[gentoo-dev] Bugzilla 4 migration

[gentoo-dev] Bugzilla 4 migration

[Christian Ruppert]

[-- Attachment #1: Type: text/plain, Size: 1068 bytes --]

Dear community,

our Bugzilla (bugs.gentoo.org) will be unavailable for the next hours.
We're going to migrate our old Bugzilla to Bugzilla-4.
We expect our update to finish within the next hours.

Some notes:
SSL is enabled by default now, so it's forced. Unfortunately the
option to force SSL *only* for logged in user is no longer available in
Bugzilla-4.x. It has been added in early 3.x AFAIR and later replaced by
forcing SSL at all or not.
If *anybody* can't use SSL for any reason please yell so that we can
decide if we leave it as it is (plain + encrypted) or not.

All custom/Gentoo patches will be available *later* in a git repo[1].
So if you'd like to fix something or improve the theme you can
contribute patches.
Thanks to Alex Legler (a3li) for the Bugzilla theme.

[1]
http://git.overlays.gentoo.org/gitweb/?p=proj/gentoo-bugzilla.git;a=summary

-- 
Regards,
Christian Ruppert
Role: Gentoo Linux developer, Bugzilla administrator and Infrastructure
member
Fingerprint: EEB1 C341 7C84 B274 6C59  F243 5EAB 0C62 B427 ABC8


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 554 bytes --]

Re: [gentoo-dev] Bugzilla 4 migration

[Christian Ruppert]

[-- Attachment #1: Type: text/plain, Size: 2186 bytes --]

On 03/07/2011 01:00 AM, Jan Kundrát wrote:
> On 03/06/11 23:55, Christian Ruppert wrote:
>> our Bugzilla (bugs.gentoo.org) will be unavailable for the next hours.
>> We're going to migrate our old Bugzilla to Bugzilla-4.
>> We expect our update to finish within the next hours.
> 
> (Private reply, as I don't feel like flaming you in public. Feel free to
> re-send to a public list, or quote, preferably as a whole.)
> 
> Hi Christian,
> I wanted to ask if I missed the announcement of the migration. I tried
> to imagine a case which would force people to go ahead and perform such
> an action without informing the world about the downtime in advance, but
> failed to find one. So, did I miss the announcement, or was that a lapse
> on some guy's side, or is it something else which warranted a swift
> action? Anyway, I'm looking forward to a nice, upgraded bugzie.
> 
> Hm, so before sending this mail, I checked my gentoo-dev archive, and
> the first e-mail about Bugzilla migration is roughly 12 hours old.
> That's very different from how Infra has handled any other migration in
> the past (apart from dealing with unexpected emergencies, of course). I
> realize I'm in the armchair position in this case, but this looks like a
> rather dangerous move. When you add the workflow change, I wouldn't
> stick with an announcement 12 hours in advance myself (I do sysadmin
> stuff as a day job).
> 
> With kind regards,
> Jan
> 

Hey Jan,

I know I didn't announce it properly. It was *my* "fault" but this is
also a special case IMO.
We decided to migrate just a few hours ago because robbat2 and me having
enough time to do it now, finally. We're waiting since about 2007 for
Bugzilla upgrades and it's now 2011 so I thought it's ok to do it now
instead of waiting another few months (probably) or longer until we both
have enough time again etc.

We're not going to change the workflow, at least not now. We only do
that if you guys decided about it.

-- 
Regards,
Christian Ruppert
Role: Gentoo Linux developer, Bugzilla administrator and Infrastructure
member
Fingerprint: EEB1 C341 7C84 B274 6C59  F243 5EAB 0C62 B427 ABC8


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 554 bytes --]

Re: [gentoo-dev] Bugzilla 4 migration

[Michał Górny]

[-- Attachment #1: Type: text/plain, Size: 569 bytes --]

On Sun, 06 Mar 2011 23:55:31 +0100
Christian Ruppert <idl0r@gentoo.org> wrote:


> SSL is enabled by default now, so it's forced. Unfortunately the
> option to force SSL *only* for logged in user is no longer available
> in Bugzilla-4.x. It has been added in early 3.x AFAIR and later
> replaced by forcing SSL at all or not.
> If *anybody* can't use SSL for any reason please yell so that we can
> decide if we leave it as it is (plain + encrypted) or not.

Is there any *real* reason to force SSL? It is *hell* slow.

-- 
Best regards,
Michał Górny

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-dev] Bugzilla 4 migration

[Dirkjan Ochtman]

On Mon, Mar 7, 2011 at 10:12, Michał Górny <mgorny@gentoo.org> wrote:
> Is there any *real* reason to force SSL? It is *hell* slow.

