happy bmo push day!

release tag

the following changes have been pushed to bugzilla.mozilla.org:

  • [1479350] “Phabricator Reviews Requested of You” lists bugs which I have reviewed
  • [1374266] Improve the “Zarro Boogs found” message
  • [1480169] Consider reducing the verbosity of phabricator ‘Revision Approved’ bugzilla comments
  • [1478897] ensure phabbugs doesn’t fail outright when encountering invalid bug ids
  • [1480599] Add “File new bug” menu to product/component hovercard
  • [1481207] POST /rest/bug_user_last_visit returns random number instead of bug ID
  • [1446855] enter_bug.cgi: Searching for duplicate bugs should trigger on changes to the Summary, not on all keystrokes
  • [1480473] Component description page: highlighted component lacks padding
  • [1474809] add “new to bugzilla” tag to non-comment changes
  • [1480897] When making a revision public, make the revision editable only by the bmo-editbugs-team project (editbugs)

discuss these changes on mozilla.tools.bmo.

happy bmo push day!

release tag

the following changes have been pushed to bugzilla.mozilla.org:

  • [1476288] Replace moz_nick with (new, revised) nick and also attempt to disallow duplicate nicks
  • [1472954] Implement one-click component watching on bug modal and component description pages
  • [1136271] Make user profile page visible to anyone for easier sharing
  • [1475593] Bugzilla Emails received when patches are attached in Phabricator
  • [1476841] Various code cleanups ahead of the Mojolicious patch
  • [1477894] get_attachment_revisions() should be returning an empty list, instead of a list of [0]
  • [1478012] Phab allows projects to have empty descriptions so Project.pm in PhabBugz should allow the same
  • [1419636] Make Google Analytics use beacon/XHR instead of img tag
  • [1478540] Update User.pm to load more than 100 users by using the paging functionality of Conduit API
  • [1478983] WebService endpoint to check if a user can enter a bug into a given product
  • [1479523] Disable one-click component watching for logged out users
  • [1320977] Add review/feedback/needinfo request counts and block statuses to /rest/user and /rest/user/suggest responses
  • [1475687] Remove https://bugzilla.mozilla.org/form.reps.it custom form
  • [1466737] “use my platform” should default to x86_64 on Mac OS X
  • [1479563] Wrap labels in Requests dropdown list
  • [1432095] OpenGraph image not loaded
  • [1478013] Importance, Status and Platform section labels in show bug view are linked but not clickable

discuss these changes on mozilla.tools.bmo.

happy bmo push day (old post)

release tag

the following changes have been pushed to bugzilla.mozilla.org:

  • [1471417] Remove XUL from attachment Content Type options; add SVG to standard options; mark PDF viewable
  • [1344080] Module headers should be minified when the module is open
  • [1469378] Update feed daemon to only manage subscribers on a revision if the bug is private, otherwise leave it alone
  • [1469373] Phabbugz fails with undefined error when phab user without linked BMO account accepts BMO linked revision
  • [1472048] Remove Metrics Code
  • [1471966] Blue “new changes since” bar disappears too quickly
  • [1472196] Disable use of editbugs as edit policy since group member syncing is currently broken on prod bmo

discuss these changes on mozilla.tools.bmo.

happy bmo push day!

release tag

the following changes have been pushed to bugzilla.mozilla.org:

  • [1459336] feed daemon skips setting r+ for accepted revision if the same user already has a flag set even if flag is status of ?
  • [1460466] Phab bot does not create r+ for acceptance when there are still blocking reviewers
  • [1440086] Refactor PhabBugz extension code to use new User.pm module for better type checking
  • [1458664] Feed daemon when adding or updating a new project in Phabricator, it should fix permissions and also make sure phab-bot is project member
  • [1462686] Current phabbugz in bmo master still refers to get_phab_bmo_ids() which is no longer part of the code
  • [1461819] Plack::Handler::Apache2 accidentally unsets $ENV{MOD_PERL}
  • [1461400] Log errors in webservices when undef values are passed to $self->type()

discuss these changes on mozilla.tools.bmo.

Changes to Secure Bugmail on bugzilla.mozilla.org

There’s a big change coming on May 16th, 2018:

We’ve replaced the encryption code for secure bugmail.
All OpenPGP-formatted bugmail will be encrypted using the openpgp.js library.
There are no changes to the S/MIME encryption, and if you’re already using S/MIME my recommendation is to continue using it.

There are upsides (such as a new feature and several bugfixes) and only a single downside to this change.

Upsides

  • Feature: Messages may be encrypted using the Elliptic curves P-256, P-384, P-521, SECP-256k1, Curve25519, and Ed25519 (You can generate ECC keys with the command gpg --expert --full-gen-key and choosing option 9)
  • Fix Bug 790487: Messages will be encrypted to subkeys when possible.
  • Fix Bug 1190749: Messages will be encrypted using AES256, instead of CAST 5
  • Fix Bug 1256321: Messages will not be encrypted with expired keys.

Future Upsides

In addition to these changes, future work may allow:

  • Generating and receiving wild card key IDs in public-key encrypted session key packets.
  • Experimental opt-in authenticated encryption (AES-EAX, OCB, or GCM) based on the IETF proposal

The Downside

There are a few users whose keys will not work for various reasons.
If you’re one of those users, you can expect an email today (May 11th) explaining your options.

Questions

In anticipation of questions that may be asked, here are some answers.

Why OpenPGP.js?

  • Using gpg is difficult because its API is based on executing processes and communicating over 4 (or perhaps more) file descriptors.
  • Using gpg is also stateful because it must maintain its own key database.
  • Our existing OpenPGP library, while considered the second-most-complete OpenPGP implementation, hasn’t been actively maintained in a while. ProtonMail is actively maintaining OpenPGP.js since 2016, and this inspires confidence.
  • OpenPGP.js has undergone two complete security audits from Cure53. The first audit is available for review.

Will my GPG key work?

Probably. If not, you’ll be hearing from me.

If you would like to check your own key, you can use this baroque single page app to see what keys OpenPGP.js supports.