the checkin date, as ordered by Bonsai. It includes checkins on the 2.16 branch from 01/02/2003 to 04/24/2003. This list was generated by filtering Bonsai’s output on that query.

Bold italic bugs are security-sensitive bugs.

Checkins made without reference to any specific bugs:

  • Versions numbers were bumped and release notes updated
  • A bunch of highly useful documentation updates (Jake)
  • Allow runtests.pl to let you specify a test number to run (justdave)
  • Update template tests to also catch localized template versions during testing (justdave)

Checkin manifest:

  • Bug 172331 - importxml.pl warnings under perl 5.8
  • Bug 197153 - Add wording schange requested by reviewer which wasn’t in the patch on the bug, and so wasn’t checked in.
  • Fixing tinderbox test failure resulting from the checkin for bug 197153
  • Bug 197153 - Fix for insecure temporary filename handling.
  • Bug 194394 - Someone listed as QA contact on a bug could still access a bug with QA contact privileges if “useqacontact” was later disabled via the parameters.
  • Bug 192661 - Dependency graphs were printing bug summaries without HTML filtering.
  • Bug 192677 - Add new test to flag failure-to-filter situations in the templates, and correct the XSS holes that were discovered as a result of it.
  • Fix (on the 2.16 branch) for bug 160279 - checksetup.pl doesn’t check permission on data/comments. Patch adds a fixPerms() call for data/comments.
  • Bug 194125 - CGI.pl perl warning: Character in “c” format wrapped
  • Bug 195424 - Add a note about new MySQL permissions needed for Bugzilla in MySQL 4.
  • Bug 171674 - Adding a section to the Troubleshooting section describing how to fix the File::Temp problems in perl 5.6.0.
  • Bug 197180 - long component name not flagged as error. Because of a mismatch between the size of bugs.component and components.program, this caused silent failures when creating/moving bugsin that component.
  • Port security section rewrite from bug 191537 to the 2.16.3 docs
  • Bug 157704 - Deleting a product could potentially remove privileges from administrators.
  • Bug 191971 - The guide incorrectly stated that you could close a bug by sending an email with the code in contrib/
  • Bug 188757 - 2.16 shipped with the problem mentioned in bug 174255 and that fix was never ported to 2.16’s documentation, so the error was still on bugzilla.org.
  • Bug 187566 - Update upgrade section in the 2.16 branch as was done on the tip
24. April 2003

Bugzilla 2.16.3, 2.17.4 Released

by Bugzilla Team

The Bugzilla Team is pleased to announce the release of the Bugzilla 2.17.4 developer snapshot. For details on the newest features and bugfixes, see the new status update. The 2.17.4 snapshot also contains multiple security fixes.

Also released today is Bugzilla 2.16.3. 2.16.3 is the latest stable Bugzilla release, and fixes multiple security bugs in Bugzilla 2.16.2. Read the security advisory below for details.

16. January 2003

Bugzilla Getting Exposure at LinuxWorld

by Bugzilla Team

Bugopolis is showing off their Bug Station, a server hardware product that comes with Bugzilla pre-installed on it, at the LinuxWorld expo next week. IDG (the event promoters) announced today that the Bug Station was a finalist in the LinuxWorld Open Source Product Excellence Awards, in the Best Developer Tools category. The Bugzilla Team offers their congratulations to Bugopolis for becoming a finalist, and best wishes at the show! Read IDG’s press release.

02. January 2003

Bugzilla Status Update

by J. Paul Reed (preed)

Introduction

The Bugzilla Team is pleased to announce the release of three versions of Bugzilla today: 2.14.5, 2.16.2, and 2.17.3:

  • 2.14.5 is a maintenance release on the 2.14 branch; it contains a couple of security-related bug fixes.
    Note: this is the last 2.14.x release, as the Bugzilla Team has officially stopped supporting the 2.14 branch.

  • 2.16.2 is a maintenance release on the 2.16 branch, containing a couple of security-related bug fixes.
    It is recommended that all production installations upgrade to 2.16.2 to make sure they get the fixes for these security bugs.

  • 2.17.3 is the latest developers’ snapshot release from the trunk; it contains the above security bug fixes as well as tweaks to features in 2.17.1 (bug and attachment flags, enterprise groups, etc.). This release is a developers’ release and is not generally intended for production use.

The security bug fixes on the 2.14.x and 2.16.x branches and the trunk all address the same security bugs. These bugs address cross site scripting vulnerabilities (which the Bugzilla Team already released an announcement about), and sensitive directory and file permissions. In all cases, local server compromises aren’t possible, but unrestricted Bugzilla database access is possible.

Unfortunately, none of these release address the Win32 situation which is still unchanged.

What Happened to 2.17.2?!