Do you mean that SSL is slow or that bugs is slow? I also noticed that
Bugzilla is very slow right now, but it seems unlikely that it's due
to SSL.

Cheers,

Dirkjan

Re: [gentoo-dev] Bugzilla 4 migration

[Michał Górny]

[-- Attachment #1: Type: text/plain, Size: 496 bytes --]

On Mon, 7 Mar 2011 10:24:33 +0100
Dirkjan Ochtman <djc@gentoo.org> wrote:

> On Mon, Mar 7, 2011 at 10:12, Michał Górny <mgorny@gentoo.org> wrote:
> > Is there any *real* reason to force SSL? It is *hell* slow.
> 
> Do you mean that SSL is slow or that bugs is slow? I also noticed that
> Bugzilla is very slow right now, but it seems unlikely that it's due
> to SSL.

Both but yep, unrelated. I am just a personal SSL-forced-everywhere
hater.

-- 
Best regards,
Michał Górny

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-dev] Bugzilla 4 migration

[Mike Frysinger]

On Mon, Mar 7, 2011 at 4:12 AM, Michał Górny wrote:
> On Sun, 06 Mar 2011 23:55:31 +0100 Christian Ruppert wrote:
>> SSL is enabled by default now, so it's forced. Unfortunately the
>> option to force SSL *only* for logged in user is no longer available
>> in Bugzilla-4.x. It has been added in early 3.x AFAIR and later
>> replaced by forcing SSL at all or not.
>> If *anybody* can't use SSL for any reason please yell so that we can
>> decide if we leave it as it is (plain + encrypted) or not.
>
> Is there any *real* reason to force SSL? It is *hell* slow.

it should of course be force for logging in
-mike

Re: [gentoo-dev] Bugzilla 4 migration

[Tobias Klausmann]

Hi! 

On Mon, 07 Mar 2011, Mike Frysinger wrote:
> >> If *anybody* can't use SSL for any reason please yell so that we can
> >> decide if we leave it as it is (plain + encrypted) or not.
> >
> > Is there any *real* reason to force SSL? It is *hell* slow.
> 
> it should of course be force for logging in

If it is enforced for login, it should be enforced for logged
in sessions, cf. Cookie stealing (for a POC: Firesheep). And no,
restricting the login cookie to an IP is *not* "safe enough".

Regards,
Tobias

-- 
Sent from aboard the Culture ship
	GSV Zero Gravitas

Re: [gentoo-dev] Bugzilla 4 migration

[Dane Smith]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/07/2011 09:48 AM, Tobias Klausmann wrote:
> Hi! 
> 
> On Mon, 07 Mar 2011, Mike Frysinger wrote:
>>>> If *anybody* can't use SSL for any reason please yell so that we can
>>>> decide if we leave it as it is (plain + encrypted) or not.
>>>
>>> Is there any *real* reason to force SSL? It is *hell* slow.
>>
>> it should of course be force for logging in
> 
> If it is enforced for login, it should be enforced for logged
> in sessions, cf. Cookie stealing (for a POC: Firesheep). And no,
> restricting the login cookie to an IP is *not* "safe enough".
> 
> Regards,
> Tobias
> 

First off, a big thanks to infra and all involved in the migration. It
looks awesome!

As to the SSL bit, there is *no* reason not to be using SSL for anything
that requires a username / password. And I 100% agree with Tobias. If
it's necessary to use SSL to login, it's necessary to use it for the
duration of the session. I don't know how feasible it is to do, but if
normal viewing (no login) can be left SSL free, I see no issue there.
Otherwise however, SSL should be in use.

Regards,
- -- 
Dane Smith (c1pher)
Gentoo Linux Developer -- QA / Crypto / Sunrise / x86
RSA Key: http://pgp.mit.edu:11371/pks/lookup?search=0x0C2E1531&op=index
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJNdPDCAAoJEEsurZwMLhUxFtUP/istnBrfWjaj8SoHmweB5Uh8
Fblpar2tWVqqSORPV0fkXnYogXK8EbSl4eQDo6Q5LZt4OUzP2T4rLOrrexaxL2s/
GzKYHeoEsUKAfkZa5W3bmL8ZaL0ueYFqM/ucx1r9iGEqEOIr33G3eaR3AlaovmjV
Qw/r0McPFJDxqZz+79Xl/sFTFJaDHebEKiYT9Y40m3+6Ha4EqWcZ5DLX41/kfE77
Du+hCdf5J3E29vED3qtY5FBrmzG4ILBPCXbYxW8IMbpizQAzj7XzH8ZxjA9OvPOJ
S0kxrjQR9oFodiPETYf/vOpsHlp/D3+HECRo4Qa1OJBdkb70ci+5XHoY3GvdAKUe
MN3jCf94CSxlCyJcngWoyiu9j93l2Z3ctjq3cHo1dH4ETo686jyKFm4xBBkm4UrF
Co6c/pkX+78m2Py4hcWml+X2reYMurTC0dRG42YCW3dXRMJha6OZKIKXTf19FakL
bEd0adIK99t+N3i63yKIsd9p5SrU0H2ysJtX2wNyUVMAYnAad7gn7SGCKCytmvAo
4R8to3O7DitfIXAAz78Zj5vwa9VIbPu8dCTV0zo2XHE5EOXfu87YMQYKQQU1KwXK
9Rx0ZLys+vQCJL1EhezXBRcG39ksVHI1/hytD3LMTeRRXeQLJUrE3LK64mxtEARH
f7uLbv3dNgsjbhIM7jfQ
=CxR9
-----END PGP SIGNATURE-----

