Posted to dev@httpd.apache.org by Marc Slemko <ma...@znep.com> on 2001/04/05 07:47:38 UTC

state of the bugdb

I think everyone agrees gnats is a PITA and lacks many of the features we
could really really really really really use in a bugs/issue tracking
system.

Right now, most committers ignore it most of the time.  Can't blame 'em,
because it sucks and isn't much use for a lot of things.

Attempts were made to move forward before, but didn't end up going
anywhere.  One of them was the bugzilla debacle.  

Is anyone currently working on doing something about this and, if so, what
is the state of the efforts?

If not, I think I could try to convince myself to drive an effort to
figure out what we need, and how we can obtain it.  There is also the
issue of other projects and what the ASF can do to provide and coordinate
things like this across projects... but right now, it may be easier to
start here.


Re: state of the bugdb

Posted by rb...@covalent.net.
On Tue, 10 Apr 2001, Bill Stoddard wrote:

> > > Nagoya was set up specifically to be a bugzilla machine for the ASF.  It is
> > > run by Pier and somebody else, who I can't remember.  The root compromise
> > > is not a big issue, because that machine doesn't really run anything other
> > > than bugzilla.
> >
> > Errr... no. Root compromise of any machine on the internet is a BIG DEAL. The
> > data on the machine is only a minor part of the issue.
> >
>
> If, OTOH, you mean that a machine running only bugzilla can be secured, then I
> obviously have no problem with that.

Just replied with that comment, yes.

Ryan

_______________________________________________________________________________
Ryan Bloom                        	rbb@apache.org
406 29th St.
San Francisco, CA 94131
-------------------------------------------------------------------------------


Re: state of the bugdb

Posted by Bill Stoddard <bi...@wstoddard.com>.
> > Nagoya was set up specifically to be a bugzilla machine for the ASF.  It is
> > run by Pier and somebody else, who I can't remember.  The root compromise
> > is not a big issue, because that machine doesn't really run anything other
> > than bugzilla.
>
> Errr... no. Root compromise of any machine on the internet is a BIG DEAL. The
> data on the machine is only a minor part of the issue.
>

If, OTOH, you mean that a machine running only bugzilla can be secured, then I
obviously have no problem with that.

Bill


Re: state of the bugdb

Posted by rb...@covalent.net.
On Tue, 10 Apr 2001, Bill Stoddard wrote:

>
>
> > On Tue, 10 Apr 2001, Marc Slemko wrote:
> >
> > > On Mon, 9 Apr 2001 rbb@covalent.net wrote:
> > >
> > > >
> > > > Why don't we just use the bugzilla that is on that Sun machine?  isn't it
> > > > called nagoya.apache.org, or something like that?
> > >
> > > 1. we tried bugzilla before for 2.x bug reports.  result: it was used as
> > > one step in a root compromise.  Sure, having it on its own box helps
> > > things out.  But doesn't remove the concern.
> > > 2. bugzilla doesn't, out of the box, provide some of the functionality
> > > that we have now that I consider to be quite important.
> > > 3. even if those weren't issues, it has to be configured and set up in a
> > > way that lets it meet our needs and people have to know how it should be
> > > used.
> > >
> > > While I am unhappily resigned to the fact that bugzilla may, in fact, form
> > > the core of what the best solution is for us, I don't know that it is just
> > > a drop-it-in-and-run thing.
> >
> > Nagoya was set up specifically to be a bugzilla machine for the ASF.  It is
> > run by Pier and somebody else, who I can't remember.  The root compromise
> > is not a big issue, because that machine doesn't really run anything other
> > than bugzilla.
>
> Errr... no. Root compromise of any machine on the internet is a BIG DEAL. The
> data on the machine is only a minor part of the issue.

I said it unclearly.  Bugzilla was compromised on apache.org, because of
how the machine was set up.  It was set up that way, because of how many
different things it was doing.  This machine is running bugzilla, and that
is it.  The vulnerability isn't as large, because we are keeping tighter
control of what is on that box.

Plus, that machine has been up and running for a while without a problem.
That doesn't mean it is safe, but it is a good omen.

Ryan

_______________________________________________________________________________
Ryan Bloom                        	rbb@apache.org
406 29th St.
San Francisco, CA 94131
-------------------------------------------------------------------------------


Re: state of the bugdb

Posted by Bill Stoddard <bi...@wstoddard.com>.

