Bugzilla Project Updates

As you know, we’re working on two fronts in Bugzilla Development:

A quality-of-life release (5.2) which includes support for utf8mb4,

MySQL 8 compatibility, and compatibility with the latest versions of perl.

A feature-packed release (6.0) which includes the UX/UI from bugzilla.mozilla.org, based on mojolicious.

The 5.2 Update

At the behest of justdave I’ve focused my attention on the quality of life release (5.2). I had desired to be able to release that this week, but this has fallen short because of unforeseen complications.

Here’s a list of things that are ready in the 5.2 branch:

  • MySQL 8 regexp compatibility (it turns out our default emailregexp wasn’t compatible with MySQL 8)
  • SQLite works again (sqlite was broken and is untested in the 5.2 branch)
  • Fixing Safe.pm bug in latest perl (the latest perl has a bug with Safe and Bugzilla must work around it)
  • checksetup.pl completes and large parts of the code work on MySQL 8

The problems remaining are that it is there are many places where snippets of sql are generated and it is non-obvious where and when to quote them. There are cases where an ORDER BYmust be quoted, for instance.

Because the patch set to quote all occurrences of is already quite large, I began exploring a more comprehensive fix on February 3rd. This approach is promising, and may result in a bit of reusable code useful to other Perl applications that have forbidden column or table names that used to work.

At the time of writing, I have written a mysql expression parser that can handle nearly every SQL expression used in Bugzilla. It takes a SQL expression and then quotes all column and table references. While the parser is over 300 lines, it means the overall patch is localized to one new file and a minor change to Bugzilla::DB. I hope to finish the parser this week, and have the patch in review over the weekend (Feb 8/Feb 9).

The 6.0 Update

Since the last meeting, I came up with this (rough) release plan. I’m working on the second version of this, but the gist here is very accurate. We know the “6.0” release will work, because we know bugzilla.mozilla.org works every day. 🙂

  • Delete Mozilla-specific code and branding
    • The Mozilla logo
    • Make it so nobody@mozilla.org is not hard-coded anywhere
    • Remove the Bugzilla::Report::* classes as those are specific reporting features of BMO that
  • Ensure a migration (schema migration) is possible from 5.0 to 6.0.
    • This is mainly a matter of reversing the “multiple aliases” support that was added in 5.0 but is not going to be present in 6.0.
    • There are complications involving the db schema and how email works that are TBD
  • If possible, some dependencies that are difficult to package (or not maintained well) must be dropped.
    • Mostly this is Data::Password::passwdqc.
    • As we will not add new features, this means forgoing password complexity checks which is actually a good thing as passwdqc rejects perfectly fine randomly generated passwords and people hate it.
  • Validate that we can run against PostgreSQL

An apology for impetuous tweeting

I’d like to apologize to this tweet. The events were playing out, and it felt urgent that I act and so I did. I think now I would have said nothing, but still written the letter I ended up writing. That tweet and a few others1 felt impetuous and not how I would like to present myself.

I’m also aware that I hurt at least one close friend, and I am sorry for that. I will try harder to think before I tweet.

  1. There is one where I insulted someone in a mean way that I deleted, but my mistakes remain published.

Open Letter to European Perl Conference

To the organizers of the European Perl Conference in Riga.

I have been involved in the perl community for 22 years. I feel a moral obligation to ensure people that I have introduced to it can continue to feel welcomed and safe. This letter is not meant to shame anyone, but it is public to provide some level of proof that people in the community care about enforcing codes of conduct.


There’s actually two issues at hand. The first one is that a person violated the Standards of Conduct (Code of Conduct) at the last Perl Conference in Pittsburgh and is slated to be a keynote speaker for the Perl Conference in Riga.

UPDATE: The keynote speaker issue has been resolved. The rest of this letter remains accurate.

The second issue is that after some prominent people raised concern, there was a perhaps hastily-written blog post that ended with a transphobic joke. The blog post was subsequently edited to remove the joke, along with some tweets relating to the issue.

Adding to the first issue, some may question the acceptability of deadnaming if the victim does not care. It would appear that is still a violation of Standards of Conduct.

Some have already pointed out the bad optics around this, and I’m not here to talk about that. I do care about how this looks to the world at large. This is an open letter precisely because handling this issue in secret would be worse than talking about it.

We’re going to cover Safety and Gender, and at the end some ways which we can resolve this issue. I am not the best person to cover these topics, but I am doing so because that lifts the burden from members of the minority having to explain again and again why something hurt because people want facts.


People will report Code of Conduct violations. The important question is, how will you handle those incidents and enforce your CoC?

Sage Sharp, 2016-01-25

The underlying issue is one of Safety. Vulnerable individuals attending conference must have faith that the code of conduct will be upheld. No one should be above reproach, and if a person violates the code at an event, it should inform decisions towards that person at other events.

This does not necessarily mean that the person need to be barred from the event — I do not hold an opinion on that matter — but some obviously feel that having the person be a keynote speaker does send a signal that perhaps the conference does not take ensuring the safety of attendees seriously.