Re: [gentoo-dev] Bugzilla 4 migration

[Mike Frysinger]

On Mon, Mar 7, 2011 at 9:48 AM, Tobias Klausmann wrote:
> On Mon, 07 Mar 2011, Mike Frysinger wrote:
>> >> If *anybody* can't use SSL for any reason please yell so that we can
>> >> decide if we leave it as it is (plain + encrypted) or not.
>> >
>> > Is there any *real* reason to force SSL? It is *hell* slow.
>>
>> it should of course be force for logging in
>
> If it is enforced for login, it should be enforced for logged
> in sessions, cf. Cookie stealing (for a POC: Firesheep). And no,
> restricting the login cookie to an IP is *not* "safe enough".

you're talking about two different things.  imo it's more important to
protect the credentials than spoofing/replay attacks.  the former is a
no brainer while the latter is fine to leave to the discretion of the
end user.
-mike

Re: [gentoo-dev] Bugzilla 4 migration

[Michał Górny]

[-- Attachment #1: Type: text/plain, Size: 944 bytes --]

On Mon, 7 Mar 2011 15:48:19 +0100
Tobias Klausmann <klausman@gentoo.org> wrote:

> On Mon, 07 Mar 2011, Mike Frysinger wrote:
> > >> If *anybody* can't use SSL for any reason please yell so that we
> > >> can decide if we leave it as it is (plain + encrypted) or not.
> > >
> > > Is there any *real* reason to force SSL? It is *hell* slow.
> > 
> > it should of course be force for logging in
> 
> If it is enforced for login, it should be enforced for logged
> in sessions, cf. Cookie stealing (for a POC: Firesheep). And no,
> restricting the login cookie to an IP is *not* "safe enough".

Why does everyone assume it needs to be enforced? If user is interested
in protecting his/her data, he/she can simply use https://. If he/she
is not, there is no real reason to enforce slower (and not always
supported) SSL.

It's like forcing everyone to have doors with semi-automatic locks.

-- 
Best regards,
Michał Górny

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-dev] Bugzilla 4 migration

[Christian Ruppert]

[-- Attachment #1: Type: text/plain, Size: 1302 bytes --]

On 03/07/2011 08:47 PM, Michał Górny wrote:
> On Mon, 7 Mar 2011 15:48:19 +0100
> Tobias Klausmann <klausman@gentoo.org> wrote:
> 
>> On Mon, 07 Mar 2011, Mike Frysinger wrote:
>>>>> If *anybody* can't use SSL for any reason please yell so that we
>>>>> can decide if we leave it as it is (plain + encrypted) or not.
>>>>
>>>> Is there any *real* reason to force SSL? It is *hell* slow.
>>>
>>> it should of course be force for logging in
>>
>> If it is enforced for login, it should be enforced for logged
>> in sessions, cf. Cookie stealing (for a POC: Firesheep). And no,
>> restricting the login cookie to an IP is *not* "safe enough".
> 
> Why does everyone assume it needs to be enforced? If user is interested
> in protecting his/her data, he/she can simply use https://. If he/she
> is not, there is no real reason to enforce slower (and not always
> supported) SSL.
> 
> It's like forcing everyone to have doors with semi-automatic locks.
> 

*I* think it's ok if we're going to protect *our* data. Some user may
even benefit from it.
I don't see any disadvantages for our users.

