Changes to Secure Bugmail on

There’s a big change coming on May 16th, 2018:

We’ve replaced the encryption code for secure bugmail.
All OpenPGP-formatted bugmail will be encrypted using the openpgp.js library.
There are no changes to the S/MIME encryption, and if you’re already using S/MIME my recommendation is to continue using it.

There are upsides (such as a new feature and several bugfixes) and only a single downside to this change.


  • Feature: Messages may be encrypted using the Elliptic curves P-256, P-384, P-521, SECP-256k1, Curve25519, and Ed25519 (You can generate ECC keys with the command gpg --expert --full-gen-key and choosing option 9)
  • Fix Bug 790487: Messages will be encrypted to subkeys when possible.
  • Fix Bug 1190749: Messages will be encrypted using AES256, instead of CAST 5
  • Fix Bug 1256321: Messages will not be encrypted with expired keys.

Future Upsides

In addition to these changes, future work may allow:

  • Generating and receiving wild card key IDs in public-key encrypted session key packets.
  • Experimental opt-in authenticated encryption (AES-EAX, OCB, or GCM) based on the IETF proposal

The Downside

There are a few users whose keys will not work for various reasons.
If you’re one of those users, you can expect an email today (May 11th) explaining your options.


In anticipation of questions that may be asked, here are some answers.

Why OpenPGP.js?

  • Using gpg is difficult because its API is based on executing processes and communicating over 4 (or perhaps more) file descriptors.
  • Using gpg is also stateful because it must maintain its own key database.
  • Our existing OpenPGP library, while considered the second-most-complete OpenPGP implementation, hasn’t been actively maintained in a while. ProtonMail is actively maintaining OpenPGP.js since 2016, and this inspires confidence.
  • OpenPGP.js has undergone two complete security audits from Cure53. The first audit is available for review.

Will my GPG key work?

Probably. If not, you’ll be hearing from me.

If you would like to check your own key, you can use this baroque single page app to see what keys OpenPGP.js supports.

happy bmo push day!

release tag

the following changes have been pushed to

  • [1450325] Update email templates with instructions for unsubscribing from all emails
  • [1451599] Checkbox for agreement terms at create account page should be on the left side
  • [1438205] Preserve comments in progress across page reloads
  • [1452531] PhabBugz code should add allow visibility to reviewers when creating custom policies
  • [1440828] Phabricator review requests should show up on the BMO dashboard
  • [1452241] Improve feed error handling and logging
  • [1453124] extensions/PhabBugz/bin/ should be combined with the normal feed daemon
  • [1455493] cleanup push connector logging
  • [1427395] Allow request_cache to be constant-folded in
  • [1455772] Label bug bounty form credit fields
  • [1373280] Highlight private comments in new bug modal UI
  • [1430367] Ssl preconnect google analytics
  • [1456529] Support SameSite attribute on session cookies
  • [1441732] Improve missing module error in Bugzilla::Extensions and catch more compile errors in tests
  • [1457031] When a revision does not have an bug id, the bug is made public but we also need to remove secure-revision tag

discuss these changes on

Happy BMO Push Day!

Dave's Ramblings

release tag

the following changes have been pushed to

  • [1450283] JobQueue should treat “no jobs” as a trace-level message, and all other logs as info
  • [1450920] Instant Search doesn’t work when not logged in
  • [1447028] Add auth delegation test script
  • [1446431] Allow Baseline scan to ignore forms that dont need CSRF Tokens
  • [1450791] SES handler needs to support both “event” and “notification” messages (to handle complaint messages in production)
  • [1449282] Create an endpoint that will report back the number of jobs currently in the jobqueue
  • [1450679] Replace custom Sentry integration with Logging
  • [1328900] Create new group called ‘disableusers’ that can only edit the bugmail and disabledtext fields of a user
  • [1450990] Refactor a bunch of the logging config files
  • [1451416] Bugzilla sometimes sends emails to accounts when it shouldn’t

View original post 88 more words

Bugzilla Harmony Beta

In addition to the Mojolicious ❤️, we’re also focused on more near-term gains.
Specifically getting the Bugzilla/Harmony branch running under PSGI, and being a thing you can download and use.