Bugzilla project observers may note that we’re releasing a 2.17.3 developers’ release without having released a 2.17.2 version.

This was due to an overzealous Bugzilla developer (JayPee) who tagged the 2.17.2 release in CVS before it was quite ready to be released. Because of the holiday season and a couple of other bugs that were found, the Team decided to hold the release of 2.17.2 until after the holidays.

But, some astute users noticed the new, incorrect tag and had already started to pull it from CVS. Therefore, to minimize confusion, and signify that other patches had been checked into the tree after what had been dubbed “2.17.2” was tagged, the Team decided to bump the version number to 2.17.3.

Developers (and anyone else) do not want the 2.17.2 “release”; they want 2.17.3.

Check-in Policy Update

As Bugzilla project lead Dave Miller announced in the last status report, the Bugzilla project has changed its policies regarding check-ins. The new policy institutes an “approval” process for check-ins and comes as an addition to our existing review policy.

Previously, to check something into Bugzilla’s CVS tree, developers were only required to get the approval of one or two people on the review team. That process is now augmented by a requirement of obtaining approval on the patch from the project lead or a designee before it can be checked in. Current “designees,” if there are any, are noted in the #mozwebtools topic. This won’t amount to a code review, but rather a ‘yes’ or ‘no’ on whether this feature or bugfix in this form at this time is the best course of action to fulfill Bugzilla’s design goals. Approvals are also being used to coordinate landing patches, so the approval flag generally won’t be set until there’s a patch ready to land. If you want to know if a patch you’re working on will likely be given approval for check-in before you expend effort on it, you can ask on the [email protected] mailing list.

Bugzilla developers and reviewers are adjusting to this new policy well, and it’s seemingly serving the Bugzilla project well. The quick release of another 2.17 developers’ snapshot, a mere six weeks after 2.17.1, provides good evidence of this.

Upcoming Major Features

The following is a list of major new features the Bugzilla Team is currently working on. You can find more information, including implementation/design discussions, proposed landing dates, and status in the bug reports below. These are also features that the Bugzilla Team would appreciate help on, so if one of the features below interests you, feel free to jump into the fray!

  • Ability to send email via SMTP instead of relying on a local installation of sendmail. (Bug 84876)
  • PostgreSQL support. (Bug 98304)
  • Sybase support. (Bug 173130)
  • Ability to add generic customized fields to bugs (Bug 91037)
  • Customized resolutions, that allow adding, removing, deactivating and renaming of resolutions. (Bug 94534)
  • Expanding the e-mail preferences to allow watching components, keywords, etc. (Bug 73665)
  • mod_perl support. (Bug 87406)
  • New makefile-based installation system (Bug 104660, Bug 105854, Bug 105855, and Bug 105856)
  • Generic charting. Allows users to define arbitrary data sets for which historical data will be recorded, and then plot those data sets. Bug 16009.

New Bugzilla Features

Re-architected Product Groups

Bug 147275, re-architected product groups, has finally landed. In the 2.17.3 release, the entire mechanism for handling groups has been revised.

It is now possible to exert much more control over how groups and products are related. In editproducts.cgi, there is now a mechanism to permit you to edit the “Group Controls” for a product and determine which groups are applicable, default, and mandatory for each product as well as controlling entry for each product and being able to set bugs in a product to be totally read-only unless some group restrictions are met.

The patch author, Joel Peshkin, has noted that all of the possible scenarios have not been anticipated and this is a new feature, so please Cc him on all bugs you file against re-architected product groups.

Some examples of advanced uses for the re-architected product groups follow:

  • Example: When several products need to be associated with the same default group (formerly a product group), instead of defining several groups with the same names as the products and managing memberships in each group, a single group can be defined to control access and that group can be set as a “Default” group for all of the products.
  • Example: If certain products are never supposed to have a publicly accessible bug, define a group of all authorized users and set the groups control for those products to indicate that the group is Mandatory/Mandatory. This will place bugs in that group without giving the user any option at all.
  • Example: Anyone can enter a security bug. Create a product for security bugs. Do not restrict entry to the product at all. However, set the Member/Nonmember permissions to Default/Mandatory for the security group. This will permit anyone to enter and members of the security group will be able to override the default group restriction while nonmembers will be forced to restrict the bug to the security group.

Replication/shadowdb removal

The shadowdb was a read only copy of Bugzilla’s database, which Bugzilla used for potentially expensive read only queries, such as from buglist.cgi. Due to MySQL’s table-level locking mechanism, long running queries block modifications and updates to the database; the shadowdb attempted to alleviate this bottleneck by creating a second database for these long running queries to use.

Previously, Bugzilla handled updates from the main database to the copy on its own by keeping track of every SQL update. These updates were then sent to the shadow database via a separate process (syncshadowdb). This process had several bugs and was inefficient.