-- 
Regards,
Christian Ruppert
Role: Gentoo Linux developer, Bugzilla administrator and Infrastructure
member
Fingerprint: EEB1 C341 7C84 B274 6C59  F243 5EAB 0C62 B427 ABC8


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 554 bytes --]

Re: [gentoo-dev] Bugzilla 4 migration

[Olivier Crête]

[-- Attachment #1: Type: text/plain, Size: 1206 bytes --]

On Mon, 2011-03-07 at 20:47 +0100, Michał Górny wrote:
> On Mon, 7 Mar 2011 15:48:19 +0100
> Tobias Klausmann <klausman@gentoo.org> wrote:
> 
> > On Mon, 07 Mar 2011, Mike Frysinger wrote:
> > > >> If *anybody* can't use SSL for any reason please yell so that we
> > > >> can decide if we leave it as it is (plain + encrypted) or not.
> > > >
> > > > Is there any *real* reason to force SSL? It is *hell* slow.
> > > 
> > > it should of course be force for logging in
> > 
> > If it is enforced for login, it should be enforced for logged
> > in sessions, cf. Cookie stealing (for a POC: Firesheep). And no,
> > restricting the login cookie to an IP is *not* "safe enough".
> 
> Why does everyone assume it needs to be enforced? If user is interested
> in protecting his/her data, he/she can simply use https://. If he/she
> is not, there is no real reason to enforce slower (and not always
> supported) SSL.

Maybe it's not to protect the user, but to protect the Gentoo
infrastructure.. And really, SSL has been supported by every browser for
the last 15 years. And it is not in any way slow or slower than non-SSL.


-- 
Olivier Crête
tester@gentoo.org
Gentoo Developer

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-dev] Bugzilla 4 migration

[Fabian Groffen]

On 07-03-2011 15:06:25 -0500, Olivier Crête wrote:
> Maybe it's not to protect the user, but to protect the Gentoo
> infrastructure.. And really, SSL has been supported by every browser for
> the last 15 years. And it is not in any way slow or slower than non-SSL.

but the certificate security click-through-couple-of-times before you
can access bugzilla is sort of annoying

As outsider, I don't like to accept another certificate thing, just to
view a bugtracker.


-- 
Fabian Groffen
Gentoo on a different level

Re: [gentoo-dev] Bugzilla 4 migration

[Rich Freeman]

On Mon, Mar 7, 2011 at 4:32 PM, Fabian Groffen <grobian@gentoo.org> wrote:
> As outsider, I don't like to accept another certificate thing, just to
> view a bugtracker.

When you think about it, this is a defect with your browser, and not
so much with SSL itself.

Your browser generally doesn't complain about unauthenticated
connections.  It accepts unauthenticated connections that aren't
encrypted without any issues, despite these being completely open to
numerous attacks.  However, your browser does complain when it makes
an unauthenticated connection that IS encrypted, even though this is
vulnerable to far fewer attacks.

Browsers shouldn't bug the user about self-signed certificates - they
should simply and clearly show that the user is connected to a host
that isn't authenticated by a trusted intermediate.

Oh, and browsers shouldn't come with root certs pre-installed by the
browser distributor either, but that is about as likely to get fixed
as the problem I just described.

In any case, I don't see poor browser design as a valid reason for
avoiding the use of SSL...

Rich

Re: [gentoo-dev] Bugzilla 4 migration

[Fabian Groffen]

On 07-03-2011 16:52:23 -0500, Rich Freeman wrote:
> In any case, I don't see poor browser design as a valid reason for
> avoiding the use of SSL...

Please use a MUA that properly honours Reply-To: headers.  I'm on the
list.


-- 
Fabian Groffen
Gentoo on a different level

Re: [gentoo-dev] Bugzilla 4 migration

[Mike Frysinger]

[-- Attachment #1: Type: Text/Plain, Size: 385 bytes --]

On Monday, March 07, 2011 16:59:22 Fabian Groffen wrote:
> On 07-03-2011 16:52:23 -0500, Rich Freeman wrote:
> > In any case, I don't see poor browser design as a valid reason for
> > avoiding the use of SSL...
> 
> Please use a MUA that properly honours Reply-To: headers.  I'm on the
> list.

subscribed != receiving.  there's no way of knowing who is.  get over it.
-mike

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: [gentoo-dev] Bugzilla 4 migration

[Mike Frysinger]

[-- Attachment #1: Type: Text/Plain, Size: 682 bytes --]

On Monday, March 07, 2011 16:32:55 Fabian Groffen wrote:
> On 07-03-2011 15:06:25 -0500, Olivier Crête wrote:
> > Maybe it's not to protect the user, but to protect the Gentoo
> > infrastructure.. And really, SSL has been supported by every browser for
> > the last 15 years. And it is not in any way slow or slower than non-SSL.
> 
> but the certificate security click-through-couple-of-times before you
> can access bugzilla is sort of annoying

i heard rumors the cacert is finally going into firefox ...

