From gerv at mozilla.org Mon Aug 17 09:23:22 2015
From: gerv at mozilla.org (Gervase Markham)
Date: Mon, 17 Aug 2015 10:23:22 +0100
Subject: Bugzilla assessment
Message-ID: <55D1A80A.8050203@mozilla.org>

Hi Fortify team,

You tried to send your security assessment of Bugzilla 5 to our Support
mailing list rather than our development team. That would have been a bit
bad, because it's a public list. Fortunately, the list scrubs attachments,
so your report did not become public.

If you have a report for us, please send it to security at bugzilla.org.

Thanks :-)

Gerv


From gerv at mozilla.org Tue Aug 18 17:01:15 2015
From: gerv at mozilla.org (Gervase Markham)
Date: Tue, 18 Aug 2015 18:01:15 +0100
Subject: .htaccess problems
Message-ID:

Hi everyone,

What do we do about the mess that is .htaccess files?

Way back when, it was decided that we should autogenerate these rather
than just ship them, because some of them lived in directories which were
also auto-created rather than shipped.
https://bugzilla.mozilla.org/show_bug.cgi?id=76154

Now we have a problem because they need to be upgraded due to an Apache
permissions syntax change, otherwise things stop working with a
hard-to-diagnose error when someone upgrades their Apache (or moves an
installation from one machine to another, or upgrades their OS, or
something else).

Ideally, we would do this automatically. However, it's not easy, for a
number of reasons.

Firstly, we don't ship the files in our repo. And we can't move to doing
so because AIUI, any "git pull" which contained .htaccess files, run on a
current Bugzilla, would die with a "you have files in the way" problem.

Secondly, the user may have edited the .htaccess files, perhaps because
their access control setup is complex.

My proposal is to get checksetup.pl to check the Apache version and
whether the person is using mod_perl and if so, which version, and any
other variables which might be relevant.
If their .htaccess files are unchanged and they are using the wrong
permissions syntax, replace the files with the right ones. If they have
changed the files and are using the wrong permissions syntax, output a
warning so they can fix it themselves.

Does that sound OK?

LpSolit doesn't like this idea because it requires checksetup.pl to know
all the previous standard contents of .htaccess files, so it knows if they
have been changed or not. That's only one set of contents now, but I
suppose it could be more later.

Gerv
_______________________________________________
dev-apps-bugzilla mailing list
dev-apps-bugzilla at lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-apps-bugzilla


From jochen.wiedmann at gmail.com Wed Aug 19 05:30:55 2015
From: jochen.wiedmann at gmail.com (Jochen Wiedmann)
Date: Wed, 19 Aug 2015 07:30:55 +0200
Subject: .htaccess problems
In-Reply-To:
References:
Message-ID:

On Tue, Aug 18, 2015 at 7:01 PM, Gervase Markham wrote:
> My proposal is to get checksetup.pl to check the Apache version and
> whether the person is using mod_perl and if so, which version, and any
> other variables which might be relevant.

How do you propose to do that? Also keep in mind that there are still
other HTTP servers out there.

Jochen

--
Any world that can produce the Taj Mahal, William Shakespeare, and
Stripe toothpaste can't be all bad.
(C.R. MacNamara, One Two Three)


From gerv at mozilla.org Wed Aug 19 08:27:18 2015
From: gerv at mozilla.org (Gervase Markham)
Date: Wed, 19 Aug 2015 09:27:18 +0100
Subject: .htaccess problems
In-Reply-To:
References:
Message-ID: <55D43DE6.2030903@mozilla.org>

On 19/08/15 06:30, Jochen Wiedmann wrote:
>> My proposal is to get checksetup.pl to check the Apache version and
>> whether the person is using mod_perl and if so, which version, and any
>> other variables which might be relevant.
>
> How do you propose to do that? Also keep in mind that there are still
> other HTTP servers out there.
So .htaccess is a cross-server standard? Have they all agreed to this
change in syntax for defining how access control works, then? We don't
seem to have had issues with our .htaccess files not being cross-server
compatible in the past.

Gerv


From jochen.wiedmann at gmail.com Wed Aug 19 10:41:19 2015
From: jochen.wiedmann at gmail.com (Jochen Wiedmann)
Date: Wed, 19 Aug 2015 12:41:19 +0200
Subject: .htaccess problems
In-Reply-To: <55D43DE6.2030903@mozilla.org>
References: <55D43DE6.2030903@mozilla.org>
Message-ID:

On Wed, Aug 19, 2015 at 10:27 AM, Gervase Markham wrote:
>
> So .htaccess is a cross-server standard? Have they all agreed to this
> change in syntax for defining how access control works, then?

My point is that detecting the httpd version should include something
like "Not Apache at all", in which case generation of .htaccess files
ought to be suppressed altogether.

Jochen

--
Any world that can produce the Taj Mahal, William Shakespeare, and
Stripe toothpaste can't be all bad.
(C.R. MacNamara, One Two Three)


From gerv at mozilla.org Wed Aug 19 12:19:15 2015
From: gerv at mozilla.org (Gervase Markham)
Date: Wed, 19 Aug 2015 13:19:15 +0100
Subject: .htaccess problems
In-Reply-To:
References: <55D43DE6.2030903@mozilla.org>
Message-ID: <55D47443.6040005@mozilla.org>

On 19/08/15 11:41, Jochen Wiedmann wrote:
> My point is that detecting the httpd version should include something
> like "Not Apache at all", in which case generation of .htaccess files
> ought to be suppressed altogether.

That sounds like a much larger issue than this one. Bugzilla's .htaccess
files have assumed Apache syntax (that's what the definition is - see
https://en.wikipedia.org/wiki/.htaccess#Format ) and I see no reason why
they shouldn't continue to do so.
Gerv


From lpsolit at gmail.com Wed Aug 19 12:22:47 2015
From: lpsolit at gmail.com (Frédéric Buclin)
Date: Wed, 19 Aug 2015 14:22:47 +0200
Subject: .htaccess problems
In-Reply-To:
References: <55D43DE6.2030903@mozilla.org>
Message-ID: <55D47517.5070208@gmail.com>

On 19. 08. 15 12:41, Jochen Wiedmann wrote:
> My point is that detecting the httpd version should include something
> like "Not Apache at all", in which case generation of .htaccess files
> ought to be suppressed altogether.

If you don't use Apache, you can already disable the creation of
.htaccess from localconfig. Just set $create_htaccess = 0.

LpSolit


From gerv at mozilla.org Thu Aug 27 23:33:43 2015
From: gerv at mozilla.org (Gervase Markham)
Date: Thu, 27 Aug 2015 16:33:43 -0700
Subject: Remove approval requirement for trunk?
Message-ID:

I'd like to propose we remove the approval requirement for trunk.

LpSolit said the last time he can remember anyone a-minusing a patch for
trunk was where the feature wasn't actually wanted, and no-one had
bothered to point this out, and it was quite a few years ago.

If we instead had some sort of last resort "the project lead can request
a backout of a trunk feature if he decides it's not actually wanted"
power, and expect that power to be used about once every 5 years, would
that be enough to eliminate this extra bureaucratic step?

The one exception, I suggest, would be for patches which touch the DB,
which can not be so easily backed out. Those would continue to require
approval from an approver.

Approval would also remain in place for stable branches, where approvers
are supposed to weigh the importance of the patch against the risk to
stability.

What do you all think?
Gerv


From justdave at bugzilla.org Fri Aug 28 00:33:07 2015
From: justdave at bugzilla.org (Dave Miller)
Date: Thu, 27 Aug 2015 20:33:07 -0400
Subject: Remove approval requirement for trunk?
In-Reply-To:
References:
Message-ID: <33385303-E4AC-4253-8DCB-938285F4D7BD@bugzilla.org>

I like this idea. I'm pretty sure we trust the folks with review
permissions these days, and like you said, a- on trunk is rare.

On August 27, 2015 7:33:43 PM EDT, Gervase Markham wrote:
> I'd like to propose we remove the approval requirement for trunk.
>
> LpSolit said the last time he can remember anyone a-minusing a patch
> for trunk was where the feature wasn't actually wanted, and no-one had
> bothered to point this out, and it was quite a few years ago.
>
> If we instead had some sort of last resort "the project lead can
> request a backout of a trunk feature if he decides it's not actually
> wanted" power, and expect that power to be used about once every 5
> years, would that be enough to eliminate this extra bureaucratic step?
>
> The one exception, I suggest, would be for patches which touch the DB,
> which can not be so easily backed out. Those would continue to require
> approval from an approver.
>
> Approval would also remain in place for stable branches, where
> approvers are supposed to weigh the importance of the patch against
> the risk to stability.
>
> What do you all think?
>
> Gerv

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
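The checksetup.pl logic Gerv proposes in the .htaccess thread above, written out as an added illustration (not Bugzilla's own code): a file is rewritten only when its contents are byte-identical to a version Bugzilla itself generated, the admin is warned when the file was edited locally, and nothing is touched when the server is not Apache, as Jochen and LpSolit want. The sample .htaccess contents, version strings and function names are assumptions; the syntax change assumed is Apache 2.4's move from Order/Allow/Deny to Require directives.

```perl
# Added illustration of the proposed checksetup.pl check (not Bugzilla code).
use strict;
use warnings;

# Previously shipped .htaccess contents, mapped to their Apache 2.4
# replacements. Constructed samples; Bugzilla's real templates differ.
my %KNOWN_UPGRADES = (
    "# nothing in this directory is web accessible\n"
  . "Order deny,allow\nDeny from all\n"
      => "# nothing in this directory is web accessible\n"
       . "Require all denied\n",
);

# Apache 2.2 access-control directives that 2.4's mod_authz_core only
# accepts when the optional mod_access_compat module is loaded.
my $LEGACY_SYNTAX = qr/^\s*(?:Order|Allow|Deny)\s+/mi;

# Decide what checksetup.pl should do with one .htaccess file. Returns
# 'skip' (not Apache), 'ok' (nothing to do), 'replace' (safe to rewrite)
# or 'warn' (locally modified, the admin must fix it by hand).
sub htaccess_action {
    my ($apache_version, $content) = @_;
    return 'skip' unless defined $apache_version && $apache_version =~ /^(\d+)\.(\d+)/;
    my ($major, $minor) = ($1, $2);
    # Pre-2.4 servers still understand the old syntax.
    return 'ok' if $major < 2 || ($major == 2 && $minor < 4);
    return 'ok' unless $content =~ $LEGACY_SYNTAX;
    # Only touch files we generated ourselves and that nobody has edited;
    # any difference at all (even line endings) falls through to 'warn'.
    return exists $KNOWN_UPGRADES{$content} ? 'replace' : 'warn';
}

# Apply the decision to a file on disk; returns the action taken.
sub upgrade_htaccess {
    my ($path, $apache_version) = @_;
    open my $in, '<', $path or die "cannot read $path: $!";
    my $content = do { local $/; <$in> };
    close $in;
    my $action = htaccess_action($apache_version, $content);
    if ($action eq 'replace') {
        open my $out, '>', $path or die "cannot write $path: $!";
        print $out $KNOWN_UPGRADES{$content};
        close $out;
    }
    elsif ($action eq 'warn') {
        warn "$path: pre-2.4 Order/Allow/Deny syntax in a locally edited "
           . "file; convert it to Require directives by hand.\n";
    }
    return $action;
}
```

Each standard .htaccess Bugzilla has ever generated would become one more key of %KNOWN_UPGRADES, which is the bookkeeping LpSolit objects to.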