With the landing of bug 124589, which added MySQL replication support to Bugzilla, and bug 180870, which removed the old manual syncing code, Bugzilla 2.17.3 is now able to use the replication facilities provided by the database to handle these updates. The system is now given the locations of the two databases, but leaves updating them to an alternative process. This simplifies the Bugzilla code, and enables further optimizations which were not possible when Bugzilla needed to capture all of an SQL UPDATE/INSERT command.

New “always-require-login” Parameter

This new parameter, added under bug 173761, allows administrators running commercial or sensitive Bugzilla installations to require users to present login credentials to access Bugzilla.

Bugzilla is most commonly used for open source projects, where anyone should be able to search for and view certain types of bugs. But some entities need to restrict these operations to logged in users; this parameter allows administrators to require a login on every Bugzilla page, except for the front page. If users try to access any page without login credentials (in the form of a valid login cookie) and “always-require-login” is set, they will be prompted for the information before being allowed to continue.

Attach and Reassign at Once

When developers attach patches or other attachments (testcases, etc.) to bugs, they will commonly reassign the bug to themselves shortly thereafter, since that developer is actively working on that bug. These used to be distinct steps, which generated two email messages and required Bugzilla users to attach their patch and then reassign the bug to themselves.

This patch, added as part of bug 116819 allows developers to reassign the bug to themselves and set the status to accepted during the attachment creation process. This effectively makes the above process one atomic operation, reducing bug spam and streamlining a very common process.

Trunk Checkins Since the Last Status Update

</a>

The following is a list of specific bugs fixed (and their checkin messages) since the last Bugzilla status report. It is ordered by the checkin date, as ordered by Bonsai. It includes checkins on the trunk from 11/17/2002 to 01/02/2003. This list was generated by filtering Bonsai’s output on that query.

Bold italic bugs are security-sensitive bugs.

Checkins made without reference to any specific bugs:

  • (12/28/02) Release notes update (mattyt)
  • (12/21/02) Documentation rebuild (gerv)
  • (11/21/02) Post-2.17.1 release documentation corrections (justdave)

Checkin manifest:

