happy bmo push day!

release tag

the following changes have been pushed to bugzilla.mozilla.org:

  • [1467297] variable masks earlier declaration in Feed.pm in Phabbugz extension
  • [1467271] When making a revision public, make the revision editable only by the bmo-editbugs-team project (editbugs)
  • [1456877] Add a wrapper around libcmark_gfm to Bugzilla
  • [1468818] Re-introduce is_markdown to the longdescs table (schema-only)
  • [1469689] Remove Bugzilla Helper and custom bug entry form links from Browse page
  • [1419971] Add new Developer Tools and WebExtensions products to easy product selector on Browse and Enter Bug pages
  • [1469827] The etiquette check on “Create new a Bugzilla account” lacks a proper label
  • [1469920] Update schema: add a nickname to profiles table and a fulltext index on the profiles realname field
  • [1469333] Check attachment file size client-side and inform user of too large file before uploading it
  • [1461379] API DB Availability Exceptions on recurring BMO scripts
  • [1393146] Automate blocking IPs that bugzilla flags as exceeding rate limits
  • [1470275] Copy Summary button should give some feedback
  • [1470343] GitHub PR diff is not decoded in UTF-8
  • [1470485] Create new policies using PhabricatorProjectsAllPolicyRule instead of PhabricatorProjectsPolicyRule
  • [1469881] Patches posted by Phabricator to Bugzilla don’t list the patch author
  • [1457900] When restricting a revision to a bugzilla group we should tag the revision with the project
  • [1471044] Allow some model classes to have dynamic column names with class method DYNAMIC_COLUMNS
  • [1470966] “Status” column in Phabricator dashboard isn’t very useful
  • [1452096] Some custom dropdown UI widgets stay fixed and don’t move with scroll
  • [1471304] Block sending mail to hosts that end with .tld or .bugs
  • [1457550] Update scripts/remove-non-public-data.pl suitability for current BMO infrastructure.
  • [1469023] Show “new changes since (datetime)” indicator that links to unread changes/comments

discuss these changes on mozilla.tools.bmo.

Changes to Secure Bugmail on bugzilla.mozilla.org

There’s a big change coming on May 16th, 2018:

We’ve replaced the encryption code for secure bugmail.
All OpenPGP-formatted bugmail will be encrypted using the openpgp.js library.
There are no changes to the S/MIME encryption, and if you’re already using S/MIME my recommendation is to continue using it.

There are upsides (such as a new feature and several bugfixes) and only a single downside to this change.

Upsides

  • Feature: Messages may be encrypted using the Elliptic curves P-256, P-384, P-521, SECP-256k1, Curve25519, and Ed25519 (You can generate ECC keys with the command gpg --expert --full-gen-key and choosing option 9)
  • Fix Bug 790487: Messages will be encrypted to subkeys when possible.
  • Fix Bug 1190749: Messages will be encrypted using AES256, instead of CAST 5
  • Fix Bug 1256321: Messages will not be encrypted with expired keys.

Future Upsides

In addition to these changes, future work may allow:

  • Generating and receiving wild card key IDs in public-key encrypted session key packets.
  • Experimental opt-in authenticated encryption (AES-EAX, OCB, or GCM) based on the IETF proposal

The Downside

There are a few users whose keys will not work for various reasons.
If you’re one of those users, you can expect an email today (May 11th) explaining your options.

Questions

In anticipation of questions that may be asked, here are some answers.

Why OpenPGP.js?

  • Using gpg is difficult because its API is based on executing processes and communicating over 4 (or perhaps more) file descriptors.
  • Using gpg is also stateful because it must maintain its own key database.
  • Our existing OpenPGP library, while considered the second-most-complete OpenPGP implementation, hasn’t been actively maintained in a while. ProtonMail is actively maintaining OpenPGP.js since 2016, and this inspires confidence.
  • OpenPGP.js has undergone two complete security audits from Cure53. The first audit is available for review.

Will my GPG key work?

Probably. If not, you’ll be hearing from me.

