From gerv at mozilla.org Mon Jul 6 13:18:14 2015
From: gerv at mozilla.org (Gervase Markham)
Date: Mon, 6 Jul 2015 14:18:14 +0100
Subject: Replicating a Bugzilla database structure
Message-ID:

Let's say you want to make a copy of a Bugzilla database's structure -
i.e. all the data and configuration (products, components etc.), but not
the bugs or attachments. This is handy if you are setting up a test
system for a production server with a large database.

Try this (with appropriate auth credentials):

  # Extract table structure but no data at all
  mysqldump -u bugzilla -p --add-drop-database --add-drop-table \
    --no-data bugzilla > skeleton.db

  # Extract table data of all tables except those relating to bugs and
  # attachments and other temporary stuff
  mysqldump -u bugzilla -p --no-create-info \
    --ignore-table=bugzilla.attachments \
    --ignore-table=bugzilla.attach_data \
    --ignore-table=bugzilla.bug_group_map \
    --ignore-table=bugzilla.bug_see_also \
    --ignore-table=bugzilla.bug_tag \
    --ignore-table=bugzilla.bugs \
    --ignore-table=bugzilla.bugs_activity \
    --ignore-table=bugzilla.bugs_fulltext \
    --ignore-table=bugzilla.cc \
    --ignore-table=bugzilla.dependencies \
    --ignore-table=bugzilla.duplicates \
    --ignore-table=bugzilla.flags \
    --ignore-table=bugzilla.keywords \
    --ignore-table=bugzilla.longdescs \
    --ignore-table=bugzilla.series_data \
    --ignore-table=bugzilla.votes \
    --ignore-table=bugzilla.audit_log \
    bugzilla > data.db

Then send the two files you've created back to mysql, in the order you
created them.

Hope this helps someone. If you know a better way of doing this, do post it.
Gerv
_______________________________________________
dev-apps-bugzilla mailing list
dev-apps-bugzilla at lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-apps-bugzilla

From glob at mozilla.com Wed Jul 8 05:28:35 2015
From: glob at mozilla.com (Byron Jones)
Date: Wed, 08 Jul 2015 13:28:35 +0800
Subject: taking a break from the bugzilla project
Message-ID: <559CB503.5000302@mozilla.com>

i am taking a break from my roles in the bugzilla project.
i will still be an active member of the community but i won't be an
approver nor a suggested reviewer for patches.

why? the short answer to that is i don't have the time i need to put
towards the bugzilla project anymore. now that i'm employed to work full
time on bugzilla.mozilla.org my desire to work on "upstream" bugzilla
during my spare time is lacking.

i'm taking this break to allow me to focus more on my paid work, as well
as to free up more time for my family.

-glob

--
byron jones - :glob - bugzilla.mozilla.org team lead -

From gerv at mozilla.org Wed Jul 8 05:38:30 2015
From: gerv at mozilla.org (Gervase Markham)
Date: Wed, 8 Jul 2015 06:38:30 +0100
Subject: taking a break from the bugzilla project
In-Reply-To: <559CB503.5000302@mozilla.com>
References: <559CB503.5000302@mozilla.com>
Message-ID: <559CB756.3050807@mozilla.org>

Hey glob,

On 08/07/15 06:28, Byron Jones wrote:
> i am taking a break from my roles in the bugzilla project.
> i will still be an active member of the community but i won't be an
> approver nor a suggested reviewer for patches.

I'm sure I speak for everyone when I say that we're extremely grateful
for all your hard work on Bugzilla - both BMO and upstream. Bugzilla 5.0
is a great product, in significant part due to you. We would be very sad
to lose you permanently, but please take all the time you need.
Gerv

From justdave at bugzilla.org Thu Jul 9 15:18:55 2015
From: justdave at bugzilla.org (Dave Miller)
Date: Thu, 09 Jul 2015 11:18:55 -0400
Subject: taking a break from the bugzilla project
In-Reply-To: <559CB756.3050807@mozilla.org>
References: <559CB503.5000302@mozilla.com> <559CB756.3050807@mozilla.org>
Message-ID: <559E90DF.1060900@bugzilla.org>

Gervase Markham wrote:
> On 08/07/15 06:28, Byron Jones wrote:
>> i am taking a break from my roles in the bugzilla project.
>> i will still be an active member of the community but i won't be an
>> approver nor a suggested reviewer for patches.
>
> I'm sure I speak for everyone when I say that we're extremely grateful
> for all your hard work on Bugzilla - both BMO and upstream. Bugzilla 5.0
> is a great product, in significant part due to you. We would be very sad
> to lose you permanently, but please take all the time you need.

What Gerv said in spades! Thanks for all your help!

--
Dave Miller
http://www.justdave.net/
IT Infrastructure Engineer, Mozilla http://www.mozilla.org/
Project Leader, Bugzilla Bug Tracking System http://www.bugzilla.org/

From gerv at mozilla.org Mon Jul 27 10:57:23 2015
From: gerv at mozilla.org (Gervase Markham)
Date: Mon, 27 Jul 2015 11:57:23 +0100
Subject: Taint mode
Message-ID:

At the last Bugzilla meeting, we discussed turning off taint mode, as
it's a performance hit, keeps breaking 3rd party modules and provides
marginal value now that we use placeholders properly and template escaping.

Someone said a bug had been opened: is that right?

Gerv

From bbaetz at gmail.com Mon Jul 27 11:20:04 2015
From: bbaetz at gmail.com (Bradley Baetz)
Date: Mon, 27 Jul 2015 11:20:04 +0000
Subject: Taint mode
In-Reply-To:
References:
Message-ID:

/delurk

What is the measurable performance impact?
Any idea whether it's in a specific bit of code or more general?

The goal of taint mode is to track stuff that we don't know about. When
I added taint mode (way too long ago...) we found a huge number of
security issues, and that was *after* doing audits for problem
categories. I'm sure that it's better now, but it's better to be safe
than sorry....

It should just be a check of a single magic bit in the perl code,
although since Perl isn't really my focus nowadays I could be wrong...

Bradley

On Mon, 27 Jul 2015 at 21:00 Gervase Markham wrote:
> At the last Bugzilla meeting, we discussed turning off taint mode, as
> it's a performance hit, keeps breaking 3rd party modules and provides
> marginal value now that we use placeholders properly and template escaping.
>
> Someone said a bug had been opened: is that right?
>
> Gerv

From lpsolit at gmail.com Mon Jul 27 12:50:25 2015
From: lpsolit at gmail.com (Frédéric Buclin)
Date: Mon, 27 Jul 2015 14:50:25 +0200
Subject: Taint mode
In-Reply-To:
References:
Message-ID: <55B62911.5020705@gmail.com>

On 27. 07. 15 12:57, Gervase Markham wrote:
> At the last Bugzilla meeting, we discussed turning off taint mode, as
> it's a performance hit, keeps breaking 3rd party modules and provides
> marginal value now that we use placeholders properly and template escaping.

It's a performance hit based on which benchmarks? I suppose none has
been run against Bugzilla. If benchmarks have been run against Bugzilla,
then the results should be made public.
For instance, Foswiki said that they see a 10% boost with their code
with taint mode disabled:
http://foswiki.org/Development.RemoveTaintCheckingFromFoswiki

First of all, I would say that a 10% performance penalty is not that
much when talking about security.

I don't know which 3rd-party modules you are talking about, but we
certainly don't "keep breaking" them. I have been involved long enough
to know that it's not true.

Secondly, about the use of placeholders and template escaping: we still
catch "insecure dependency" problems from time to time, thanks to
tainting being enabled. I agree, this is much less frequent than in the
past. But Search.pm doesn't use placeholders for its queries, so a SQL
code injection there would be annoying.

Each new release contains new code and this code is certainly not safer
than previous code. Humans still make errors in 2015. This is even more
true now that Bugzilla has an API which lets users interact with it
remotely. It's a new way to attack Bugzilla. Sure, the taint mode
doesn't make your code 100% safe, but it's one built-in security feature
that Perl has which we should use.

And assuming you plan to only turn off tainting on production
installations, how would you keep it enabled in development
environments? You cannot simply turn a bit on/off. This is an important
point to consider.

To summarize: wanting to turn off the taint mode solely to make the code
faster is a mistake. In that case, there are better ways to make your
code much faster: replace Template Toolkit by Xslate.

So I share the same feeling as bbaetz here.

> Someone said a bug had been opened: is that right?
For bmo only: https://bugzilla.mozilla.org/show_bug.cgi?id=1186416

LpSolit

From gerv at mozilla.org Mon Jul 27 11:07:05 2015
From: gerv at mozilla.org (Gervase Markham)
Date: Mon, 27 Jul 2015 12:07:05 +0100
Subject: Taint mode
Message-ID:

At the last Bugzilla meeting, we discussed turning off taint mode, as
it's a performance hit, keeps breaking 3rd party modules and provides
marginal value now that we use placeholders properly and template
escaping. It also means we could use /usr/bin/env in the #! line, which
is advantageous for people whose Perl is in a non-standard place.

Someone said a bug had been opened: is that right?

Gerv

From gerv at mozilla.org Tue Jul 28 09:08:00 2015
From: gerv at mozilla.org (Gervase Markham)
Date: Tue, 28 Jul 2015 10:08:00 +0100
Subject: Taint mode
In-Reply-To: <55B62911.5020705@gmail.com>
References: <55B62911.5020705@gmail.com>
Message-ID: <55B74670.6000809@mozilla.org>

On 27/07/15 13:50, Frédéric Buclin wrote:
> It's a performance hit based on which benchmarks?

I agree we do need to run some, and I believe Dylan said he would. But
based on the experience of other people.

> First of all, I would say that a 10% performance penalty is not that
> much when talking about security.

A 10% performance penalty is a lot when talking about anything.

> I don't know which 3rd-party modules
> you are talking about, but we certainly don't "keep breaking" them. I
> have been involved long enough to know that it's not true.

DateTime::TimeZone has broken at least once and possibly twice now
because they don't test with taint.

> Secondly, about the use of placeholders and template escaping: we still
> catch "insecure dependency" problems from time to time, thanks to
> tainting being enabled. I agree, this is much less frequent than in the
> past.
> But Search.pm doesn't use placeholders for its queries, so a SQL
> code injection there would be annoying.

One option might be to use a different method of enabling taint mode
(environment var?) so that people can enable it for development and
disable it for production.

> Each new release contains new code and this code is certainly not safer
> than previous code. Humans still make errors in 2015.

I agree. The question is: how many of those errors does taint mode
actually catch? When was the last time you got a taint error, and it
actually turned out to be a potential security problem, as opposed to
e.g. running something through detaint_natural before making it the
placeholder value in an SQL query, which would be safe anyway?

Gerv

From mcote at bugzilla.org Wed Jul 29 14:25:41 2015
From: mcote at bugzilla.org (Mark Côté)
Date: Wed, 29 Jul 2015 10:25:41 -0400
Subject: Bugzilla 4.2 will be EOL on 2015/11/30
Message-ID: <55B8E265.5010201@bugzilla.org>

As discussed on the Bugzilla developers mailing list/newsgroup[1] and
confirmed by project leads, Bugzilla's new release policy is to
end-of-life the oldest major version four months after a new major
release. Since this is the first time we're enacting this policy, we've
extended the date to be 4 months from today rather than from Bugzilla
5.0's exact release date (July 7th).

Thus Bugzilla 4.2 will be end-of-lifed on 30 November 2015. This means
no fixes of any kind will be issued for Bugzilla 4.2 from that date
onwards. As usual, all Bugzilla admins are encouraged to upgrade[2] to
the latest version of Bugzilla as soon as possible, especially those
running 4.2 or earlier.

Mark Côté
Assistant Project Lead, Bugzilla

[1] https://groups.google.com/forum/#!topic/mozilla.dev.apps.bugzilla/vBGTf7SvOWg
[2] https://bugzilla.readthedocs.org/en/5.0/installing/upgrading.html

From gerv at mozilla.org Wed Jul 29 16:24:28 2015
From: gerv at mozilla.org (Gervase Markham)
Date: Wed, 29 Jul 2015 17:24:28 +0100
Subject: Bugzilla 4.2 will be EOL on 2015/11/30
In-Reply-To: <55B8E265.5010201@bugzilla.org>
References: <55B8E265.5010201@bugzilla.org>
Message-ID: <55B8FE3C.5040307@mozilla.org>

Hi Mark,

On 29/07/15 15:25, Mark Côté wrote:
> Thus Bugzilla 4.2 will be end-of-lifed on 30 November 2015. This means
> no fixes of any kind will be issued for Bugzilla 4.2 from that date
> onwards. As usual, all Bugzilla admins are encouraged to upgrade[2] to
> the latest version of Bugzilla as soon as possible, especially those
> running 4.2 or earlier.

Thanks for arranging this announcement. :-)

Can we get it up on http://www.bugzilla.org/ and
https://bugzillaupdate.wordpress.com/? :-) Who would be able to do that?

Thanks,

Gerv

From dkl at mozilla.com Wed Jul 29 16:29:12 2015
From: dkl at mozilla.com (David Lawrence)
Date: Wed, 29 Jul 2015 12:29:12 -0400
Subject: Bugzilla 4.2 will be EOL on 2015/11/30
In-Reply-To: <55B8FE3C.5040307@mozilla.org>
References: <55B8E265.5010201@bugzilla.org> <55B8FE3C.5040307@mozilla.org>
Message-ID: <55B8FF58.3070706@mozilla.com>

I can handle both of these.

dkl

Gervase Markham wrote:
> Hi Mark,
>
> On 29/07/15 15:25, Mark Côté wrote:
>> Thus Bugzilla 4.2 will be end-of-lifed on 30 November 2015. This means
>> no fixes of any kind will be issued for Bugzilla 4.2 from that date
>> onwards. As usual, all Bugzilla admins are encouraged to upgrade[2] to
>> the latest version of Bugzilla as soon as possible, especially those
>> running 4.2 or earlier.
>
> Thanks for arranging this announcement. :-)
>
> Can we get it up on http://www.bugzilla.org/ and
> https://bugzillaupdate.wordpress.com/? :-) Who would be able to do that?
>
> Thanks,
>
> Gerv

--
David Lawrence
dkl at mozilla.com

From mcote at mozilla.com Wed Jul 29 16:27:53 2015
From: mcote at mozilla.com (Mark Côté)
Date: Wed, 29 Jul 2015 12:27:53 -0400
Subject: Bugzilla 4.2 will be EOL on 2015/11/30
In-Reply-To:
References: <55B8E265.5010201@bugzilla.org>
Message-ID:

On 2015-07-29 12:24 PM, Gervase Markham wrote:
> Hi Mark,
>
> On 29/07/15 15:25, Mark Côté wrote:
>> Thus Bugzilla 4.2 will be end-of-lifed on 30 November 2015. This means
>> no fixes of any kind will be issued for Bugzilla 4.2 from that date
>> onwards. As usual, all Bugzilla admins are encouraged to upgrade[2] to
>> the latest version of Bugzilla as soon as possible, especially those
>> running 4.2 or earlier.
>
> Thanks for arranging this announcement. :-)
>
> Can we get it up on http://www.bugzilla.org/ and
> https://bugzillaupdate.wordpress.com/? :-) Who would be able to do that?

I'm going to reword it slightly (adding a bit about the overall EOL
scheme we're now using) before sending to announce at bugzilla.org. I
can put it up on the blog as well. Perhaps justdave or dkl can add it to
the site.

Mark
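Added example for the "Replicating a Bugzilla database structure" recipe at the top of this page. It is not code from that post or from the Bugzilla project; it wraps the same two mysqldump steps in a script that builds the commands from a table list, prints the restore order, and emits a query to confirm that the copy has products but no bugs. Assumptions: the database and the MySQL user are both called bugzilla (overridable through BUGZILLA_DB and BUGZILLA_DBUSER), and the excluded tables are the ones from the post plus logincookies and tokens, which hold live session cookies and password-reset/API tokens and which I would also keep off a test box; that pair is my addition, not the post's. Two practical points the post does not mention: mysqldump only writes the DROP DATABASE/CREATE DATABASE statements that --add-drop-database refers to when the database is named through --databases (or --all-databases), so the skeleton dump here uses --databases and the restore will drop and recreate bugzilla on the target server; and --single-transaction gives a consistent InnoDB snapshot without locking the production tables. Note that profiles cannot be excluded (products and components reference users), so the test system still receives real e-mail addresses and password hashes.

```shell
#!/bin/sh
# Added example (not from the original post or the Bugzilla project):
# dump a Bugzilla database's schema and configuration but no per-bug data,
# then print the commands to load it into a test server and a query that
# confirms the result. Assumes the database and MySQL user are both named
# "bugzilla"; override with BUGZILLA_DB / BUGZILLA_DBUSER.
DB="${BUGZILLA_DB:-bugzilla}"
DBUSER="${BUGZILLA_DBUSER:-bugzilla}"

# Per-bug tables from the original post, in the same order.
BUG_TABLES="attachments attach_data bug_group_map bug_see_also bug_tag bugs
bugs_activity bugs_fulltext cc dependencies duplicates flags keywords
longdescs series_data votes audit_log"

# My addition: live sessions and password-reset/API tokens have no place on
# a test box either. The skeleton dump still creates these tables, empty.
SESSION_TABLES="logincookies tokens"

# Print "--ignore-table=DB.table" for every table name given, space separated.
ignore_args() {
  db="$1"; shift
  sep=""
  for t in "$@"; do
    printf '%s--ignore-table=%s.%s' "$sep" "$db" "$t"
    sep=" "
  done
}

# Schema only. --databases makes mysqldump emit the DROP/CREATE DATABASE
# statements that --add-drop-database refers to; without it they are skipped.
skeleton_cmd() {
  printf 'mysqldump -u %s -p --add-drop-database --add-drop-table --no-data --databases %s > skeleton.sql' \
    "$DBUSER" "$DB"
}

# Data only, minus the excluded tables. --single-transaction reads a
# consistent InnoDB snapshot without locking the production tables.
data_cmd() {
  printf 'mysqldump -u %s -p --no-create-info --single-transaction %s %s > data.sql' \
    "$DBUSER" "$(ignore_args "$DB" $BUG_TABLES $SESSION_TABLES)" "$DB"
}

# Load order matters: schema first (it contains CREATE DATABASE and USE),
# then the configuration rows into the freshly created database.
restore_cmds() {
  printf 'mysql -u %s -p < skeleton.sql\nmysql -u %s -p %s < data.sql\n' \
    "$DBUSER" "$DBUSER" "$DB"
}

# Run this on the test server afterwards: expect bugs = 0, sessions = 0
# and products > 0.
verify_sql() {
  printf 'SELECT (SELECT COUNT(*) FROM bugs) AS bugs, (SELECT COUNT(*) FROM products) AS products, (SELECT COUNT(*) FROM logincookies) AS sessions;'
}

# Without --run the script only shows what it would execute.
if [ "${1:-}" = "--run" ]; then
  eval "$(skeleton_cmd)" && eval "$(data_cmd)"
else
  skeleton_cmd; echo; data_cmd; echo; restore_cmds; verify_sql; echo
fi
```

Run it once without arguments to inspect the generated commands, then with --run on the production host (mysqldump will prompt for the password twice); copy skeleton.sql and data.sql to the test server and apply them in the printed order.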
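Added example for the "Taint mode" thread above (Bradley's "single magic bit", LpSolit's Search.pm concern and Gerv's detaint_natural question). It is not code from Bugzilla or from anyone in the thread. It shows in a few lines what perl -T actually does: values from argv, stdin, %ENV and files carry a per-scalar taint flag (the bit Scalar::Util::tainted reads), the flag follows the value through string operations, and the interpreter refuses to pass a flagged value to system, exec, open-for-write or eval. The detaint_natural below is my own whitelist untaint, modelled on the idea of Bugzilla::Util::detaint_natural rather than its code; detaint_anything is the anti-pattern that clears the flag without checking anything. The last lines make LpSolit's and Gerv's points concrete: taint mode knows nothing about SQL, so a query built by string interpolation is exactly as safe as the regex that untainted its input, and a placeholder query would be safe with or without the flag. Run it with perl -T on the command line (perl refuses a -T that appears only in the #! line when the script is started as perl script.pl).

```perl
#!/usr/bin/perl -T
# Added example, not code from Bugzilla or from the thread above.
# Run as:  perl -T taint_demo.pl 42
#          perl -T taint_demo.pl '42 OR 1=1'
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "usage: $0 BUG_ID\n" unless @ARGV;

# Under -T every value that came from outside the program is flagged.
# A tainted PATH would also make system() refuse to run, so fix it first.
$ENV{PATH} = '/usr/bin:/bin';
my $bug_id = shift @ARGV;
printf "argv value tainted: %s\n", tainted($bug_id) ? 'yes' : 'no';

# Whitelist untaint (my version of the detaint_natural idea): only an
# all-digit string passes, and what comes back is the capture, which Perl
# marks clean precisely because a regex was used to vet it.
sub detaint_natural {
    my ($value) = @_;
    return undef unless defined $value && $value =~ /^(\d+)$/;
    return $1;
}

# The anti-pattern: a catch-all capture clears the flag but checks nothing.
sub detaint_anything {
    my ($value) = @_;
    $value =~ /^(.*)$/s;
    return $1;
}

my $clean = detaint_natural($bug_id);
if (defined $clean) {
    printf "whitelisted value '%s' tainted: %s\n", $clean,
        tainted($clean) ? 'yes' : 'no';
    system('echo', 'bug', $clean);    # allowed: the argument is clean
} else {
    print "rejected: not a natural number\n";
}

# The original scalar is still tainted whatever it contains, so this dies
# with "Insecure dependency in system while running with -T switch".
eval { system('echo', 'bug', $bug_id); 1 }
    or print "system() with tainted argv refused: $@";

# What taint mode does NOT do: it has no idea what SQL is. A query built by
# interpolation (the Search.pm case from the thread) is only as safe as the
# untaint regex that was applied. With detaint_anything the flag is gone
# and the injection survives untouched.
my $lazy = detaint_anything($bug_id);
my $sql  = "SELECT bug_id FROM bugs WHERE bug_id = $lazy";
printf "lazy untaint tainted: %s, query: %s\n",
    tainted($lazy) ? 'yes' : 'no', $sql;

# With a placeholder the value never touches the SQL text, which is why a
# taint error on a value headed for a placeholder rarely marks a real bug.
my $placeholder_sql = 'SELECT bug_id FROM bugs WHERE bug_id = ?';
printf "placeholder query: %s  (bind value: %s)\n", $placeholder_sql, $bug_id;
```

Try both invocations: with 42 the whitelisted value runs through system() while the raw argv copy is still refused; with '42 OR 1=1' the whitelist rejects the input, the raw copy is still refused, and the lazily untainted copy produces an injected query that Perl is perfectly happy to hand to a database driver.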