httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Pier Fumagalli <>
Subject Re: Use of Bugzilla?
Date Tue, 26 Feb 2002 17:11:53 GMT
"Marc Slemko" <> wrote:

> We went through this whole exercise before, but it was dropped for two
> main reasons: security nightmare and lack of effort giving to
> replicating gnats features that many people have become used to and
> really like, in the bugzilla environment.

For security, on my installation, there shouldn't be much to worry about. As
I said, BugZilla is not installed on any primary machine (icarus/daedalus),
and it's basically safe over on nagoya. It's vulnerable only to attacks to
itself (like a bugzilla client wiping out the database if another bug in
bugzilla allows the execution of random SQL statements). But it's backed up
every night and in case that happened, it's fairly easy to restore data in

Regarding exploits TO the system THRU bugzilla, I would doubt there are...
Both the MySQL and Apache processes are running as disabled users, MySQL is
running in a chrooted environment, and CGIs are SU-id executed (yeah, really
wanted to be able to run those CHROOTED as well, but still didn't manage to
get thru it).

> One major problem is that how it is (was?) setup, it is impossible
> to get automated email notifications of changes to all bugs, ie. like
> the apache-bugdb mailing list.

On how the bug tracking DB is set up right now, emails are sent straight to
the different lists (check out the tomcat-dev mailing list, for example, 90%
of the traffic is FROM bugzilla itself). Plus there is a nice once-a-week
summary coming out to the list as well...

> I'm not saying the issues can't be addressed with bugzilla, but simply
> saying "ok, looks good, lets use it" without carefully considering
> how it is setup and used, and how to duplicate the necessary set of
> gnats functionality that bugzilla doesn't supply by default, is not
> going to work.

BugZilla sucks (we all know it), but it's working fine for all other Apache
projects (well, Jakarta and XML so far). FWIW I find GNATS way too
complicated and currently unmanaged (so, if I find what I think is a bug I
usually call up David Reid or post a message around here), the effort to
move HTTPD and (maybe) APR over to the other system is minimal, so IMO (but
again, I don't count as I'm not a committer), that would be a wise choice...


View raw message