I am happy to announce today that the master branch is in a beta-quality state as of today,

At the moment, the following installation scenarios have been tested:

  • checkout the code
  • run cpanm --installdeps --notest --with-feature=bmo -l local .
  • run and edit localconfig to point your database (only mysql is currently working)
  • run app.psgi, optionally with starman

If you would like to help the project, a good place to start would be testing this on your systems and reporting back findings.

The next milestone will be integration of the Mojolicious work currently going on in PR #517 in the bmo repo

happy bmo push day!

release tag

the following changes have been pushed to

  • [1448681] Bugmail Message-ID header format changed without changing In-Reply-To/References, breaking threading
  • [1440829] Bugzilla comment for Phabricator commit should include entire commit message, not just first line
  • [1449413] Refactor circleci container building stuff
  • [1449156] Bugzilla::Memcached should use smaller timeouts and ping servers at instantiation time
  • [1449168] Remove warning –function from jobqueue worker
  • [1441063] Misleading bugzilla comment when asking for re-review
  • [1200695] API-key-creation emails should reflect if the action was a result of auth delegation
  • [1450008] documentation link in API errors is wrong
  • [1450010] The jobqueue supervisor’s pidfile should not be stored in the data directory
  • [1441897] Improve opengraph metadata for bug pages
  • [1447027] Document and tweak vagrant vm to support testing emails
  • [1441244] prevent compounding error messages in tests
  • [1450343] Make the SES handler use Bugzilla::Logging and log more details

discuss these changes on

Bugzilla ❤️ Mojolicious

In this pull request it is possible to:

  • Call Bugzilla’s authentication function from Mojolicious controllers
  • Render Bugzilla’s templates (which are template toolkit) from Mojo’s render
    (no small thing as we do some odd things to TT2)
  • Parts of bugzilla that need to examine the HTTP request can (mostly) do so now

This patch does a lot of plumbing, but the result of this work is that
you could replace index.cgi with something like the following:

get '/' => sub {
    my $c = shift;
    my $user = Bugzilla->login(LOGIN_OPTIONAL);
    $c->stash->{use_login_page} = 1;
    $c->render( template => 'index.html.tmpl', handler => 'bugzilla', user => $user );

A screenshot showing the homepage as rendered by mojolicious

happy bmo push day!

release tag

the following changes have been pushed to

  • [1443559] Remove “Urgency” (mapped to priority) field from the “form.doc” bug form for MDN content bugs
  • [1441903] Cleanup Makefile.PL
  • [1444088] review link for patches on the requests page no longer shows up
  • [1444627] Display saved searches on MyDashboard as an inline list
  • [1439993] Remove COMPILE_DIR => setting from Bugzilla::Template when effective group != webservergroup to prevent filesystem permission errors
  • [1437238] Create override parameters for mailer configuration.
  • [1427503] Allow all users to use Duo as the MFA provider.
  • [1443162] Attachment links should include urlbase
  • [1445041] if memcached server does not end with a port, append :11211
  • [1445098] flush stdout on cereal daemon
  • [1445066] Clicking “Last search results” sometimes results in an error
  • [1445042] log heartbeat errors
  • [1441181] Implement new process model for running multiple email jobqueue daemons
  • [1445700] apache_size_limit should be 800_000 when Linux::Smaps is not installed
  • [1446042] Please remove the IPC request form in Bugzilla
  • [1443058] Backport 1087400 to bmo – CGI 4.05 throws tons of “CGI::param called in list context” warnings
  • [1446156] mkdir template_cache: Permission denied
  • [1440328] Mentor email addresses not obfuscated when signed out
  • [1447221] memcache no longer returning results due to mismatched key handling in get vs. set
  • [1447291] Remove Apache2::Log from PhabBugs/Push in favor of logging framework
  • [1447289] heartbeat check should not check for enabled features
  • [1444008] Form action injection in Bugzilla /user_profile (leads to XSS/single-factor credential leakage)

discuss these changes on