> As outsider, I don't like to accept another certificate thing, just to
> view a bugtracker.

if we're only forcing *login*, then this isnt an issue
-mike

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: [gentoo-dev] Bugzilla 4 migration

[Fabian Groffen]

On 07-03-2011 17:25:02 -0500, Mike Frysinger wrote:
> > As outsider, I don't like to accept another certificate thing, just to
> > view a bugtracker.
> 
> if we're only forcing *login*, then this isnt an issue

+1


-- 
Fabian Groffen
Gentoo on a different level

Re: [gentoo-dev] Bugzilla 4 migration

[Michał Górny]

[-- Attachment #1: Type: text/plain, Size: 819 bytes --]

On Mon, 07 Mar 2011 15:06:25 -0500
Olivier Crête <tester@gentoo.org> wrote:

> On Mon, 2011-03-07 at 20:47 +0100, Michał Górny wrote:
> > Why does everyone assume it needs to be enforced? If user is
> > interested in protecting his/her data, he/she can simply use
> > https://. If he/she is not, there is no real reason to enforce
> > slower (and not always supported) SSL.
> 
> Maybe it's not to protect the user, but to protect the Gentoo
> infrastructure.. And really, SSL has been supported by every browser
> for the last 15 years. And it is not in any way slow or slower than
> non-SSL.

If you really think you need to force all users to use SSL, thus
assuming they're unable to make their own decisions, why don't you
restrict bugzie access completely?

-- 
Best regards,
Michał Górny

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-dev] Bugzilla 4 migration

[Antoni Grzymała]

 On Tue, 8 Mar 2011 15:26:34 +0100, Michał Górny wrote:
> On Mon, 07 Mar 2011 15:06:25 -0500
> Olivier Crête <tester@gentoo.org> wrote:
>
>> On Mon, 2011-03-07 at 20:47 +0100, Michał Górny wrote:
>> > Why does everyone assume it needs to be enforced? If user is
>> > interested in protecting his/her data, he/she can simply use
>> > https://. If he/she is not, there is no real reason to enforce
>> > slower (and not always supported) SSL.
>>
>> Maybe it's not to protect the user, but to protect the Gentoo
>> infrastructure.. And really, SSL has been supported by every browser
>> for the last 15 years. And it is not in any way slow or slower than
>> non-SSL.
>
> If you really think you need to force all users to use SSL, thus
> assuming they're unable to make their own decisions, why don't you
> restrict bugzie access completely?

 Michał,

 You don't seem to (or pretend not to) understand that using SSL 
 protects not *the user* (in which case, yes, a user is free to leave the 
 door to *his own* house wide open), but the Gentoo infrastructure that 
 is far from his own and that all of us are using. Besides, complaining 
 about SSL being slow is absurd considering how mildly interactive and 
 how low-traffic a typical bugzilla session is. You could do just fine 
 over a 9600 bps modem.

 Regards,

 Antoni

Re: [gentoo-dev] Bugzilla 4 migration

[Michał Górny]

[-- Attachment #1: Type: text/plain, Size: 1876 bytes --]

On Tue, 08 Mar 2011 16:41:08 +0200
Antoni Grzymała <awaria@chopin.edu.pl> wrote:

>  On Tue, 8 Mar 2011 15:26:34 +0100, Michał Górny wrote:
> > On Mon, 07 Mar 2011 15:06:25 -0500
> > Olivier Crête <tester@gentoo.org> wrote:
> >
> >> On Mon, 2011-03-07 at 20:47 +0100, Michał Górny wrote:
> >> > Why does everyone assume it needs to be enforced? If user is
> >> > interested in protecting his/her data, he/she can simply use
> >> > https://. If he/she is not, there is no real reason to enforce
> >> > slower (and not always supported) SSL.
> >>
> >> Maybe it's not to protect the user, but to protect the Gentoo
> >> infrastructure.. And really, SSL has been supported by every
> >> browser for the last 15 years. And it is not in any way slow or
> >> slower than non-SSL.
> >
> > If you really think you need to force all users to use SSL, thus
> > assuming they're unable to make their own decisions, why don't you
> > restrict bugzie access completely?
> 
>  You don't seem to (or pretend not to) understand that using SSL 
>  protects not *the user* (in which case, yes, a user is free to leave
> the door to *his own* house wide open), but the Gentoo infrastructure
> that is far from his own and that all of us are using.

Please explain to me how not using SSL for a particular bugzie user is
going to hurt Gentoo infra. Even if we're talking about a dev,
and we're really assuming a dev is completely unaware of security
issues he/she's dealing with, I'd say power outage could cause more
damage.

> Besides, complaining about SSL being slow is absurd considering how
> mildly interactive and how low-traffic a typical bugzilla session is.
> You could do just fine over a 9600 bps modem.

It is more absurd to waste 5 minutes trying to establish login session
due to packet loss.

