Apache switching to Scarab

Gervase Markham gerv at mozilla.org
Fri Jul 25 07:06:12 UTC 2003


Myk Melez wrote:
> Apache seems to want to switch to Scarab from Bugzilla.  Anyone have a 
> connection there who can find out why?  If it's for the wrong reasons, 
> we should correct them.  If it's for good reasons, we should find out, 
> as it might help us make Bugzilla better (or at least understand the 
> needs out there more).

There's one main reason - the lovable Jon Scott Stevens, a Scarab lead 
developer and occasional troll in n.p.m.webtools, is an Apache 
Foundation member.

I had an email exchange with him a while ago on this exact matter. See 
below. While Jon's comments aren't particularly constructive (and I'm 
afraid I rose to his bait), the reply from Pier Fumagalli, their admin, 
is more enlightening.

Basically, they are set on using Scarab, and we probably won't be able 
to change their minds. The reasons are:

- apache.org once got hacked via an insecure Bugzilla
- Jon, lead developer on Scarab, is a member of the ASF
- None of them understand Perl
- They can get changes made quicker because the people are closer to
   them

As a sidenote, Scarab is still in beta, 18 months after the original 
beta release. The wisdom of the Loginataka says:

"The Rite of the Rewrite is not the only Path to Mastery, but it is 
perhaps the highest and most Sacred of all Paths. Few indeed are those 
who, travelling it, have crossed the dark and yawning Abyss of 
Implementation to Delivery. Many, yea, many in truth stagnate yet in the 
Desert of Delay, or linger ever in the ghastly limbo called Perpetual Beta."
http://www.catb.org/~esr/faqs/loginataka.html

Gerv



-------- Original Message --------
Subject: ASF's Bugzilla
Date: Thu, 06 Feb 2003 07:47:36 +0000
From: Gervase Markham <gerv at mozilla.org>
Organization: mozilla.org
To: bugzilla at apache.org

Hi,

I am writing a presentation on "Advanced Bugzilla Use" for FOSDEM
(http://www.fosdem.org) and was looking around the Bugzillas of a number
of high-profile organisations. I noticed a couple of things about your
Bugzilla.

- You are using 2.14.2. You may know that the 2.14 branch of Bugzilla
became unsupported as of the New Year (this fact was widely trailed for
a long time and advertised on the announce list and the Bugzilla status
updates.)

- You are evaluating Scarab as a possible next-generation bug tracker.

I would be interested to know what deficiencies you found in Bugzilla
which made you think that moving to Scarab would be necessary? We'd very
much like to know, because then we may be able to rectify them - for
other people, even if not for you :-) Forgive me if you've already filed
them in our Bugzilla instance - I haven't noticed them.

But, notwithstanding that, Bugzilla has made great leaps and bounds in
features and usability since 2.14 was released nearly 18 months ago. We
try very hard to make upgrading a painless process, and you do not seem
to have customised your Bugzilla to a great extent, so upgrading should
be fine. Even if you are evaluating another tracker in the long term,
given that 2.14 is no longer supported, would you consider an upgrade? I
would be happy to assist with this process.

Please let me know if I can help you in any way.

Gerv



-------- Original Message --------
Subject: Re: ASF's Bugzilla
Date: Thu, 06 Feb 2003 19:30:55 -0800
From: Jon Scott Stevens <jon at latchkey.com>
To: Pier Fumagalli <pier at apache.org>, Gervase Markham <gerv at mozilla.org>

LOL!

     http://mozilla.org/projects/bugzilla/security/2.16.1/

=)

-jon



-------- Original Message --------
Subject: Re: ASF's Bugzilla
Date: Fri, 07 Feb 2003 08:22:05 +0000
From: Gervase Markham <gerv at mozilla.org>
Organization: mozilla.org
To: Jon Scott Stevens <jon at latchkey.com>
CC: Pier Fumagalli <pier at apache.org>
References: <BA68686F.4DE4D%jon at latchkey.com>

Jon Scott Stevens wrote:
 > LOL!
 >
 >     http://mozilla.org/projects/bugzilla/security/2.16.1/

As always, working with Jon is a pleasure. Although I would perhaps
point out that "The default .htaccess scripts do not block access to
backups created by editors such as vi or emacs" is not your most
Internet-destroying security vulnerability. And might perhaps suggest
that the reason Scarab has had no security issues yet is because no-one
is using it...