You do not have to agree with me on this issue, but you also cannot argue about what trade-offs people make with their personal safety.

For additional information about safety, there is no better source than this collection of FAQs about Codes of Conduct


Assuming you’re still with me, you agree that people need to feel safe. But you’re struggling because you don’t think the behavior was serious enough.

we’re not talking about serious stuff! He just used the wrong name and pronouns!

some random internet person

This belief is false. Misgendering trans people causes harm.

In the AP News article Misgendering is not a lightweight ‘mistake’ Karolyn Wilson explains that empathy can inform sympathies:

I can’t speak for transgender men and women, but empathy can inform my sympathies: if I feel insulted and demeaned when I am misgendered, how much worse is it for someone who has had to work so much harder than I have to make their outsides match their insides, for someone who is in so much more danger of being discounted as a person or persecuted for who they are?

Karolyn Wilson, Misgendering is not a lightweight ‘mistake’

If you’re reading this and you’re cisgender, presumably you can think back to a time when you were misgendered. If that is not the case, perhaps imagine what it would feel like.

These situations, imagined or otherwise to this tend to have reactions that fall somewhere in a spectrum, but with typical reactions being:

  • You could feel as Karolyn Wilson did — as less of a person, less solid, and less seen
  • Or perhaps you will feel as I did when I first thought about this experience: Indifferent.

If you feel indifferent, and are not yet capable of understanding why gender identity is important you must start believing the lived experience of trans people. You should watch this video by Vi Hart (5 minutes). A quote from this video resonated with me when I first saw it:

My condescending teenager attitude came from a false belief that other people are basically like me.

Vi Hart

I think watching that video and internalizing the line of reasoning Vi Hart uses can help those that are cisgender but not strongly attached to the concepts or expectations of gender.

Now at this point, if you’re still reading I hope you’re with me. Perhaps you’ve read to this point, but you take issue with the joke being characterized as transphobic.

The reason people had a negative reaction to the comment about the perl conference identifying with a different name is because the conference is not a person and drawing this absurd parallel is an attack. This is quite similar to saying ”I identify as an attack helicopter” which is also transphobic and an attack on the concept of gender identity.

There isn’t space to go into this, but this video about gender and this video transphobia are not very long and cover things much better than I can.

I guess I’m done with this topic. As after this some people may label me as a SJW, I’ll pre-emptively tell you to watch The Straight White Man’s Guide to Feminism and Social Justice.


Right now people are upset. Several prominent people have called for a boycott of the conference. I’m sure this is not intended. Organizing a conference is very hard, it’s difficult to get the right kinds of help. It’s very stressful and then this happens and people are making demands and I know it must feel like you’re being attacked.

When people say things like “I am appalled by something you have done” it doesn’t mean they are attacking you. It coveys some amount of surprise, and they’re telling you this because they think you are better than the action and can decide to do something different.

Let’s walk it back. There are concrete steps that can be taken to alleviate this problem, and in fact shine.

  1. The SoC violating keynote speaker cannot be a keynote speaker.
  2. An apology for the removed blog post. It was a natural mistake — people will easily forgive such as thing if the apology is genuine.
  3. A commitment to safety must be made. It is not apparent if this conference has a Code of Conduct. The Glasgow conference did, but I don’t see this mentioned initially but I did not look very closely.

happy bmo push day

release tag

the following changes have been pushed to bugzilla.mozilla.org:

  • [1498206] Replace LWP::UserAgent with Mojo::UserAgent in phabbugz extension
  • [1497487] Use HMAC to generate tokens and sensitive graph filenames
  • [1498436] Move site-wide message to global header
  • [1498362] Shutter the “Powered By Mozilla” form
  • [1009716] Add (Cmd|Ctrl)+Enter shortcut for submitting from text areas.
  • [1499262] Bugzilla::DB should gracefully handle disconnection events that happen during transactions
  • [1497077] Convert links to absolute path
  • [1499417] Change BMO docs links from bmo.readthedocs.org to .io
  • [1499269] Refactor common parts of the feed daemon and improve timeout logging
  • [1496004] Improve layout of attachment detail page, hide comment form when custom form is inserted
  • [1495741] Multiple fixes for issues related to memory usage + configuration options for managing memory usage
  • [1482644] Improve “Too many requests” page with an explanation
  • [1499477] Feature request: link from user profile to editusers.

discuss these changes on mozilla.tools.bmo.

happy bmo push day – mojolicious edition

As previously announced at FOSDEM 2018 and then re-announced at MojoConf, bugzilla.mozilla.org is now running on Mojolicious “A next generation web framework for the Perl programming language”

This release incorporates 28 changes and the Mojolicious migration is the least interesting to the end-user, but it is pretty important in terms of being able to deliver rich experiences moving forward.

As an aside, it’s very possible to just download and run bugzilla now,
and the Bugzilla Harmony initiative could use some help cranking out a first release. Interested parties can reach out to me or find us in #bugzilla on irc.mozilla.org

Continue reading “happy bmo push day – mojolicious edition”