-- 
Best regards,
Michał Górny

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-dev] Bugzilla 4 migration

[Nathan Phillip Brink]

[-- Attachment #1: Type: text/plain, Size: 2728 bytes --]

On Tue, Mar 08, 2011 at 03:53:01PM +0100, Micha?? G??rny wrote:
> On Tue, 08 Mar 2011 16:41:08 +0200
> Antoni Grzyma??a <awaria@chopin.edu.pl> wrote:
> 
> >  On Tue, 8 Mar 2011 15:26:34 +0100, Micha????? G????rny wrote:
> > > On Mon, 07 Mar 2011 15:06:25 -0500
> > > Olivier Cr??te <tester@gentoo.org> wrote:
> > >
> > >> On Mon, 2011-03-07 at 20:47 +0100, Micha?? G??rny wrote:
> > >> > Why does everyone assume it needs to be enforced? If user is
> > >> > interested in protecting his/her data, he/she can simply use
> > >> > https://. If he/she is not, there is no real reason to enforce
> > >> > slower (and not always supported) SSL.
> > >>
> > >> Maybe it's not to protect the user, but to protect the Gentoo
> > >> infrastructure.. And really, SSL has been supported by every
> > >> browser for the last 15 years. And it is not in any way slow or
> > >> slower than non-SSL.
> > >
> > > If you really think you need to force all users to use SSL, thus
> > > assuming they're unable to make their own decisions, why don't you
> > > restrict bugzie access completely?
> > 
> >  You don't seem to (or pretend not to) understand that using SSL 
> >  protects not *the user* (in which case, yes, a user is free to leave
> > the door to *his own* house wide open), but the Gentoo infrastructure
> > that is far from his own and that all of us are using.
> 
> Please explain to me how not using SSL for a particular bugzie user is
> going to hurt Gentoo infra. Even if we're talking about a dev,
> and we're really assuming a dev is completely unaware of security
> issues he/she's dealing with, I'd say power outage could cause more
> damage.

If you access a bug which a user marked private/for devs only, or some
security bug, then the process of you viewing this information without
SSL would disclose this information to anyone listening on your
network. And disclosing your session cookie would allow anyone to find
any such private data they _want_ to find rather than just the content
you're viewing. Thus, by encrypting everything you are protecting
Gentoo users' data which is posted as private on bugzilla because they
trust that ``private'' actually means private.

> > Besides, complaining about SSL being slow is absurd considering how
> > mildly interactive and how low-traffic a typical bugzilla session is.
> > You could do just fine over a 9600 bps modem.
> 
> It is more absurd to waste 5 minutes trying to establish login session
> due to packet loss.

And if you have such a bad internet connection as you claim to have,
then perhaps there's a higher chance of people trolling your packets
anyways :-p.

-- 
binki

Look out for missing apostrophes!

[-- Attachment #2: Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-dev] Bugzilla 4 migration

[Robin H. Johnson]

On Mon, Mar 07, 2011 at 10:12:14AM +0100, Michał Górny wrote:
> On Sun, 06 Mar 2011 23:55:31 +0100
> Christian Ruppert <idl0r@gentoo.org> wrote:
> > SSL is enabled by default now, so it's forced. Unfortunately the
> > option to force SSL *only* for logged in user is no longer available
> > in Bugzilla-4.x. It has been added in early 3.x AFAIR and later
> > replaced by forcing SSL at all or not.
> > If *anybody* can't use SSL for any reason please yell so that we can
> > decide if we leave it as it is (plain + encrypted) or not.
> Is there any *real* reason to force SSL? It is *hell* slow.
The SSL forcing is temporarily disabled until we trace down why it's
causing slowness. Tracking is in bug 357711.

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85

Re: [gentoo-dev] Bugzilla 4 migration

[Robin H. Johnson]

[-- Attachment #1: Type: text/plain, Size: 1541 bytes --]

On Sun, Mar 06, 2011 at 11:55:31PM +0100, Christian Ruppert wrote:
> our Bugzilla (bugs.gentoo.org) will be unavailable for the next hours.
> We're going to migrate our old Bugzilla to Bugzilla-4.
> We expect our update to finish within the next hours.
All completed now. If you run into any problems, please file a new bug
under the Bugzilla product.

I'm sending this email as idl0r went to be after 8+ hours straight of
working on the new Bugzilla setup.

We apologize for this taking so extremely long.

Things didn't go so well at the database layer [1], and that hugely
increased the migration time. 

The Gentoo for the Bugzilla service went perfectly, a huge thanks to
idl0r for the years of work he has put into them.

> Some notes:
> SSL is enabled by default now, so it's forced.
The forcing is temporarily disabled now until we fix a possible related
performance issue, per bug 357711.

