4.0 Upgrade

Description

Schedule

Sometime after Firefox 4 ships.

Requirements

List of requirements the project must meet to before final release.

The following BMO customizations must be present and working properly. Some of these are specific to BMO and some are already in the upstream but not in the 4.0 release. These changes are part of the core Bugzilla code. The new BMO extension specific requirements will be listed after.

• Retiring of old components, versions, and milestones (upstream bug 77193)
• Passwords require 8 or more characters
• Strict-Transport-Security header validity increased from one week to one month
• Admin options added for specifying/requiring password complexity in various forms (upstream bug 558803)
• 'bug_check_groups' hook added to Bugzilla::Bug to make it always possible to file bugs in certain groups.
• New group 'bz_quip_moderators' added which can moderate quips. No longer just admin. (upstream bug 622080)
• Users having admin permissions (instead of editbugs) may bless all groups as well as edit all users.
• enter_bug.cgi automatically uses the 'guided' format for user's not in the 'canconfirm' group.
• enter_bug.cgi must show the pretty product chooser instead of the the standard product list.
• Various redirects and rewrite rules need to function properly in the .htaccess file.
• The bug query results uses the sorttable.js framework to allow client side column sorting. Changes were needed to the table.html.tmpl template for this to work.
• Display work email address instead of login name on the login forms.
• New hook called 'patch_notes' added to attachment/createformcontents.html.tmpl to display additional instructions for patch type attachments.
• New hook called 'comment_banner' added to bug/comments.html.tmpl.
• Some textual changes have been made to the create-guided.html.tmpl simple bug entry form.
• The status_whiteboard field can have a value added in the enter_bug.cgi page.
• 'Last Comment' shortcut link added to the top of the show_bug.cgi page.
• Instead of completely blocking unsafe URLs in the bug_file_loc field, BMO throws a warning alerting the user that the URL may not be safe.
• Various fields in show_bug.cgi have been moved to different locations.
• Additional template code has been added to bug/field.html.tmpl to filter out certain fields/values based on user permissions.
• Added (take) link to show_bug.cgi to allow quickly assigning the bug to the user. (upstream bug 626658)
• Various templates use cf_hidden_in_product() to filter out custom fields based on the bug's current product (bug/show-multile.html.tmpl, bug/show.xml.tmpl)
• Text added to email notifications to not reply to the email and to make any comments in the bug itself.
• New term variable called terms.BugzillaTitle to be used in header.html.tmpl instead of terms.Bugzilla.
• Image of chomping Mozilla on the server push page when waiting for bug results (server-push).
• "denied" flags changed to "not granted" in request/email.txt.tmpl (upstream bug 621883, denied)
• Alternative explanation of WORKSFORME resolution in pages/fields.html.tmpl
• different permissions on htdocs root (0755 instead of DIR_WS_SERVE)
• webserver allowed access to .bzr for bzr history function
• to_user exposed to email/change-old.txt.tmpl for securemail
• bz_canusewhines group used instead of admin in chart.cgi
• bug fix related to displaying products on full product chooser grouped by classification in enter_bug.cgi
• FollowSymLinks enabled in mod_perl.pl
• resolutions hook added to pages/fields.html.tmpl (bug 616453)
• EXPIRED resolution hidden from all users except gerv in list/edit-multiple.html.tmpl
• bug/edit.html.tmpl changes:
  • class on #bz_show_bug_column_2 changed from bz_show_bug_column to bz_show_bug_column_table
  • assigned_to editable field hidden by default
  • cc list displayed to logged in users
  • custom fields are hidden for anon sessions if they don't have a value set
  • custom fields are hidden if they are hidden in the product

BMO Extension Requirements

Other Extension Requirements

• SecureMail
  • Users can upload their public GPG key or SMIME certificate using a form in the Bugzilla user preferences.
  • If a bug that is marked to any specific security groups sends an email notification, the email is encrypted with each user's public key.
  • The user can then decrypt the message using their private key through their email client.
  • Also user's who request their password to be changed who are members of specific security groups, the email with the change token will be encrypted as well.
• TypeSniffer
• ComponentWatching
• Profanivore
• Splinter
• BzAPI

Test Plan

- Test additional text included by templates. Just read through the diff for such occurrences and load the appropriate page.

- Making versions, components and milestones inactive and active again (and checking this stops them showing up in various places).

- Quicksearch for our status-related custom fields.

- config.cgi JSON output.

- Custom fields being visible or not visible in the appropriate products and components, as defined in Data.pm

- Buglist sorting works fine, even for dates, severities etc.

- It's possible for even unprivileged users to file bugs into security groups.

- Bugs filed end up in the correct security group when the "secure" checkbox is checked.

- Security group gets emailed when bugs are a) filed in, b) added to and c) removed from the relevant group.

- Bogus addresses like foo@bar.bugs don't get email, even if it's enabled in their preferences.

- Check that only members of the appropriate groups can set various fields, as defined in Data.pm.

- UUIDs, CVEs and SVN versions are correctly auto-linked.

- File bugs using the following specialist formats:

 - mktgevent
 - swag
 - brownbag
 - itrequest
 - legal
 - mozpr
 - poweredby
 - presentation
 - trademark
 

- Including loading them as e.g. http://site/form.itrequest

- Load page.cgi?id=upgrade-3.6.html and check for bzr output at the bottom.

Pending Tasks

List of tasks still to be done for this project.

To Do

- Upstream hook in template/en/default/index.html.tmpl

- Fix additional bugs as filed in b.m.o.

- Fix template/en/default/global/choose-product.html.tmpl to work better (and be a patch on top of the original)

- Fix Bugzilla Helper to suck a bit less

- Write and execute test plan

- make sure sanitizeme.pl still works

Bugs Fixed

After Release

There are several additional extensions people want:

- Update Splinter (code review extension) to work with 4.0 and turn it on https://bugzilla.mozilla.org/show_bug.cgi?id=570786 Security review: https://bugzilla.mozilla.org/show_bug.cgi?id=578573 Upstream Splinter hasn't changed for a year; will need to submit patches back.

- Update Securemail to work with 4.0 Note: it has its own repo I've put in some (all?) of the hooks it will need; code which ties into some of the custom hooks it uses in 3.6 can perhaps be rewritten to use new hook in core. May also need security review... https://bugzilla.mozilla.org/show_bug.cgi?id=190945

- Pulse integration https://bugzilla.mozilla.org/show_bug.cgi?id=589322

Notes

Patch has been applied from bug 77193 to make it possible to make versions, milestones and components inactive. This code is in 4.2 and so won't be needed for the next version upgrade. Also, the migration code in the install_update_db hook can go.

Current Issues

List of current know issues that will be fixed before final release.

Failing Test Cases

• test_flags.t #302 - Flag type non editable by powerless users
• test_flags2.t #240 - Flag type 'selenium' not editable by powerless users
• test_shared_searches.t #138 - The 'helpwanted' query is not shared with this user
  • canconfirm regex is set to .*, which causes this test to fail
  • testcase has been disabled
• test_show_all_products.t #42 - get_title, 'Enter Bug: QA-Selenium-TEST'
  • testcase doesn't support bmo's "other products" page
  • bmo extension doesn't support classifications (should pass classification param through)
• test_sudo_sessions.t #36 - get_title, 'Match Failed'
  • usevisibilitygroups broken?