  • Bug 186673 - Updating section on Red Hat Bugzilla and adding last updated lines to each of the variants.
  • Bug 186962 - Update minimum versions of required software and move those versions to be ENTITY’s
  • Bug 180005 - Bring the FAQ up to date.
  • Bug 178230 - Update documentation for Entrprise Groups
  • Bug 183388 - processmail wasn’t picking up on users being added to the owner or qa contact role and was dropping emails if the user had selected to only get mail on those events.
  • Bug 186594 - $db_sock was not being exported from Bugzilla/Config.pm
  • Bug 186337 - Param lookup should fall back to defaults
  • Bug 186383 - Checksetup leaves editor backups of localconfig accessible
  • Bug 180870 - Remove old shadowdb manual replication code
  • Bug 173622 - Move template handling into a module.
  • Bug 185760 - New group system doesn’t upgrade transparently if usebuggroups = 0
  • Bug 186218 - importxml.pl was doing a query against the products table using the old schema
  • Bug 185944 - radio buttons for adding/removing groups on the change-multiple-bugs screen all had the same name
  • Bug 184949 - CSV buglists are missing the Bug ID column.
  • Bug 185332 - Rewrite the description for timezone param (typo fixes etc.)
  • Bug 158499 - Templatise XML bug output
  • Bug 116819 - Attach and Reassign in one fell swoop.
  • Bug 183188 - collectstats.pl no longer makes data/mining world-readable
  • Bug 184256 Canedit group_control_map entry does not prevent making attachments
  • Bug 184081 Change search interfaces to use Viewable products instead of enterable products
  • Bug 184336 - default urlbase parameter on new installs now points at http://you-havent-visited-editparams.cgi-yet/ to a) relieve cvs-mirror.mozilla.org of all the hits, and b) give people who receive those emails a hint what to do to fix it.
  • Bug 180955 - Remove dual-license from test files
  • Bug 184365 - link to urlbase instead of index.cgi from “Top” link in navigation toolbar.
  • Bug 86029 - create permission restrictions for createaccount.cgi (prevent people from creating accounts)
  • Bug 159627 - quips should be editable and deleteable using the web interface
  • Bug 176461 - Move descs strings from change-columns.html.tmpl tofield-descs.html.tmpl
  • Bug 183843 - Query knobs are missing if requirelogin is set
  • Bug 182946 - fix additional typo noticed on irc by tm
  • Bug 182946 - fix regressions from bug 171493(Bug.pm/show_bug.cgi/bug_form.pl reorg)
  • Bug 177850 - checksetup.pl was failing if the user didn’t have read permissions to the entire Bugzilla path
  • Bug 178880 - Creation date is now displayed in the long list.
  • Bug 182512 - Charts over time broken
  • Bug 181951 - Cannot delete groups
  • Bug 171493 - make show_bug use Bug.pm and remove bug_form.pl
  • Bug 67077 - We now include the timezone (as configured in editparams.cgi) on every time we display.
  • Bug 173761 Need ability to always require login
  • Bug 114179 - Concentration, improvement, and templatisation of Bugzilla general user help system.
  • Bug 181221 - CSV reports on 2-d tables have header messed up.
  • Bug 181960 Reason for account being disabled is not shown
  • Bug 180460 request.cgi doesn’t filter list of products/components
  • Bug 181582 - reorders the table cells on the query page so that the list headers are grouped with the lists in Links and whenused with voice synthesis packages.
  • Bug 147275 Rearchitect product groups
  • Bug 180980 Doing 2 email searches fails when searching for CC list members
  • Bug 180966 - warnings in webserver error log (take 2)
  • Bug 181613 - $::ENV not being cleared
  • Bug 181182 - Reporting fix pack 2. Fixes bug 179198 (Don’t print labels for pie chart wedges when smaller than a certain size), bug 180255 (Tabular report CSV downloads should suggest csv filename), and bug 180967 (csv reports swap rows/columns).
  • Bug 181286 - Invalid html in banner.html.tmpl
  • Bug 179483 - Guided template displays wrong product name sometimes.
  • Bug 179582 - More informative and easier to read flag email template
  • Bug 179293 - time tracking js should only appear if time tracking isenabled
  • Bug 181000 - Lock the keyworddefs table for READ when using a shadowdb, too
  • Bug 180978 - Adding keyword from enter_bug doesn’t update keyword cache
  • Bug 179811, used & instead of &
  • Bug 124589 - support database replication
  • Bug 179881 - makes the “Requests” link in the footer be “My Requests” for logged in users.
  • Bug 179876 - Labels the “Requestee” field to reduce confusion about its purpose.
  • Bug 175579 - make templates html compliant
  • Bug 179206 - enter_bug isn’t picking up version from URL
  • Bug 180545 - It was possible to change the product/component of a bug without having the editbugs permission.
  • Bug 179960 - QuickSearch queries are slow and timeoutfixed by adding subselect emulation for product/component lookups
  • Bug 180205 - General reporting fixes.
  • Bug 180151 - Grand total links are messed up when axis is restricted,
  • Bug 180105 - CSV reports occasionally break,
  • Bug 179671 - Boolean charts are broken on reporting pages,
  • Bug 179887 - report.cgi should require Data::Dumper , not use
  • Bug 179581 - Keyword combinations report not very useful.
  • Bug 180444 - Correctly attributes request creation to person who submitted it.
  • Bug 180632 - corrects reference flag->is_requesteeble to flag->type->is_requesteeble
  • Last part of fix for bug 179494 - adds “use Bugzilla::Util” and removes “&::” from before “trim” per bbaetz.
  • Bug 179494 - prevents Bugzilla from thinking users have changed flags when they haven’t.
  • Bug 180544 - prevents display of requestee field for generally requestable fields.

2.16 & 2.14 Branch Checkins Since the Last Status Update

The following is a list of specific bugs fixed (and their checkin messages) since the last Bugzilla status report. It is ordered by the checkin date, as ordered by Bonsai. It includes checkins on the 2.14 and 2.16 branches from 11/17/2002 to 01/02/2003. This list was generated by filtering Bonsai’s output on that query (contains both branches).

Bold italic bugs are security-sensitive bugs.

Checkins made without reference to any specific bugs:

  • Versions numbers were bumped and release notes updated for both branches

Checkin manifest:

  • Bug 186383 - Checksetup leaves editor backups of localconfig accessible
  • Bug 183188 - collectstats.pl no longer makes data/mining world-readable
  • Bug 179329 - filter quips in “show all the quips” for HTML
02. January 2003

Bugzilla 2.16.2, 2.17.3 Released

by Bugzilla Team

The Bugzilla Team is pleased to announce the release of the Bugzilla 2.17.3 developer snapshot. For details on the newest features and bugfixes, see the new status update.

Also released today is Bugzilla 2.16.2. 2.16.2 is the latest stable Bugzilla release, and fixes two security bugs in Bugzilla 2.16.1. Read the security advisory below for details.

02. January 2003

Bugzilla 2.14.5 to be the last 2.14 release

by Bugzilla Team

The Bugzilla Team has released Bugzilla 2.14.5 today to address two security issues which were recently discovered. As we’ve been warning for the last several months, we are no longer supporting the 2.14 branch as of the end of 2002, so this release marks the last for the 2.14 line. All sites who haven’t already done so are strongly encouraged to upgrade to 2.16.2 so you can continue to receive security updates.