Footnotes:
[1] We discovered a potential MySQL bug with replication, where the
slaves end up truncating mediumtext columns to 1024 characters when done
with REPLACE INTO and GROUP_CONCAT. Will pursue with upstream this week.
This was only noted with mk-table-checksum, and we decided to just redo
replication from the master that was used for introducing the schema
changes. This added 3.5 hours onto the end of the migration :-(.

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85

[-- Attachment #2: Type: application/pgp-signature, Size: 330 bytes --]

Re: [gentoo-dev] Bugzilla 4 migration

[justin]

[-- Attachment #1: Type: text/plain, Size: 212 bytes --]

On 07/03/11 10:51, Robin H. Johnson wrote:
> The Gentoo for the Bugzilla service went perfectly, a huge thanks to
> idl0r for the years of work he has put into them.
> 

Thanks for all your work on this.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 262 bytes --]

Re: [gentoo-dev] Bugzilla 4 migration

[Jorge Manuel B. S. Vicetto]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07-03-2011 08:51, Robin H. Johnson wrote:
> On Sun, Mar 06, 2011 at 11:55:31PM +0100, Christian Ruppert wrote:
>> our Bugzilla (bugs.gentoo.org) will be unavailable for the next hours.
>> We're going to migrate our old Bugzilla to Bugzilla-4.
>> We expect our update to finish within the next hours.
> All completed now. If you run into any problems, please file a new bug
> under the Bugzilla product.

Thank you both for all the work in the upgrade and for all the
maintenance work you've been doing for years on our Bugzilla.

- -- 
Regards,

Jorge Vicetto (jmbsvicetto) - jmbsvicetto at gentoo dot org
Gentoo- forums / Userrel / Devrel / KDE / Elections / RelEng
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJNdMHeAAoJEC8ZTXQF1qEPzMwP/Rgc/F0ffJ8N5nKcW6DmcAO6
Xk8mPs7aMZ+YKdUmt0Ti67QMkGXn7UYDGqcEysKJzPY8G9aPboGZ/rrZIKU8kUtN
ddD++GO/yrqIBmMZaohXd28SSCTi7Ea+fmZSreL9Kq3Z9JSMIRNvCXKxlDVb82ll
wV44OPdrmRkTJ561fARuWxUs0NY7KnSUuBQ2Xr2dqjYQ3FsxtBK9RwDag1wFf24W
rJwoIHa9a/jRyp4eYlAErWdcQKDrdtfJWTX2gNjjp67JDO/PJBBvb2qXzGebjgra
iKpTfVKqXRt5TGWvL+UkKKi220St0C83wBXhmOSRbpaLBEq6+dvLPJT0nGEeaO1s
2dY6I1CFdW+oK8fEg+V1+4djWJ7CwRfg9uH2q9lgxZXXBw6uq4vsLjWwMr+O20hE
zwXNhHhq77VsJGENM3o+NFeiGvw4+j+1metvzsQgNQTq2gcnEeSiXxxwXWD7P2d5
QfjTlJg5Y6u6f3YnNYYNckgizeFmm5SkgKElET0wBD2ILChPMshhyB+aPnMlkzTm
DJKcwr/9C1g9pEHjoUC8uOrIGTDny/uP/IOgBlbvBFwkH9u258spI/nkHliyF0y1
xVtXveYp4k/8GCuUyGscj5oeVqTdft65x47oDRYzWw93vb1Aacenkei2RciN9ueo
nxpA5Kc0okEJVptcq1uT
=vJNK
-----END PGP SIGNATURE-----

Re: [gentoo-dev] Bugzilla 4 migration

[Donnie Berkholz]

[-- Attachment #1: Type: text/plain, Size: 535 bytes --]

On 09:51 Mon 07 Mar     , Robin H. Johnson wrote:
> The Gentoo for the Bugzilla service went perfectly, a huge thanks to
> idl0r for the years of work he has put into them.

Thanks! One thing I've been very interested about in 3.x and 4.x is API 
access that's better than screen-scraping. I tried using the 
python-bugzilla client that accesses Bugzilla via XML-RPC but it didn't 
seem to work. Do we have anything available?

-- 
Thanks,
Donnie

Donnie Berkholz
Sr. Developer, Gentoo Linux
Blog: http://dberkholz.com

[-- Attachment #2: Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-dev] Bugzilla 4 migration

[Dirkjan Ochtman]

On Mon, Mar 7, 2011 at 15:13, Donnie Berkholz <dberkholz@gentoo.org> wrote:
> Thanks! One thing I've been very interested about in 3.x and 4.x is API
> access that's better than screen-scraping. I tried using the
> python-bugzilla client that accesses Bugzilla via XML-RPC but it didn't
> seem to work. Do we have anything available?

Is that the one you get if you emerge pybugz?