By the way, congratulations on reaching the first anniversary of your
initial beta release. Even by Mozilla standards, that's pretty good
going. Hope you make it out of beta soon. :-)

Gerv





-------- Original Message --------
Subject: Re: ASF's Bugzilla
Date: Fri, 07 Feb 2003 03:38:24 -0800
From: Jon Scott Stevens <jon at latchkey.com>
To: Gervase Markham <gerv at mozilla.org>
CC: Pier Fumagalli <pier at apache.org>

on 2003/2/7 12:22 AM, "Gervase Markham" <gerv at mozilla.org> wrote:

 > As always, working with Jon is a pleasure. Although I would perhaps
 > point out that "The default .htaccess scripts do not block access to
 > backups created by editors such as vi or emacs" is not your most
 > Internet-destroying security vulnerability.

Doesn't matter. A security hole report for almost every release is pretty
pathetic and shows a fundamental design problem with Bugzilla.

 > And might perhaps suggest
 > that the reason Scarab has had no security issues yet is because no-one
 > is using it...

Ah...that is where you are wrong. There is so much you don't know, but that
is ok.

 > By the way, congratulations on reaching the first anniversary of your
 > initial beta release. Even by Mozilla standards, that's pretty good
 > going. Hope you make it out of beta soon. :-)

Version numbers mean nothing. Look at MySQL, their alpha/gamma releases are
as high quality as every other of their releases.

-jon

-- 
StudioZ.tv /\ Bar/Nightclub/Entertainment
314 11th Street @ Folsom /\ San Francisco
         http://studioz.tv/





-------- Original Message --------
Subject: Re: ASF's Bugzilla
Date: Fri, 07 Feb 2003 02:51:44 +0000
From: Pier Fumagalli <pier at apache.org>
To: Gervase Markham <gerv at mozilla.org>, <bugzilla at apache.org>, Jon Scott Stevens <jon at latchkey.com>

On 6/2/03 7:47, "Gervase Markham" <gerv at mozilla.org> wrote:

 > Hi,
 >
 > I am writing a presentation on "Advanced Bugzilla Use" for FOSDEM
 > (http://www.fosdem.org) and was looking around the Bugzillas of a number
 > of high-profile organisations. I noticed a couple of things about your
 > Bugzilla.
 >
 > - You are using 2.14.2. You may know that the 2.14 branch of Bugzilla
 > became unsupported as of the New Year (this fact was widely trailed for
 > a long time and advertised on the announce list and the Bugzilla status
 > updates.)

Hmmm... Good... Then it's time to switch...

 > - You are evaluating Scarab as a possible next-generation bug tracker.

No, we're not evaluating it... We're _going_ to use it...

 > I would be interested to know what deficiencies you found in Bugzilla
 > which made you think that moving to Scarab would be necessary? We'd very
 > much like to know, because then we may be able to rectify them - for
 > other people, even if not for you :-) Forgive me if you've already filed
 > them in our Bugzilla instance - I haven't noticed them.

Oh, it's simple... None of us understands Perl well enough, and Scarab was
actually built by people involved with the Apache community (so, it's easier
to flame someone you know when stuff doesn't work, and actually, we even
have better roundtrip times, as the people who wrote scarab also have the
rights to administer it, upgrade it, tweak it, whatever, on the live
install)...

 > But, notwithstanding that, Bugzilla has made great leaps and bounds in
 > features and usability since 2.14 was released nearly 18 months ago. We
 > try very hard to make upgrading a painless process, and you do not seem
 > to have customised your Bugzilla to a great extent, so upgrading should
 > be fine. Even if you are evaluating another tracker in the long term,
 > given that 2.14 is no longer supported, would you consider an upgrade? I
 > would be happy to assist with this process.

Seriously, not really, of course unless you don't break into my system and
take the whole bugs db down... :-)

Scarab to some extent is our own dogfood, and we have much more control (and
knowledge) onto it, so the switch is already decided. We're going to do
it...

 > Please let me know if I can help you in any way.

Jon, the main author of Scarab and member of the Apache Software Foundation
is in CC...

     Pier