> On Tue, 10 Apr 2001, Marc Slemko wrote:
>
> > On Mon, 9 Apr 2001 rbb@covalent.net wrote:
> >
> > >
> > > Why don't we just use the bugzilla that is on that Sun machine?  isn't it
> > > called nagoya.apache.org, or something like that?
> >
> > 1. we tried bugzilla before for 2.x bug reports.  result: it was used as
> > one step in a root compromise.  Sure, having it on its own box helps
> > things out.  But doesn't remove the concern.
> > 2. bugzilla doesn't, out of the box, provide some of the functionality
> > that we have now that I consider to be quite important.
> > 3. even if those weren't issues, it has to be configured and set up in a
> > way that lets it meet our needs and people have to know how it should be
> > used.
> >
> > While I am unhappily resigned to the fact that bugzilla may, in fact, form
> > the core of what the best solution is for us, I don't know that it is just
> > a drop-it-in-and-run thing.
>
> Nagoya was set up specifically to be a bugzilla machine for the ASF.  It is
> run by Pier and somebody else, who I can't remember.  The root compromise
> is not a big issue, because that machine doesn't really run anything other
> than bugzilla.

Errr... no. Root compromise of any machine on the internet is a BIG DEAL. The
data on the machine is only a minor part of the issue.

Bill


Re: state of the bugdb

Posted by Marc Slemko <ma...@znep.com>.
On Tue, 10 Apr 2001 rbb@covalent.net wrote:

> On Tue, 10 Apr 2001, Marc Slemko wrote:
> 
> > On Mon, 9 Apr 2001 rbb@covalent.net wrote:
> >
> > >
> > > Why don't we just use the bugzilla that is on that Sun machine?  isn't it
> > > called nagoya.apache.org, or something like that?
> >
> > 1. we tried bugzilla before for 2.x bug reports.  result: it was used as
> > one step in a root compromise.  Sure, having it on its own box helps
> > things out.  But doesn't remove the concern.
> > 2. bugzilla doesn't, out of the box, provide some of the functionality
> > that we have now that I consider to be quite important.
> > 3. even if those weren't issues, it has to be configured and set up in a
> > way that lets it meet our needs and people have to know how it should be
> > used.
> >
> > While I am unhappily resigned to the fact that bugzilla may, in fact, form
> > the core of what the best solution is for us, I don't know that it is just
> > a drop-it-in-and-run thing.
> 
> Nagoya was set up specifically to be a bugzilla machine for the ASF.  It is
> run by Pier and somebody else, who I can't remember.  The root compromise
> is not a big issue, because that machine doesn't really run anything other
> than bugzilla.

It is less of a big deal, yes.  But it still needs to be a concern.

> 
> I do realize that there are some features that bugzilla doesn't have, but
> what other piece of software does, other than GNATS?  Can we add them to
> bugzilla?

That's exactly what I propose to try to figure out.


Re: state of the bugdb

Posted by rb...@covalent.net.
On Tue, 10 Apr 2001, Marc Slemko wrote:

> On Mon, 9 Apr 2001 rbb@covalent.net wrote:
>
> >
> > Why don't we just use the bugzilla that is on that Sun machine?  isn't it
> > called nagoya.apache.org, or something like that?
>
> 1. we tried bugzilla before for 2.x bug reports.  result: it was used as
> one step in a root compromise.  Sure, having it on its own box helps
> things out.  But doesn't remove the concern.
> 2. bugzilla doesn't, out of the box, provide some of the functionality
> that we have now that I consider to be quite important.
> 3. even if those weren't issues, it has to be configured and set up in a
> way that lets it meet our needs and people have to know how it should be
> used.
>
> While I am unhappily resigned to the fact that bugzilla may, in fact, form
> the core of what the best solution is for us, I don't know that it is just
> a drop-it-in-and-run thing.

Nagoya was set up specifically to be a bugzilla machine for the ASF.  It is
run by Pier and somebody else, who I can't remember.  The root compromise
is not a big issue, because that machine doesn't really run anything other
than bugzilla.

I do realize that there are some features that bugzilla doesn't have, but
what other piece of software does, other than GNATS?  Can we add them to
bugzilla?

Ryan

_______________________________________________________________________________
Ryan Bloom                        	rbb@apache.org
406 29th St.
San Francisco, CA 94131
-------------------------------------------------------------------------------


Re: state of the bugdb

Posted by Marc Slemko <ma...@znep.com>.
On Mon, 9 Apr 2001 rbb@covalent.net wrote:

> 
> Why don't we just use the bugzilla that is on that Sun machine?  isn't it
> called nagoya.apache.org, or something like that?