The Mozilla guys made a pretty nice REST API that can be installed as a
plugin, I think. Maybe we could run that?

Cheers,

Dirkjan

Re: [gentoo-dev] Bugzilla 4 migration

[Donnie Berkholz]

[-- Attachment #1: Type: text/plain, Size: 964 bytes --]

On 16:35 Mon 07 Mar     , Dirkjan Ochtman wrote:
> On Mon, Mar 7, 2011 at 15:13, Donnie Berkholz <dberkholz@gentoo.org> wrote:
> > Thanks! One thing I've been very interested about in 3.x and 4.x is API
> > access that's better than screen-scraping. I tried using the
> > python-bugzilla client that accesses Bugzilla via XML-RPC but it didn't
> > seem to work. Do we have anything available?
> 
> Is that the one you get if you emerge pybugz?

No, pybugz is a screen-scraper. We previously had Bugzilla 2 so we 
couldn't do anything else.

> The Mozilla guys made a pretty nice REST API that can be installed as a
> plugin, I think. Maybe we could run that?

I've been somewhat following that too, but I don't know if anyone's 
written a CLI client for it yet, whereas python-bugzilla already exists 
(and has an ebuild in the sabayon overlay).

-- 
Thanks,
Donnie

Donnie Berkholz
Sr. Developer, Gentoo Linux
Blog: http://dberkholz.com

[-- Attachment #2: Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-dev] Bugzilla 4 migration

[Hans de Graaff]

[-- Attachment #1: Type: text/plain, Size: 433 bytes --]

On Mon, 2011-03-07 at 08:13 -0600, Donnie Berkholz wrote:

> Thanks! One thing I've been very interested about in 3.x and 4.x is API 
> access that's better than screen-scraping. I tried using the 
> python-bugzilla client that accesses Bugzilla via XML-RPC but it didn't 
> seem to work. Do we have anything available?

I've tried an ipad application that uses xmlrpc and that seemed to work
fine.

Kind regards,

Hans

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 230 bytes --]

Re: [gentoo-dev] Bugzilla 4 migration

[Donnie Berkholz]

[-- Attachment #1: Type: text/plain, Size: 711 bytes --]

On 07:50 Tue 08 Mar     , Hans de Graaff wrote:
> On Mon, 2011-03-07 at 08:13 -0600, Donnie Berkholz wrote:
> 
> > Thanks! One thing I've been very interested about in 3.x and 4.x is API 
> > access that's better than screen-scraping. I tried using the 
> > python-bugzilla client that accesses Bugzilla via XML-RPC but it didn't 
> > seem to work. Do we have anything available?
> 
> I've tried an ipad application that uses xmlrpc and that seemed to work
> fine.

Confirmed with my iphone one. Guess the Python one's broken with BZ 4. 
Fiddling around manually with xmlrpclib works alright, too.

-- 
Thanks,
Donnie

Donnie Berkholz
Sr. Developer, Gentoo Linux
Blog: http://dberkholz.com

[-- Attachment #2: Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-dev] Bugzilla 4 migration

[Markos Chandras]

[-- Attachment #1: Type: text/plain, Size: 1325 bytes --]

On Sun, Mar 06, 2011 at 11:55:31PM +0100, Christian Ruppert wrote:
> Dear community,
> 
> our Bugzilla (bugs.gentoo.org) will be unavailable for the next hours.
> We're going to migrate our old Bugzilla to Bugzilla-4.
> We expect our update to finish within the next hours.
> 
> Some notes:
> SSL is enabled by default now, so it's forced. Unfortunately the
> option to force SSL *only* for logged in user is no longer available in
> Bugzilla-4.x. It has been added in early 3.x AFAIR and later replaced by
> forcing SSL at all or not.
> If *anybody* can't use SSL for any reason please yell so that we can
> decide if we leave it as it is (plain + encrypted) or not.
> 
> All custom/Gentoo patches will be available *later* in a git repo[1].
> So if you'd like to fix something or improve the theme you can
> contribute patches.
> Thanks to Alex Legler (a3li) for the Bugzilla theme.
> 
> [1]
> http://git.overlays.gentoo.org/gitweb/?p=proj/gentoo-bugzilla.git;a=summary
> 
> -- 
> Regards,
> Christian Ruppert
> Role: Gentoo Linux developer, Bugzilla administrator and Infrastructure
> member
> Fingerprint: EEB1 C341 7C84 B274 6C59  F243 5EAB 0C62 B427 ABC8
> 

Thank you very much. New bugzie looks pretty :)


Regards,
-- 
Markos Chandras / Gentoo Linux Developer / Key ID: B4AFF2C2

[-- Attachment #2: Type: application/pgp-signature, Size: 836 bytes --]