From jmcdonal at redhat.com Thu Oct 1 01:00:26 2015
From: jmcdonal at redhat.com (Jason Mcdonald)
Date: Thu, 1 Oct 2015 11:00:26 +1000
Subject: Bugzilla Meeting times
In-Reply-To:
References:
Message-ID: <560C85AA.2070605@redhat.com>

On 30/09/15 19:20, Gervase Markham wrote:
> Hi everyone,
>
> It's possible the current time-of-day of the Bugzilla meetings do not
> work well for everyone who might like to attend. If you have an interest
> in attending, each time or even sometimes, please can you reply to this
> message giving your location and timezone, and I can see if there's a
> happy medium which works for everyone? :-)

Brisbane, UTC+10 all year (no daylight saving time here as our
politicians think that the extra hour of sunlight will fade their
curtains).

Cheers,
--
Jason McDonald
Senior Software Engineer, Red Hat Asia Pacific, Brisbane, Australia
_______________________________________________
dev-apps-bugzilla mailing list
dev-apps-bugzilla at lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-apps-bugzilla

From jmcdonal at redhat.com Fri Oct 2 01:32:22 2015
From: jmcdonal at redhat.com (Jason Mcdonald)
Date: Fri, 2 Oct 2015 11:32:22 +1000
Subject: Offering full attachment isolation to Bugzilla installations
In-Reply-To:
References:
Message-ID: <560DDEA6.3040104@redhat.com>

On 29/09/15 20:41, Gervase Markham wrote:
> Hi everyone,
>
> Over the years, Bugzilla has been beefing up its attempts to avoid
> problems caused by the fact that attachments can be uploaded by
> untrustworthy people, and yet those attachments often have to be
> rendered in the browser - particularly for Bugzillas used for browser
> development, like BMO.
>
> First of all, we moved attachments to their own domain, using the
> attachmentbase parameter. This stops attachments from being able to
> access a user's Bugzilla cookies and credentials. It was even possible
> to give each attachment its own subdomain using wildcards, e.g.
> bz12345.bmoattachments.org.
> However, there are some issues that this
> still doesn't prevent, where attachments can do things to other
> attachments, which is allowed by the Same Origin Policy because
> bmoattachments.org is all one origin.
>
> In order to get full isolation in modern browsers, you need to host your
> attachments at one hostname per bug, on a domain which is in the Public
> Suffix List - http://publicsuffix.org/ . That way, attachments on
> bug12345.bmoattachments.org cannot access or do anything to attachments
> on bug54321.bmoattachments.org. The domain "bmoattachments.org" has been
> added to the PSL for BMO to use for precisely this.
>
> However, that leaves everyone else who runs a Bugzilla having to arrange
> for their own specially-registered domain to be added to the PSL, in
> order for them to get the same level of security. As the PSL takes some
> time to update and propagate to all browsers, this is a pain.
>
> Therefore, my plan is to register the domain "bzattachments.org", add
> "*.bzattachments.org" to the PSL, and then offer delegations (e.g.
> redhat.bzattachments.org, linuxkernel.bzattachments.org) to any bona
> fide Bugzilla which wants one. They just tell me their nameservers, and
> I add them to the domain's config. They can then host their attachments
> at bug12345.company.bzattachments.org,
> bug54321.company.bzattachments.org etc., and get full isolation. This
> would be a service provided by the Bugzilla project for the good of the web.
>
> Before I execute and publicise this plan, does anyone see any problems
> with it?

Do you have any thoughts on how this would work for non-production
instances of Bugzilla?

At Red Hat, we have a permanent public-facing test server, several
permanent internal test servers and a bunch of developer instances that
tend to come and go over time.

Cheers,
--
Jason McDonald
Senior Software Engineer, Red Hat Asia Pacific, Brisbane, Australia

From gerv at mozilla.org Fri Oct 2 08:18:30 2015
From: gerv at mozilla.org (Gervase Markham)
Date: Fri, 2 Oct 2015 09:18:30 +0100
Subject: Offering full attachment isolation to Bugzilla installations
In-Reply-To:
References:
Message-ID:

On 02/10/15 02:32, Jason Mcdonald wrote:
> Do you have any thoughts on how this would work for non-production
> instances of Bugzilla?

Well, in general people should not be running non-production instances
of Bugzilla on databases which contain confidential information. So the
need for full attachment isolation is much reduced. However, I see the
need for test instances to be configured the same as production
instances. Therefore...

> At Red Hat, we have a permanent public-facing test server, several
> permanent internal test servers and a bunch of developer instances that
> tend to come and go over time.

...in your case, I would suggest that you acquire
redhat.bzattachments.org for your production server,
redhat-test.bzattachments.org for your permanent public-facing test
server, and configure the rest not to use a separate attachment domain.
Hopefully, the number of things Bugzilla does differently based on this
setting is not too great, so the risk of introducing a bug which is not
detected is small.

Gerv

From fredrik at jonson.org Mon Oct 5 11:19:11 2015
From: fredrik at jonson.org (Fredrik Jonson)
Date: Mon, 05 Oct 2015 06:19:11 -0500
Subject: Bugzilla can now run as a PSGI application for a huge performance boost
References:
Message-ID:

LpSolit wrote:

> In case you need some performance boost for your Bugzilla installation,
> you will be happy to know that I wrote a patch to make it work as a PSGI
> application.

[...]

https://bugzilla.mozilla.org/show_bug.cgi?id=1201113

Improved performance is always fun, so thanks for doing this.

I see that the patches are not planned for 5.0, is the intent to have it
in 5.1?

How does bugzilla under PSGI compare to mod_perl? I'm currently running
an installation under mod_perl. Will the general recommendation be to
migrate to PSGI when it is accepted in mainline?

--
Fredrik Jonson

From lpsolit at gmail.com Mon Oct 5 21:14:50 2015
From: lpsolit at gmail.com (Frédéric Buclin)
Date: Mon, 5 Oct 2015 23:14:50 +0200
Subject: Bugzilla can now run as a PSGI application for a huge performance boost
In-Reply-To:
References:
Message-ID: <5612E84A.1030500@gmail.com>

On 05. 10. 15 13:19, Fredrik Jonson wrote:
> I see that the patches are not planned for 5.0, is the intent to have it in 5.1?

Yes, though that bug has a patch for 5.0 for those who want it. Note
that 5.1 is the version of the development branch. The stable version
will be 6.0.

> How does bugzilla under PSGI compare to mod_perl?

No idea. mod_perl 2.0.8 and older do not work with Apache 2.4, but my
Linux distro has mod_perl 2.0.7 and Apache 2.4.10. They are incompatible
and so I cannot enable it.
And mod_perl 2.0.9 doesn't work with Perl 5.22. So I personally don't
plan to enable mod_perl one day, but rather move to nginx + gazelle.
Someone who has Apache 2.2 with mod_perl enabled could do the comparison.

LpSolit

From kshep0010 at gmail.com Thu Oct 15 20:31:00 2015
From: kshep0010 at gmail.com (Kenneth Sheppard)
Date: Thu, 15 Oct 2015 13:31:00 -0700
Subject: Self-Introduction: Ken Sheppard
Message-ID:

Kenneth Sheppard
San Francisco, CA, USA
IT Security Engineer

I would be interested in helping out with web server side or UI bugs.

In the past I have built mostly system automation programs with Perl and
scripts to glue various pieces of software together. I have built a few
small web apps with dancer and mojo in the past as well, but only on
Windows.

I have experience with Windows, Red Hat, Perl, SIEM solutions, Network
Security Apps, and Oracle Databases.

Thank you,
Ken Sheppard

From gerv at mozilla.org Fri Oct 16 16:51:43 2015
From: gerv at mozilla.org (Gervase Markham)
Date: Fri, 16 Oct 2015 17:51:43 +0100
Subject: Self-Introduction: Ken Sheppard
In-Reply-To:
References:
Message-ID:

On 15/10/15 21:31, Kenneth Sheppard wrote:
> I would be interested in helping out with web server side or UI bugs.
>
> In the past I have built mostly system automation programs with Perl and
> scripts to glue various pieces of software together. I have built a few
> small web apps with dancer and mojo in the past as well, but only on
> Windows.
>
> I have experience with Windows, Red Hat, Perl, SIEM solutions, Network
> Security Apps, and Oracle Databases.

Hi Ken,

Welcome! I'm sure we can find useful stuff for you to do :-) Windows and
Oracle experience is particularly handy - do you have Bugzilla running
on Windows and/or Oracle?

Gerv

From gerv at mozilla.org Mon Oct 19 13:49:53 2015
From: gerv at mozilla.org (Gervase Markham)
Date: Mon, 19 Oct 2015 14:49:53 +0100
Subject: Bugzilla Meeting times
In-Reply-To:
References:
Message-ID:

On 30/09/15 10:20, Gervase Markham wrote:
> It's possible the current time-of-day of the Bugzilla meetings do not
> work well for everyone who might like to attend. If you have an interest
> in attending, each time or even sometimes, please can you reply to this
> message giving your location and timezone, and I can see if there's a
> happy medium which works for everyone? :-)

Thanks to all who responded. I record one response from Brisbane
(UTC+10), one from US Mountain Time (UTC-6), and one from Ottawa (UTC-4).

This suggests that a possible time might be 21:00 GMT, which would be
07:00 in Brisbane (on the following day), 15:00 in Mountain Time, 17:00
in Ottawa, and 22:00 in the UK. It is during the day for the whole of
the US, and it's not a totally ridiculous time, with warning, for the UK
or CEST. I don't mind staying up late if Jason is willing to get up
early :-)

However, unusually, I am unavailable during the entire evening on the
day the next meeting is scheduled, which is Wednesday week, 28th
October. :-( So I propose we try this new time for the meeting after
that, the one on Nov 25th.

Does that sound reasonable?

Gerv

From theycallmefish at gmail.com Mon Oct 19 14:40:17 2015
From: theycallmefish at gmail.com (Ryan Wilson)
Date: Mon, 19 Oct 2015 08:40:17 -0600
Subject: Bugzilla Meeting times
In-Reply-To:
References:
Message-ID:

Sounds reasonable to me.

On Mon, Oct 19, 2015 at 7:49 AM, Gervase Markham wrote:

> On 30/09/15 10:20, Gervase Markham wrote:
> > It's possible the current time-of-day of the Bugzilla meetings do not
> > work well for everyone who might like to attend. If you have an interest
> > in attending, each time or even sometimes, please can you reply to this
> > message giving your location and timezone, and I can see if there's a
> > happy medium which works for everyone? :-)
>
> Thanks to all who responded. I record one response from Brisbane
> (UTC+10), one from US Mountain Time (UTC-6), and one from Ottawa (UTC-4).
>
> This suggests that a possible time might be 21:00 GMT, which would be
> 07:00 in Brisbane (on the following day), 15:00 in Mountain Time, 17:00
> in Ottawa, and 22:00 in the UK. It is during the day for the whole of
> the US, and it's not a totally ridiculous time, with warning, for the UK
> or CEST. I don't mind staying up late if Jason is willing to get up
> early :-)
>
> However, unusually, I am unavailable during the entire evening on the
> day the next meeting is scheduled, which is Wednesday week, 28th
> October. :-( So I propose we try this new time for the meeting after
> that, the one on Nov 25th.
>
> Does that sound reasonable?
>
> Gerv

From justdave at bugzilla.org Mon Oct 19 15:16:08 2015
From: justdave at bugzilla.org (Dave Miller)
Date: Mon, 19 Oct 2015 11:16:08 -0400
Subject: Bugzilla Meeting times
In-Reply-To:
References:
Message-ID:

Likewise.

On October 19, 2015 10:40:17 AM EDT, Ryan Wilson wrote:
>Sounds reasonable to me.
>
>On Mon, Oct 19, 2015 at 7:49 AM, Gervase Markham wrote:
>
>> On 30/09/15 10:20, Gervase Markham wrote:
>> > It's possible the current time-of-day of the Bugzilla meetings do not
>> > work well for everyone who might like to attend. If you have an interest
>> > in attending, each time or even sometimes, please can you reply to this
>> > message giving your location and timezone, and I can see if there's a
>> > happy medium which works for everyone? :-)
>>
>> Thanks to all who responded. I record one response from Brisbane
>> (UTC+10), one from US Mountain Time (UTC-6), and one from Ottawa (UTC-4).
>>
>> This suggests that a possible time might be 21:00 GMT, which would be
>> 07:00 in Brisbane (on the following day), 15:00 in Mountain Time, 17:00
>> in Ottawa, and 22:00 in the UK. It is during the day for the whole of
>> the US, and it's not a totally ridiculous time, with warning, for the UK
>> or CEST. I don't mind staying up late if Jason is willing to get up
>> early :-)
>>
>> However, unusually, I am unavailable during the entire evening on the
>> day the next meeting is scheduled, which is Wednesday week, 28th
>> October. :-( So I propose we try this new time for the meeting after
>> that, the one on Nov 25th.
>>
>> Does that sound reasonable?
>>
>> Gerv

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

From kshep0010 at gmail.com Mon Oct 19 20:57:53 2015
From: kshep0010 at gmail.com (Ken Sheppard)
Date: Mon, 19 Oct 2015 13:57:53 -0700
Subject: Self-Introduction: Ken Sheppard
In-Reply-To:
References:
Message-ID:

Thanks for the warm welcome, I'm actually currently running it on Windows
and MySQL at home.

Thank you,
Ken Sheppard
980-318-9303

On Fri, Oct 16, 2015 at 9:51 AM, Gervase Markham wrote:

> On 15/10/15 21:31, Kenneth Sheppard wrote:
> > I would be interested in helping out with web server side or UI bugs.
> >
> > In the past I have built mostly system automation programs with Perl and
> > scripts to glue various pieces of software together. I have built a few
> > small web apps with dancer and mojo in the past as well, but only on
> > Windows.
> >
> > I have experience with Windows, Red Hat, Perl, SIEM solutions, Network
> > Security Apps, and Oracle Databases.
>
> Hi Ken,
>
> Welcome! I'm sure we can find useful stuff for you to do :-) Windows and
> Oracle experience is particularly handy - do you have Bugzilla running
> on Windows and/or Oracle?
>
> Gerv

From gerv at mozilla.org Wed Oct 21 12:59:50 2015
From: gerv at mozilla.org (Gervase Markham)
Date: Wed, 21 Oct 2015 13:59:50 +0100
Subject: Self-Introduction: Ken Sheppard
In-Reply-To:
References:
Message-ID:

On 19/10/15 21:57, Ken Sheppard wrote:
> Thanks for the warm welcome, I'm actually currently running it on Windows
> and MySQL at home.

Great. An awesome thing you could do is check over the Windows
installation instructions:
http://bugzilla.readthedocs.org/en/latest/installing/windows.html
which have recently been updated, and make sure they accord with your
experience.
:-)

Gerv

From jmcdonal at redhat.com Mon Oct 26 03:05:27 2015
From: jmcdonal at redhat.com (Jason Mcdonald)
Date: Mon, 26 Oct 2015 13:05:27 +1000
Subject: Bugzilla Meeting times
In-Reply-To:
References:
Message-ID: <562D9877.4080904@redhat.com>

On 19/10/15 23:49, Gervase Markham wrote:
> On 30/09/15 10:20, Gervase Markham wrote:
>> It's possible the current time-of-day of the Bugzilla meetings do not
>> work well for everyone who might like to attend. If you have an interest
>> in attending, each time or even sometimes, please can you reply to this
>> message giving your location and timezone, and I can see if there's a
>> happy medium which works for everyone? :-)
>
> Thanks to all who responded. I record one response from Brisbane
> (UTC+10), one from US Mountain Time (UTC-6), and one from Ottawa (UTC-4).
>
> This suggests that a possible time might be 21:00 GMT, which would be
> 07:00 in Brisbane (on the following day), 15:00 in Mountain Time, 17:00
> in Ottawa, and 22:00 in the UK. It is during the day for the whole of
> the US, and it's not a totally ridiculous time, with warning, for the UK
> or CEST. I don't mind staying up late if Jason is willing to get up
> early :-)
>
> However, unusually, I am unavailable during the entire evening on the
> day the next meeting is scheduled, which is Wednesday week, 28th
> October. :-( So I propose we try this new time for the meeting after
> that, the one on Nov 25th.
>
> Does that sound reasonable?

Sounds good to me.

Cheers,
--
Jason McDonald
Senior Software Engineer, Red Hat Asia Pacific, Brisbane, Australia
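
The per-bug hostname scheme from the "Offering full attachment isolation to Bugzilla installations" thread above, as an added example that is not part of the original messages or of Bugzilla's code: a minimal Public Suffix List matcher showing how the proposed `*.bzattachments.org` rule turns each bug hostname into its own registrable domain and makes a browser refuse a cookie scoped to the shared parent. The rule lists are constructed for illustration, exception (`!`) rules are omitted, and `company` is the placeholder delegation name used in the thread.

```javascript
// Added example. Rule lists are constructed; exception ("!") rules are omitted.
const PSL_BEFORE = ["org"];                        // bzattachments.org not listed
const PSL_AFTER = ["org", "*.bzattachments.org"];  // wildcard rule proposed in the thread

// Number of labels in the public suffix: the longest matching rule wins,
// and the implicit default rule "*" gives 1 when nothing else matches.
function suffixLabelCount(labels, rules) {
  let best = 1;
  for (const rule of rules) {
    const r = rule.split(".");
    if (r.length > labels.length) continue;
    const tail = labels.slice(labels.length - r.length);
    if (r.every((lab, i) => lab === "*" || lab === tail[i])) {
      best = Math.max(best, r.length);
    }
  }
  return best;
}

// Registrable domain = public suffix plus one more label.
// Returns null when the host is itself a public suffix.
function registrableDomain(host, rules) {
  const labels = host.toLowerCase().split(".");
  const n = suffixLabelCount(labels, rules);
  return labels.length > n ? labels.slice(-(n + 1)).join(".") : null;
}

// Two hosts can share cookie/document.domain scope only inside one registrable domain.
function sameRegistrableDomain(a, b, rules) {
  const ra = registrableDomain(a, rules);
  return ra !== null && ra === registrableDomain(b, rules);
}

// RFC 6265 section 5.3: a Domain attribute must domain-match the request host,
// and a browser ignores the cookie if that Domain is a public suffix
// (unless it equals the host, in which case the cookie becomes host-only).
function cookieDomainAccepted(requestHost, domainAttr, rules) {
  const host = requestHost.toLowerCase();
  const dom = domainAttr.toLowerCase().replace(/^\./, "");
  if (host !== dom && !host.endsWith("." + dom)) return false;
  const isPublicSuffix = registrableDomain(dom, rules) === null;
  return !isPublicSuffix || host === dom;
}

const A = "bug12345.company.bzattachments.org";
const B = "bug54321.company.bzattachments.org";
for (const [name, rules] of [["before", PSL_BEFORE], ["after", PSL_AFTER]]) {
  console.log(name, registrableDomain(A, rules),
    "shared with B:", sameRegistrableDomain(A, B, rules),
    "parent cookie accepted:", cookieDomainAccepted(A, "company.bzattachments.org", rules));
}
```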