1. we tried bugzilla before for 2.x bug reports.  result: it was used as
one step in a root compromise.  Sure, having it on its own box helps
things out.  But doesn't remove the concern.
2. bugzilla doesn't, out of the box, provide some of the functionality
that we have now that I consider to be quite important.
3. even if those weren't issues, it has to be configured and set up in a
way that lets it meet our needs and people have to know how it should be
used.

While I am unhappily resigned to the fact that bugzilla may, in fact, form
the core of what the best solution is for us, I don't know that it is just
a drop-it-in-and-run thing.

> 
> Ryan
> 
> On Mon, 9 Apr 2001, Marc Slemko wrote:
> 
> > Ok, so I'm going to assume that no one else is working on this or knows
> > that anyone is, and I'll see if I can find the time and motivation to
> > start doing something.
> >
> > For now, "something" is just defining what we need and throwing it out for
> > feedback.
> >
> > On Wed, 4 Apr 2001, Marc Slemko wrote:
> >
> > > I think everyone agrees gnats is a PITA and lacks many of the features we
> > > could really really really really really use in a bugs/issue tracking
> > > system.
> > >
> > > Right now, most committers ignore it most of the time.  Can't blame 'em,
> > > because it sucks and isn't much use for a lot of things.
> > >
> > > Attempts were made to move forward before, but didn't end up going
> > > anywhere.  One of them was the bugzilla debacle.
> > >
> > > Is anyone currently working on doing something about this and, if so, what
> > > is the state of the efforts?
> > >
> > > If not, I think I could try to convince myself to drive an effort to
> > > figure out what we need, and how we can obtain it.  There is also the
> > > issue of other projects and what the ASF can do to provide and coordinate
> > > things like this across projects... but right now, it may be easier to
> > > start here.
> > >
> >
> >
> 
> 
> _______________________________________________________________________________
> Ryan Bloom                        	rbb@apache.org
> 406 29th St.
> San Francisco, CA 94131
> -------------------------------------------------------------------------------
> 


Re: state of the bugdb

Posted by rb...@covalent.net.
Why don't we just use the bugzilla that is on that Sun machine?  isn't it
called nagoya.apache.org, or something like that?

Ryan

On Mon, 9 Apr 2001, Marc Slemko wrote:

> Ok, so I'm going to assume that no one else is working on this or knows
> that anyone is, and I'll see if I can find the time and motivation to
> start doing something.
>
> For now, "something" is just defining what we need and throwing it out for
> feedback.
>
> On Wed, 4 Apr 2001, Marc Slemko wrote:
>
> > I think everyone agrees gnats is a PITA and lacks many of the features we
> > could really really really really really use in a bugs/issue tracking
> > system.
> >
> > Right now, most committers ignore it most of the time.  Can't blame 'em,
> > because it sucks and isn't much use for a lot of things.
> >
> > Attempts were made to move forward before, but didn't end up going
> > anywhere.  One of them was the bugzilla debacle.
> >
> > Is anyone currently working on doing something about this and, if so, what
> > is the state of the efforts?
> >
> > If not, I think I could try to convince myself to drive an effort to
> > figure out what we need, and how we can obtain it.  There is also the
> > issue of other projects and what the ASF can do to provide and coordinate
> > things like this across projects... but right now, it may be easier to
> > start here.
> >
>
>


_______________________________________________________________________________
Ryan Bloom                        	rbb@apache.org
406 29th St.
San Francisco, CA 94131
-------------------------------------------------------------------------------


Re: state of the bugdb

Posted by Marc Slemko <ma...@znep.com>.
Ok, so I'm going to assume that no one else is working on this or knows
that anyone is, and I'll see if I can find the time and motivation to
start doing something.

For now, "something" is just defining what we need and throwing it out for
feedback.

On Wed, 4 Apr 2001, Marc Slemko wrote:

> I think everyone agrees gnats is a PITA and lacks many of the features we
> could really really really really really use in a bugs/issue tracking
> system.
> 
> Right now, most committers ignore it most of the time.  Can't blame 'em,
> because it sucks and isn't much use for a lot of things.
> 
> Attempts were made to move forward before, but didn't end up going
> anywhere.  One of them was the bugzilla debacle.  
> 
> Is anyone currently working on doing something about this and, if so, what
> is the state of the efforts?
> 
> If not, I think I could try to convince myself to drive an effort to
> figure out what we need, and how we can obtain it.  There is also the
> issue of other projects and what the ASF can do to provide and coordinate
> things like this across projects... but right now, it may be easier to
> start here.
>