Blog

Want to always keep up-to-date with Bugzilla news? Subscribe to announce@bugzilla.org, a read-only mailing list where we'll post announcements about new versions of Bugzilla and security advisories.

You can also see what's going on in the project by looking at the notes of, or watching the video of, our monthly developer meetings.

03. March 2002

New Guides available and another status update

by Bugzilla Team

We’ve added a Developers’ Guide and a Reviewers’ Guide to our “Developer Resources” page to assist those interested in getting involved to get to know how we do things.

We also have a long awaited status update to explain why we still haven’t released Bugzilla 2.16.

13. February 2002

Bugzilla Status Update

by Zach Lipton (zach)

Introduction

It is clear at this point that we will not make our goal of February 15th for the 2.16 release. However, the Bugzilla tree is now frozen and is only accepting bugs that have been targeted as 2.16 blockers, and things are moving quickly now, so it looks reasonable that we won’t have to delay again beyond March 1st, and will probably release sooner if the right things fall into place before then.

Highly Misleading & Meaningless Statistics

| Date | 2.16 Bugs With Patches Waiting For Review | 2.16 Bugs Waiting For Patches | 2.16 Release Blockers | 2.18 Bugs | Other Bugs |
|---|---|---|---|---|---|
| 2001-10-19 | 112 bugs | 329 bugs | | 36 bugs | 299 bugs |
| 2002-01-18 | 49 bugs | 61 bugs | 34 bugs | 459 bugs | 337 bugs |
| 2002-02-11 | 34 bugs | 35 bugs | 27 bugs | 477 bugs | 396 bugs |
| 2002-02-13 | 24 bugs | 21 bugs | 23 bugs | 481 bugs | 405 bugs |

New Committer

Bugzilla welcomes Christian Reis (kiko, as he is known on #mozwebtools, irc.mozilla.org) as Bugzilla’s latest cvs committer. Kiko is looking forward to squashing even more new bugs and making the 2.16 release great.

Templatisation Update

Bugzilla Templatisation is well underway. There are currently 8 user-visible cgi’s or html pages left to templatize, all but one of which are undergoing review.

Bugs relevant to the templating process that are still outstanding are:

Other bugs about templates in Bugzilla:

  • Bug 98658 - Let administrator know which customised templates have been updated by Bugzilla team
  • Bug 97832 - turn on template pre-compilation
  • Bug 106612 - All the files *.html files currently in the main directory

2.16 Goals

The current goals for our 2.16 release are still:

  • HTML 4.01 Transitional compliance.
  • Templatization of all customer-visible CGI pages, to allow easy customization by the administrator (8 bugs remain)
  • Allow users to change their own email addresses, instead of having to bug the site admin (using verification emails sent to both the old and new addresses to validate the change) (awaiting review)
  • Remove old attachment code in favor of the new attachment tracker system. (complete)
  • Enable Perl’s taint mode for all user accessible files, and taint-check anything being sent to the database. (complete)

Note that the “complete redesign of the schema related to security groups to eliminate the “funky groupset math” and allow more than 55 bug groups to be created” has been pushed to early 2.18.

For a more up to date list, see the roadmap. Also, the current list of open bugs that are considered release blockers can be found in this buglist.

Upcoming Major Features

Major new features are being worked on. Some of these will appear in 2.16. If you would like to know when we plan on adding one of these features, you can get that information from the bug requesting its implementation. These include:

  • PostgreSQL support. (Bug 98304)
  • Ability to have more than 55 groups, which will also allow a finer grained rights system to be introduced. (Bug 68022)
  • Ability to add generic customized fields to bugs (Bug 91037)
  • Customised resolutions, that allow adding, removing, deactivating and renaming of resolutions. (Bug 94534)
  • Expanding the e-mail preferences to allow watching components, keywords, etc. (Bug 73665)
  • Request tracker, for managing requests to change things about bugs. (Bug 98801)
  • Use template pages instead of hard-coding the HTML into the perl. (Bug 86168)
  • mod_perl support. (Bug 87406)
  • New makefile-based installation system (Bug 104660, Bug 105854, Bug 105855, and Bug 105856)

Checkins Since the Last Status Update

Get this list from Bonsai

  • Bug 124869 - Conversion script to import bugs from Jitterbug into Bugzilla contributed by Tom Emerson placed in the contrib folder
  • Bug 97471 - The assignee and qa contact should always be able to see their bugs
  • Bug 100094 - use generic template handling code
  • Bug 99024 - checksetup was not giving proper permissions to the contents of the template directory. This patch also adds an .htaccess file that blocks access to the template folder by the web server.
  • Bug 120756 - Moving JS to beginning of file to avoid IE warnings.
  • Bug 97966 - Changing the product in the query page would remove your component, version, and milestone selections
  • Bug 122897 - Comments entered on the bug form are now added to the bug before it is closed and moved when moving a bug to another Bugzilla install
  • Bug 119005 - The instructions in editgroups.cgi incorrectly state that you can’t use spaces in a group name. You in fact can.
  • Bug 117055 - Emails were being truncated if they contained a line with nothing but a period on them
  • Bug 119755 - strictvaluechecks should always be enabled
  • Bug 122418 - obsoleting a patch from the create attachment screen gave a taint error
  • Bug 122418 - setting attachment status fails taint checks
  • Bug 110012 - show_bug.cgi templatisation
  • Bug 87398 - checksetup.pl should warn if not run as root
  • Bug 95732 and Bug 58242 - Remove logincookies.cryptpassword, and invalidate cookies from the db when required instead
  • Bug 14461 - QA contact is no longer required
  • Bug 121747 - Stops every script before it does anything else if Bugzilla is currently shut down
  • Bug 98021 - Cleans up “edit attachment” interface on NS4.x by removing text of buttons that do not work in that browser
  • Bug 122154 - Eliminate the use of the “usetms” Javascript cache variable
  • Bug 109138 - platform detection not working on macintosh
  • Bug 122744 - Charting fails taint checks
  • Bug 122636 - Templatise colchange.cgi
  • Bug 122589 - Update gnats conversion script to newer schema of 2.14
  • Bug 104521 - Removes old attachment interface in favor of new attachment tracker
  • Bug 122154 - change arrays to numeric, and clean up query.atml js
  • Bug 117509 - createaccount.cgi templatisation.
  • Bug 121735 - Perl warning running checksetup.pl if a module has a non-numeric version number
  • Bug 117759 - quips.cgi rewrite and templatisation
  • Bug 93037 - use YYYY-MM-DD HH:MM formatting for attachment dates
  • Bug 120543 - Software error when entering a bug when not logged in & only one product
  • Bug 121074 - taint error after changing bug
  • Bug 98368 - dbi connect doesn’t use db_port option
  • Bug 121170 - template outputs empty <style> tag
  • Bug 113438 - The DTD from Bugzilla’s XML output was not correct, so any attempts to validate the output were futile
  • Bug 108982 - enable taint mode for all user-facing CGI files
  • Update of documentation
  • Bug 120817 - Log Out and %commandmenu% in bannerhtml
  • Bug 119060 - Use of Template.pm filters for url and html encoding

13. February 2002

Final Countdown to Bugzilla 2.16

by Bugzilla Team

We’ve finally entered our final countdown to the Bugzilla 2.16 release. Read all about it in our latest status update.

18. January 2002

Bugzilla Status Update

by Jacob Steenhagen (jake)

Introduction

It’s been a while since the previous (AKA, first) status update, so this one will be a bit longer than may be considered ideal. As you are probably aware, the 2.16 release of Bugzilla hasn’t happened yet. We are working hard at making this release a reality, but the members of the core team have been very busy lately with other endeavors (rumor has it that some of us have a life :). As of this writing, the goal is to freeze the tree on Saturday, February 2, 2002 with a release happening on Saturday, February 16.

Highly Misleading & Meaningless Statistics

| Date | 2.16 Bugs With Patches Waiting For Review | 2.16 Bugs Waiting For Patches | 2.16 Release Blockers | 2.18 Bugs | Other Bugs |
|---|---|---|---|---|---|
| 2001-10-19 | 112 bugs | 329 bugs | | 36 bugs | 299 bugs |
| 2002-01-18 | 49 bugs | 61 bugs | 34 bugs | 459 bugs | 337 bugs |

The 2.14.1 Release

During the time that the trunk was open for 2.15 development, the decision was made that in order to provide better security, all .cgi files should run in taint mode. As of the 2.14 release, only processmail ran in taint mode. In the process of turning on taint mode in the perl files and for anything entering the database, there were numerous security holes discovered, some of which allowed you to masquerade as another user, while others allowed you to glean information about secure bugs. It was decided that these holes were of a high enough severity to backport the patches to 2.14 and put out an interim release rather than wait for 2.16 to come out. More specific information can be found in the 2.14.1 Release Notes.

Please note that 2.14.1 does not run in taint mode. Also, the goal for 2.16 is to have all the user accessible files running in taint mode (basically, anything that doesn’t start with edit).

Templatisation

For better or for worse, templatisation of all user visible .cgi’s is now a 2.16 release goal. The “better” part is that it makes customizing the look and feel of the front end much easier as you only have to change the template, you don’t have to change any of the perl code. The “worse” is that it’s a lot of work and probably one of the main reasons for the constant delays of 2.16.

The minimum version of the Template Toolkit was recently increased to be 2.06 instead of 2.01. This is because there were certain features that required this newer version that we wanted to take advantage of in Bugzilla. See bug 120081 for more information.

The Template Toolkit is available from their web page. If you use linux, you can also get the module from CPAN. Instructions for using PPM on win32 are available from their web page.

Bugs relevant to the templating process that are still outstanding are:

2.16 Goals

The goals for our 2.16 release have changed since the last status update. When that update was written, the goal was to have no patches sitting around bit-rotting. It was determined that while this is an admirable goal, there were other things that Bugzilla needed more, such as the aforementioned templates. Reducing the patch queue and accepting submissions from non-core developers is an ongoing goal for the Bugzilla development team, but we are constantly faced with the difficult decision of how to manage what little time we have to work on this project.

The current goals for our 2.16 release are:

  • HTML 4.01 Transitional compliance.
  • Templatization of all customer-visible CGI pages, to allow easy customization by the administrator
  • Allow users to change their own email addresses, instead of having to bug the site admin (using verification emails sent to both the old and new addresses to validate the change)
  • Complete redesign of the schema related to security groups to eliminate the “funky groupset math” and allow more than 55 bug groups to be created.
  • Remove old attachment code in favor of the new attachment tracker system.
  • Enable Perl’s taint mode for all user accessible files, and taint-check anything being sent to the database.

For a more up to date list, see the roadmap. Also, the current list of open bugs that are considered release blockers can be found in this buglist.

Contributions

There are many ways you can help the Bugzilla team.

  • Patches to Fix Bugs/Implement New Features. These are very welcome, especially if they are targeted for the 2.16 milestone! They need to be appropriately generic for all Bugzilla installations and conform to our other requirements (see the hackers’ guide) before they can appear in CVS, but if you don’t wish to do this, anything is better than nothing, and we can use your work as a base.
  • New documentation. If you think you can help with the documentation for Bugzilla, please contact Matthew Barnson.
  • Testing. Search for bugs in the Bugzilla software, as well as trying out pending patches in the bug system.
  • Review. If you have experience with Perl and Bugzilla code, it would be very useful if you look over pending patches in the bug system and see if there are any problems with them. Generally we expect reviewers to have submitted some patches first so we can evaluate their ability. If you fit into this category, please contact Dave Miller about this.
  • Automatic Problem Finding. If you have ideas for automatically detecting problems, please let the team know by filing a bug in the Testing Suite component.

The Bugzilla team mainly communicates through the IRC channel #mozwebtools on irc.mozilla.org. All are welcome on this channel, whether you are an administrator of a Bugzilla installation or wish to contribute. The more the merrier.

Upcoming Major Features

Major new features are being worked on. Some of these will appear in 2.16. If you would like to know when we plan on adding one of these features, you can get that information from the bug requesting its implementation. These include:

  • PostgreSQL support. (Bug 98304)
  • Ability to have more than 55 groups, which will also allow a finer grained rights system to be introduced. (Bug 68022)
  • Customised resolutions, that allow adding, removing, deactivating and renaming of resolutions. (Bug 94534)
  • Expanding the e-mail preferences to allow watching components, keywords, etc. (Bug 73665)
  • Request tracker, for managing requests to change things about bugs. (Bug 98801)
  • Use template pages instead of hard-coding the HTML into the perl. (Bug 86168)
  • mod_perl support. (Bug 87406)

Checkins Since the Last Status Update

Get this list from Bonsai

  • Bug 73180 - Put a notice in the versioncache file stating that it’s automatically generated
  • Bug 104340 - Change the UI for the toolbar that allows bugs to be hidden in the dependency tree
  • Bug 105480 - Use the friendly name from the fielddefs table when reporting strictvalue errors if it’s available
  • Bug 71840 - Make comments referenceable using a #c4 to get the fourth comment
  • Bug 63249 - The Bug Counts report was running very slowly due to unneeded fields/joins in the SQL query
  • Bug 97469 - Fixed the mail handling code to allow “extra” people that can see a restricted bug to get e-mail about it
  • Bug 95024 - Fixed the query code to allow “extra” people see their bugs in a buglist
  • Bug 101560 - BASH_ENV was causing processmail grief if it existed, due to taint mode
  • Bug 106315 - Added a link to the bottom of a buglist to send e-mail to all QA Contacts contained in that buglist
  • Bug 104065 - Stop uninitialized string warnings from getting into the error log when the login cookie doesn’t exist
  • Bug 98602 - Completely redesigned the Create Attachment page
  • Bug 81594 - SQL error after editing user entry when changing numerous things at once
  • Bug 150879 - Footer links have an extra | by Sanity Check
  • Bug 96675 - checksetup.pl should require admin e-mail address satisfy emailregexp
  • Bug 95615 - cosmetic change to clarify error message when trying to use too many votes
  • Bug 105773 - Email addresses in the CC list are now sorted case-insensitively
  • Bug 107718 - Do bit fiddling instead of adding groupsets from the first bug to prevent problems with mass changes
  • Bug 107672 - All new regular expressions for determining what browser/os is being used
  • *Bug 108516 - Stopped trusting the hidden form value from enter_bug.cgi to determine who is filing the bug
  • *Bug 108385 - Stopped trusting the hidden value from the bug form when adding a comment to the database.
  • Bug 108547 - Use proper DOM code on the edit attachment page
  • Bug 101166 - Allow “extra” people to see that the bug is in a group
  • *Bug 108812 - Prevent users from running queries containing arbitrary SQL
  • *Bug 108821 - Prevent users with blessgroupset privileges from blessing any group set
  • *Bug 108822 - Prevent any user from changing their own groupset
  • Bug 104652 - Duplicate bugs in the dependency tree now get marked with the message “This bug appears elsewhere in this tree.” so users know why the bug does not appear to have dependencies
  • Bug 99519 - timestamps were not being set correctly in the activity table in some situations, and the delta_ts on the bug itself was not always being updated if dependencies or CCs changed
  • Bug 109048 - Fixed error when creating attachments without logging in
  • Bug 109138 - Fixed a problem where Bugzilla didn’t detect Macs
  • *Bug 109690 - Verify that all bugs passed to longlist.cgi are valid
  • Bug 86300 - Don’t link to bugs that do not exist. Also, cache the results of the GetBugLink()
  • Bug 99518 - Added license header to all templates
  • Bug 98110 - Make the attachment change page look like the bug changed page
  • Bug 6419 - Tools that can be used to generate Bugzilla queries on the command line were added to the contrib/ directory
  • Bug 101560 - Cleared some more environment variables that caused issues when running in Taint mode
  • Bug 104667 - Votes field (text style) on showvotes.cgi defaults to size 5, not natural size and doesn’t include a maxlength attribute
  • Bug 12284 - allow user to specify which columns to display in a bug list
  • Bug 92500 - Line-feeds were not being properly converted when submitting parameter changes with some Mac browsers
  • Bug 107120 - Make the header template generate valid HTML 4.01 Transitional
  • Bug 107120 - After entering a new bug, the link offering to add an attachment to the bug you just created pointed at the old attachment form instead of the new one
  • Bug 100788 - enter_bug.cgi wasn’t correctly interpreting whether or not a partial URL needed an http:// added to the front of it
  • Bug 105812 - The footer link for editing Products was incorrectly labeled as Components
  • Bug 98707 - Complete redesign of the query page
  • Bug 109240 - Fixed a regression that caused a really long line in e-mail
  • *Bug 102141 - The Product select box now only shows products the user has access to (and the product the bug is in, if the user is viewing it because of some other override)
  • Bug 93754 - Individual keywords can be linked to on the describe keywords page by using HTML anchors
  • Bug 99864 - consistent use of “product” vs “program”
  • Bug 104261 - Made sure all files that use templates look inside the custom directory first
  • Bug 61634 - explain what “Milestone URL” is on the editproducts page
  • Bug 109530 - Fixed Bug.pm so it doesn’t quote xml characters until it’s asked to output xml (instead of doing it both ways)
  • Bug 101875 - Put the product column before the component column rather than after
  • Bug 109802 - Make it clear how to enter mysql passwords with special characters into localconfig
  • Bug 108312 - The mid-air collision page was only showing the most recent changes if two people committed changes to a bug while you were viewing it.
  • Bug 54901 - If you were using LDAP authentication it would let you log in as anyone if you left the password blank
  • Bug 37339 - Added a sidebar for Mozilla based browsers that contains the saved queries from the page footer
  • Bug 80183 - Make the index page use a template and contain the normal page footer
  • Bug 102487 - Check for lack of comments and warn before checking to see if the product has changed
  • Bug 113646 - An error would occur if there was a midair collision and the assignee was being changed
  • Bug 98080 - If attachment.cgi is run without any params, it will now prompt for the attachment number
  • Bug 97784 - Wrap comments properly on “edit attachment” page
  • *Bug 109679 - It was possible to send arbitrary SQL to buglist.cgi by altering the HTML form before submitting
  • Bug 113975 - Changing only cc on mass change page incorrectly gives an error that you didn’t select anything to change
  • Bug 113383 - Add a link to the dependent bug in emails about a dependent bug changing state
  • Bug 99608 - Dependency mails are no longer sent if the dependent bug can’t be seen by the would-be recipient of the email
  • Bug 120081 - Bugzilla now requires version 2.06 of the Template Toolkit

Bugs with an asterisk (*) next to them were also checked into the 2.14.1 branch

05. January 2002

Bugzilla 2.14.1 Released!

by Bugzilla Team

Bugzilla 2.14.1 is now available for download. For details of upgrade options and download locations see the downloads page.

If you already have a version of Bugzilla 2.15 that was checked out of CVS, please DO NOT DOWNLOAD THIS VERSION, but use cvs update to pull in these fixes. Bugzilla 2.14.1 does not contain most of the code currently in CVS, but is only patches that have been back-ported to the 2.14 code base in order to seal security holes that were too important to wait until we finish 2.16. If you have version 2.15 from CVS and have updated later than January 3, 2002, you already have all of these security fixes.

View the release notes and the security advisory.

For changes between 2.14 and 2.14.1, view the Bugzilla changelog.

01. January 2002

Bugzilla 2.16 is still in progress

by Bugzilla Team

We’ve now missed more than one target trying to complete Bugzilla 2.16. Based on our current progress, we’ve backed our target release date off to February 1st. We’re deeply sorry to keep everyone waiting, but we’d rather have it done right than rushed, and several of us have been short on time lately. If you can assist with any coding for the remaining blockers, feel free to submit patches to the bugs in question. See the Master Plan page for a link to those bugs.

19. November 2001

Master Plan updated

by Bugzilla Team

The Master Plan page has finally been updated to reflect reality :)

19. October 2001

Bugzilla Status Update

by Matthew Tuck (codemachine)

Introduction

This is the first in a (hopefully) regular series of status updates about the progress of Bugzilla development. The aim is to let people know about upcoming versions of Bugzilla, so they can better prepare for new features, as well as to raise any concerns about them before they leave CVS and become a stable tarball.

Highly Misleading & Meaningless Statistics

| Date | 2.16 Bugs With Patches Waiting For Review | 2.16 Bugs Waiting For Patches | 2.18 Bugs | Other Bugs |
|---|---|---|---|---|
| 2001-10-19 | 112 bugs | 329 bugs | 36 bugs | 299 bugs |

The 2.14 Release

The 2.14 release went relatively smoothly, after some last minute bu … err hitches were encountered on bugzilla.mozilla.org. This site, for those that don’t know, was the original installation of Bugzilla and is the “shakedown” site for the CVS code when there are no known non-documentation release blockers.

Inevitably release blockers are found when this occurs, and there were blockers for 2.14 just as there were for 2.12. However, the actual release process went relatively smoothly this time around. The process includes updating web pages, preparing release announcements/security advisories, checking in the final documentation, including double checking the release notes, checking out and preparing a tarball, and so on. Generally this process occurs over the space of one frantic day.

2.14+

The first order of business after 2.14 was to introduce some of the features into CVS that were needed on bugzilla.mozilla.org, but weren’t considered necessary for the 2.14 release because their benefit/risk ratio was not high enough. Remembering that bugzilla.mozilla.org is the bug system that is used for tracking bugs in Bugzilla (as well as Mozilla), we obviously are acutely aware of these issues. These features were checked in and bugzilla.mozilla.org updated to CVS. This point was nicknamed “2.14+”.

The major part of this was the new “attachment manager”. This allows you to edit the attributes of attachments. This includes MIME types, is-patch status, the new is-obsolete status, as well as a feature that allows you to add your own “attachment statuses” to attachments. These can be thought of as to attachments what keywords are to bugs. Examples include “first-review”, “needs-work”, etc.

The checkin of the attachment manager was followed by a flurry of reporting of minor bugs and desired features to be added. These include bugs 97729, 97733, 97739, 97764, 97784, 97825, 97868, 97877, 98201, 98074, 98103, 98110, 98111, 98112, 99215, 99716, 101056, 101770, 103605, 103661 and 104521. Some of these have been since resolved, while others have not.

This also included a rewrite of the Javascript code that gets run when you add or remove products on the query page. This operation was quite slow if you had a reasonable amount of product/components and used a browser that “reflows” pages, such as Mozilla/N6, IE5+, Konqueror … (in fact basically everything except N4). The rewrite dramatically improved performance, which is now at acceptable levels on bugzilla.mozilla.org.

Unfortunately the new code turned out to regress milestone sortkeys (bug 97736) and selections on pressing the browser back button (bug 97966).

The other two patches added a summary to “dependent bug has had its status changed” e-mails, as well as fixes to properly shut down a Bugzilla installation when the syncshadowdb script is run. bugzilla.mozilla.org used this script to do backups.

Templatisation

With the introduction of the attachment manager came the start of a process that many Bugzilla administrators will surely cheer - templatisation (bug 86168). With templates, HTML is moved out of the Perl code and into separate files. Dynamically generated data is passed by Bugzilla to the templates and the result is then displayed.

This makes an administrator’s job easier, firstly, because they don’t need to know any Perl to change the user interface, and secondly, because they don’t need to make changes to their customised templates every time they upgrade.

Previously RedHat’s fork of Bugzilla supported this feature using the “Text::Template” software. However, the attachment manager uses the “Template Toolkit” software for its templates. This is because the Template Toolkit was judged to be technically superior.

Although the templates will be different, and administrators of RH Bugzilla would need to convert their templates to use mainline Bugzilla, this and other recent events indicate we may see a reunification of RH Bugzilla and mainline Bugzilla at some happy point in the future.

The introduction of the Template Toolkit brought up some issues with the software, namely that it failed install tests in certain parts of the world (now fixed) and that the CPAN package did not do proper dependency checking.

The introduction also meant that CVS Bugzilla now requires Perl 5.005 or later, as that is a template toolkit requirement. 2.14 will be the last version of Bugzilla that allows you to use 5.004.

The landing of the attachment manager brought up various issues with the template implementation, including 97721, 97832, 98658, 99024, 99518, 100089, 100092, 100094, 104261 and 104600.

It is hoped that templatisation may be complete by the end of 2.16.

Automatically Preventing Problems

One direction the team is heading is to try and be proactive in preventing problems rather than reacting to them.

During the 2.13 cycle Tinderboxen were introduced to check that Bugzilla compiled. For those not familiar with Tinderbox, it is another mozilla.org “web tool” that regularly checks a piece of software in CVS for problems.

After 2.14, a new “testing suite” has been included in CVS. Currently this checks the code for some bad “code patterns” we have encountered in the past. The testing suite does not do testing in the standard sense - the Bugzilla code currently does not have adequate separation between “back-end” and “front-end” (user interface) code to do this easily.

New checks have been suggested that will be added, but more are always welcome. See bug 97976 for more information.

Current tests are:

  • checking everything compiles, Perl and templates
  • checking no tabs are present
  • checking only the multi-parameter versions of system and exec are used
  • checking all files use -w and use strict

The testing suite is now a pre-checkin requirement - all new code must not cause problems it detects. There are currently 3 Tinderbox Clients running this test suite to catch the naughty people who checkin without running these tests.
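The source-level checks in the list above can be sketched as a small scanner. This is an added example, not the Bugzilla testing suite's own code; the function name `check_source`, the sample file names and their contents are constructed for illustration, and the system/exec detection is a line-based heuristic rather than a real Perl parser.

```perl
#!/usr/bin/perl -w
# Added illustration, not the Bugzilla testing suite itself.
use strict;

# Returns a list of findings for one source file, covering the source-level
# checks listed above (compilation itself is left to `perl -c`).
sub check_source {
    my ($src) = @_;
    my @lines = split /\n/, $src;
    my @found;

    push @found, 'no -w on the #! line'
        unless @lines && $lines[0] =~ /^#!.*\bperl\b.*\s-[A-Za-z]*w/;
    push @found, 'no "use strict"'
        unless grep { /^\s*use\s+strict\b/ } @lines;

    for my $i (0 .. $#lines) {
        my $n = $i + 1;
        push @found, "line $n: tab character" if $lines[$i] =~ /\t/;

        # Heuristic: blank out string literals and comments, then look at
        # what follows system/exec up to the end of the statement.
        (my $code = $lines[$i]) =~ s/"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'/STR/g;
        $code =~ s/#.*//;
        next unless $code =~ /(?<![\$\@%>:])\b(system|exec)\b\s*\(?([^;]*)/;
        my ($fn, $args) = ($1, $2);
        # A single scalar argument is handed to /bin/sh when it contains
        # shell metacharacters; a comma or an array means the list form.
        push @found, "line $n: single-argument $fn" unless $args =~ /[,\@]/;
    }
    return @found;
}

# Constructed sample sources; they are only scanned, never executed.
my %samples = (
    'good.cgi' => join("\n",
        '#!/usr/bin/perl -wT',
        'use strict;',
        'my @cmd = ("/usr/bin/diff", "-u", $old, $new);',
        'system(@cmd) == 0 or die "diff failed";',
        'system("/bin/gzip", "-9", $file);',
    ),
    'bad.cgi' => join("\n",
        '#!/usr/bin/perl',
        "\tmy \$file = \$ARGV[0];",
        'system("gzip -9 $file");',
        'exec "cat $file";',
    ),
);

for my $file (sort keys %samples) {
    my @found = check_source($samples{$file});
    print "$file: ", (@found ? "\n  " . join("\n  ", @found) : 'ok'), "\n";
}
```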

Another area in which problems can be automatically prevented is by using “taint mode”. Taint mode is about ensuring data from an untrusted source (such as the user) must be properly checked before being used to influence something else (such as the database). Its intention is to make it harder to introduce security holes into the product where data is not properly checked or escaped. It is a goal to get all of Bugzilla to use taint mode.

Currently, only “processmail” runs in taint mode.
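What taint mode enforces can be seen in a short script. This is an added example, not code from Bugzilla; `untaint_bug_id` and `bug_query` are hypothetical helpers, the table and column names in the SQL string are illustrative, and the input values are constructed stand-ins for a CGI parameter.

```perl
#!/usr/bin/perl -T
# Added illustration, not Bugzilla code. Run it as:  perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T perl will not spawn child processes while these are inherited
# from the caller (Bug 101560 on this page was BASH_ENV doing that to
# processmail), so a taint-mode script clears them first.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/bin:/usr/bin';

# Zero-length but tainted: appending it marks a constructed literal as if it
# had arrived from the browser.
my $TAINT = substr($^X, 0, 0);

# Hypothetical validator: a successful regex capture is how Perl lets
# checked data shed its taint, so the pattern must be as strict as the field.
sub untaint_bug_id {
    my ($raw) = @_;
    return unless defined $raw && $raw =~ /\A([0-9]{1,9})\z/;
    return $1;
}

# Hypothetical database-facing sink that refuses anything still tainted.
# Table and column names are illustrative.
sub bug_query {
    my ($bug_id) = @_;
    die "tainted value reached the database layer\n" if tainted($bug_id);
    return ('SELECT short_desc FROM bugs WHERE bug_id = ?', $bug_id);
}

# Constructed stand-ins for a CGI "id" parameter.
for my $literal ('1234', '42 OR 1=1', '12a', '') {
    my $param = $literal . $TAINT;
    my $id    = untaint_bug_id($param);
    if (defined $id) {
        my ($sql, @bind) = bug_query($id);
        print "accepted '$literal': $sql [@bind]\n";
    } else {
        print "rejected '$literal'\n";
    }
    # Skipping validation is caught at the sink rather than going unnoticed.
    print "  unvalidated use: $@" unless eval { bug_query($param); 1 };
}

# Perl applies the same rule to its own built-ins: a tainted name cannot be
# opened for writing, so this dies before any file is created.
my $name = 'report-1234.txt' . $TAINT;
eval { open(my $fh, '>', $name) or die "open failed: $!\n"; 1 }
    or print "perl refused: $@";
```

Because `-T` is on the `#!` line, the script has to be started with `perl -T` or executed directly; plain `perl taint_demo.pl` is refused by the interpreter.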

Hackers’ Guide

To encourage others to contribute code towards Bugzilla, a “hackers’ guide” has been incorporated into the Bugzilla Guide that comes with every copy of Bugzilla.

The aim is to quickly explain everything a developer needs to know about contributing code to Bugzilla. This includes both the things we require (eg the avoidance of certain features) and prefer (eg style issues).

The document is still in its infancy and it may take some time for all of the conventions and rules of Bugzilla development to be compiled, but it should still be useful in its incomplete state. Suggestions are welcome.

As such it is recommended you consult the online version rather than the one shipped with the 2.14 tarball, as it is out of date.

_Editor's note: the Hacker's Guide is no longer in the Bugzilla guide, but on the Bugzilla website, renamed as the Developers Guide. The link above will take you to the new Developers Guide instead._

Product Move

The Bugzilla team felt that having a component in the Webtools product on mozilla.org was too limiting and it would be better to move into a Bugzilla product. Bugzilla has expanded a lot faster than any of the other mozilla.org web tools (such as Bonsai and Tinderbox), both in amount of code and number of developers.

While it may have seemed reasonable to have only a Bugzilla component in the beginning, that no longer is the case. The new product means we can have different Bugzilla components with different default owners, as well as 10 new votes solely for Bugzilla (as opposed to all the web tools), as it should be.

Once the product was created the work began moving the open bugs to the correct component. This has now been completed, and around 800 open bug reports were moved.

It was decided that the resolved bugs would be all moved to the “Bugzilla-General” component, as there were too many to worry about sorting them into their components. At the same time, we took the opportunity to piggyback an update of the assignee and QA fields on some of the bugs, because emails were already going to be sent out about these bugs.

Because of this, lack of sleep and the long neglected bug 30731 combined to cause an unfortunate incident where 151 resolved bugs got reopened. This resulted in much grumbling, and a fix being checked in. This caused special problems for bugs marked DUPLICATE, so related bugs 91808 and 97971 also received attention.

2.16 Goals

A message was posted to the webtools mailing list/newsgroup regarding the goals for the 2.16 release. This goes into detail about the two main goals which are (slightly simplified):

  • no known bugs
  • no pending patches

See the message for more details. Other goals that may be dropped include fully working on Win32, all files running in taint mode, full templatisation and fully valid HTML 4.01 output.

Review Day

The first “review day” was held on the 5th of October. The idea of review day was that developers would not develop but instead help to review some of the patches waiting for review and check in.

The results were:

  • 9 positive reviews.
  • 3 negative reviews.
  • 5 checkins.
  • The patch queue size went from approximately 124 to 111.

Another review day was held on the 12th of October, but we forgot to keep track of the stats for it. However, during that preceding week, the patch queue size reduced to around 99. At the time of writing, it was back up. Hopefully further review days can result in bouncing the patch queue size off zero.

Contributions

There are many ways you can help the Bugzilla team.

  • Patches to Fix Bugs/Implement New Features. These are very welcome, especially if they are targeted for the 2.16 milestone! They need to be appropriately generic for all Bugzilla installations and conform to our other requirements (see the hackers’ guide) before they can appear in CVS, but if you don’t wish to do this, anything is better than nothing, and we can use your work as a base.
  • New documentation. If you think you can help with the documentation for Bugzilla, please contact Matthew Barnson.
  • Testing. Search for bugs in the Bugzilla software, as well as trying out pending patches in the bug system.
  • Review. If you have experience with Perl and Bugzilla code, it would be very useful if you looked over pending patches in the bug system to see if there are any problems with them. As dealing with all pending patches is a 2.16 goal, review and testing of them is especially important. Generally we expect reviewers to have submitted some patches first so we can evaluate their ability. If you fit into this category, please contact Dave Miller about this.
  • Automatic Problem Finding. If you have ideas for automatically detecting problems, please let the team know by filing a bug in the Testing Suite component.

The Bugzilla team mainly communicates through the IRC channel #mozwebtools on irc.mozilla.org. All are welcome on this channel, whether you are an administrator of a Bugzilla installation or wish to contribute. The more the merrier.

Upcoming Major Features

Major new features are being worked on that will likely appear in 2.16. These include:

  • PostgreSQL support. (Bug 98304)
  • Ability to have more than 55 groups, which will also allow a finer grained rights system to be introduced. (Bug 68022)
  • Customised resolutions, that allow adding, removing, deactivating and renaming of resolutions. (Bug 94534)
  • Expanding the e-mail preferences to allow watching components, keywords, etc. (Bug 73665)
  • Request tracker, for managing requests to change things about bugs. (Bug 98801)

Checkins Since 2.14

  • Bug 8647 - Added option to sort by last change date directly to the query page (query.cgi).
  • Bug 19910 - Added ‘cookiepath’ parameter for when you have multiple installations at one address, to keep the cookies separate.
  • Bug 27420 - Added extra space to the Component and Target Milestone fields in the long list display of bugs (long_list.cgi).
  • Bug 28736 - Added summary to dependency status change notification mails (processmail).
  • Bug 30480 - Added ‘show dependencies as buglist’ links to the dependency tree (dependencytree.cgi).
  • Bug 30597 - Made Votes field on the query page more consistent with the rest of the page (query.cgi).
  • Bug 30731 - Prevented the status being set to NEW when reassigning non-open bugs on the mass change page (process_bug.cgi).
  • Bug 42337 - Added the usual red box for errors when uploading attachments (createattachment.cgi).
  • Bug 42810 - Made apostrophes work in product names.
  • Bug 46935 - Fixed a typo on the ‘headerhtml’ parameter description that implied it could contain ‘%commandmenu%’ (defparams.pl).
  • Bug 51519 - Made links to index on the admin edit users page point to ‘.’ instead of ‘index.html’, to handle customised bases (editusers.cgi).
  • Bug 51521 - Fixed bad HTML on the user permissions page (userprefs.cgi).
  • Bug 52577 - Added Mac OS X to the default operating systems (checksetup.pl).
  • Bug 52782 - Made ‘whineatnews.pl’ email use the ‘sendmailnow’ parameter. This is needed for mail agents other than sendmail.
  • Bug 52885 - Made automatic radio selection for the reassignment action not trigger if the new text is same as original owner or empty (show_bug.cgi).
  • Bug 53612 - Made the milestone URL appear correctly when deleting a product or a component (editproducts.cgi and editcomponents.cgi).
  • Bug 55630 - Added email suffix to the users’ account creation page (createaccount.cgi).
  • Bug 57819 - Pruned down large SQL error strings.
  • Bug 57821 - Prevented an empty regular expression from causing a software error when searching for users (editusers.cgi).
  • Bug 58436 - Fixed Javascript warnings on the query page (query.cgi).
  • Bug 65164 - Made Bugzilla send </html> at the end of its pages.
  • Bug 66651 - Included link to attachment when a notification mail is sent for an attachment creation (processmail).
  • Bug 69533 - Added HP-UX to the OS auto detection (enter_bug.cgi).
  • Bug 69616 - Made the footer not imply admins had the ability to “Edit Sanity Check”. You actually run sanity checks, not edit them.
  • Bug 71664 - Fixed sanity check so it doesn’t complain about a bad keyword cache on a bug that does not exist, as the error is detected elsewhere, and it can’t be fixed automatically like other bad keyword cache problems (sanitycheck.cgi).
  • Bug 73959 - Fixed some pages not displaying the “Show Votes” link in the footer (buglist.cgi and attachment.cgi).
  • Bug 75840 - Made ‘syncshadowdb’ shut down Bugzilla when it runs, and accept a parameter for an alternative temporary directory.
  • Bug 76161 - Made the ‘resolve as duplicate’ action not select the radio button when exiting an empty duplicate bug number field (show_bug.cgi).
  • Bug 76714 - Fixed the incorrect nesting of FORM and TABLE elements in the footer.
  • Bug 76140 - Added more referential sanity checks, plus sanity checking the existence of default milestones (sanitycheck.cgi).
  • Bug 82809 - Made comments in bugs no longer use where the linefeeds should be.
  • Bug 83058 - Added ability to hide resolved bugs and limit depth to the dependency tree (dependencytree.cgi).
  • Bug 83474 - Fixed sanity check so the tables get unlocked properly when rebuilding the keyword cache, if there were no keywords to rebuild (sanitycheck.cgi).
  • Bug 84338 - Added attachment tracker (attachment.cgi and editattachstatuses.cgi).
  • Bug 87818 - Added support for HTML tag for buglists (buglist.cgi and show_bug.cgi).
  • Bug 90333 - Made Bugzilla give an appropriate error message if a user tries to mass change when no bugs are selected to change (process_bug.cgi).
  • Bug 91486 - Added a “changed from” option to the boolean charts (query.cgi).
  • Bug 91808 - Added sanity checks to make sure the resolution is DUPLICATE if and only if there is an entry on the duplicates table (sanitycheck.cgi).
  • Bug 93006 - Made the mass change page auto-select the correct radio button (buglist.cgi).
  • Bug 93388 - Made full name be trimmed of whitespace before going into database.
  • Bug 95060 - Corrected instructions on how to vote, regarding using checkboxes as opposed to textboxes where only one vote is allowed.
  • Bug 96534 - Made performance improvements of Javascript on the query page (query.cgi).
  • Bug 96603 - Fixed a grammatical error on bug_status.html.
  • Bug 97185 - Made make_select add a newline after each option in the source.
  • Bug 97588 - Made “localconfig” mention access.conf for old Apache servers.
  • Bug 97657 - Made the sillyness sub be called defparams_pl_sillyness in defparams.pl.
  • Bug 97721 - Added check to ensure Perl is at least version 5.005, and Template Toolkit dependencies are fulfilled (checksetup.pl).
  • Bug 97764 - Made the attachment tracker not send mail to people about their own changes who didn’t want to receive their own changes.
  • Bug 97784 - Made comments in attachment update form get properly word-wrapped (server side).
  • Bug 97877 - Made the changed* operators work for attachment statuses on the boolean charts (query.cgi).
  • Bug 97971 - Added sanity checks to check that there is a non-open status if and only if there is a resolution, the status is UNCONFIRMED only if everconfirmed is 0, and that bugs that have enough votes to be confirmed have been.
  • Bug 97976 - Testing suite. Partial checkins.
  • Bug 98074 - Made the attachment tracker properly HTML escape bug titles.
  • Bug 98095 - Made importxml.pl pass tests in the testing suite.
  • Bug 98146 - Made doeditvotes.cgi give a safer error message if login information is bad.
  • Bug 98468 - Made the default “emailregexp” parameter not accept blank emails.
  • Bug 99465 - Added FreeBSD to the OS auto detection (enter_bug.cgi).
  • Bug 99716 - Made query for “attachment is obsolete” and on attachment status work.
  • Bug 100490 - Made QuickSearch give a better error message when Javascript is off.
  • Bug 101056 - Prevented incorrect error messages when editing an attachment if you needed to log in first.
  • Bug 101659 - Added email suffix (where applicable) to the component owner mailto tag.
  • Bug 102032 - Fixed test errors and warnings in CVS.
  • Bug 103121 - Made editusers.cgi include ‘add user’ links.
  • Bug 103554 - Made the HTML generated by the PutHeader and GetCommandMenu subroutines validate as HTML 4.01.
  • Bug 103592 - Made email addresses that are longer than 30 characters be truncated in the bug list, to reduce column size.
  • Bug 104105 - Made a cosmetic change to the login page to make it obvious that you can create an account.
  • Bug 104117 - Fixed the edit keywords (editkeywords.cgi) link on footer broken as a result of the fix for bug 103554.
  • Bug 104180 - Made &nbsp; not be used in the URL for a saved query with a space. It should only be used in the display of the query.
  • Bug 104247 - Made colours in bug lists work again (buglist.cgi).
  • Bug 104516 - Removed all TAB characters from source code.

18. October 2001

Website Redesigned

by Bugzilla Team

In an effort to provide better communication about just what’s going on, and to make Bugzilla more accessible, we’ve redesigned the Bugzilla project pages to try to make the information more useful and help people find things.

One of the major new features of the site is the Status Updates section, which contains a (pretty lengthy) discussion of everything that’s gone into Bugzilla so far since version 2.14 was released. This will be a regularly updated column with a new update every week or two (so they won’t all be as lengthy as the first one).

Like our new logo in the header above? I don’t, but I’m a crappy artist, and we have yet to have anything else submitted. If you have an idea for our logo, please visit bug 100095.

29. August 2001

Bugzilla 2.14 Released!

by Bugzilla Team

The Bugzilla team has been hard at work to bring you Bugzilla 2.14, which offers many new improvements, including upgrades to the security group system, the death of oldemailtech, and the addition of an “X-Bugzilla-Reason” header in bug mail, which users can use to filter bug mail into folders depending on whether they are the assignee, cc, qa contact, etc…

View the release notes and the security advisory.

For changes between 2.12 and 2.14, view the Bugzilla changelog.