If you would like to check your own key, you can use this baroque single page app to see what keys OpenPGP.js supports.

happy bmo push day!

release tag

the following changes have been pushed to bugzilla.mozilla.org:

  • [1450325] Update email templates with instructions for unsubscribing from all emails
  • [1451599] Checkbox for agreement terms at create account page should be on the left side
  • [1438205] Preserve comments in progress across page reloads
  • [1452531] PhabBugz code should add allow visibility to reviewers when creating custom policies
  • [1440828] Phabricator review requests should show up on the BMO dashboard
  • [1452241] Improve feed error handling and logging
  • [1453124] extensions/PhabBugz/bin/update_project_members.pl should be combined with the normal feed daemon
  • [1455493] cleanup push connector logging
  • [1427395] Allow request_cache to be constant-folded in Bugzilla.pm
  • [1455772] Label bug bounty form credit fields
  • [1373280] Highlight private comments in new bug modal UI
  • [1430367] Ssl preconnect google analytics
  • [1456529] Support SameSite attribute on session cookies
  • [1441732] Improve missing module error in Bugzilla::Extensions and catch more compile errors in tests
  • [1457031] When a revision does not have an bug id, the bug is made public but we also need to remove secure-revision tag

discuss these changes on mozilla.tools.bmo.

Bugzilla ❤️ Mojolicious

In this pull request it is possible to:

  • Call Bugzilla’s authentication function from Mojolicious controllers
  • Render Bugzilla’s templates (which are template toolkit) from Mojo’s render
    (no small thing as we do some odd things to TT2)
  • Parts of bugzilla that need to examine the HTTP request can (mostly) do so now

This patch does a lot of plumbing, but the result of this work is that
you could replace index.cgi with something like the following:

get '/' => sub {
    my $c = shift;
    my $user = Bugzilla->login(LOGIN_OPTIONAL);
    $c->stash->{use_login_page} = 1;
    $c->render( template => 'index.html.tmpl', handler => 'bugzilla', user => $user );
};

A screenshot showing the bugzilla.mozilla.org homepage as rendered by mojolicious

happy bmo push day!

release tag

the following changes have been pushed to bugzilla.mozilla.org:

  • [1437383] Create User.pm PhabBugz class for loading of a user object from phabricator
  • [1441329] Fix typos in the PhahBugz User.pm module
  • [1438206] Process SES email bounces properly
  • [1441475] BMO is vulnerable to reverse tabbnabbing
  • [1437384] phabbugz_feed.pl in PhabBugz extension should be extended to also query for new users in Phab
  • [1403344] Extract schema migration code from checksetup.pl and expose via docker container command
  • [1429621] Add Saved Searches to My Dashboard
  • [1433299] Link in summary is broken
  • [1384313] Can’t build the docs from within the vagrant box
  • [1441569] remove_idle_group_members.pl fails on vagrant box
  • [1440239] Assign a secure revision to the `secure-revision` group project
  • [1437646] Support Mozlog logs using Log::Log4perl
  • [1442099] Add memcached tracing to help debug weirdness in cloud env
  • [1442288] Bugzilla::Logging should log when a program is being run interactively
  • [1442520] move inbound_proxies to localconfig
  • [1402494] BMO Integration User is a full administrative user on Phabricator
  • [1443003] Port bug 1175211 to Harmony branch (Undefined subroutine &Bugzilla::CGI::SERVER_PUSH)
  • [1273381] Improve bugzilla object performance by using Class::XSAccessor for object accessors
  • [1419973] Modify product selector layout on Browse and Enter Bug pages
  • [1429344] Review requests in requests dropdown should link to MozReview or GitHub instead of Bugzilla details page
  • [1433573] Display the short URL link even for queries without any results
  • [1443049] is_interactive() must be declared before log4perl config is loaded
  • [1343248] Migrate secbugstats scripts to bmo production
  • [1441181] Implement new process model for running multiple email jobqueue daemons

discuss these changes on mozilla.tools.bmo.