IRC office hours/Office hours 2013-07-16

<andre__> Welcome to the IRC office hour about Bugzilla and bug management that will take place here in the next hour!
<andre__> I plan to talk a bit about the latest stuff that has been worked on, and plans for the future.
<andre__> General info and documentation can be found on as usual.
<andre__> So who is here for the office hour? Please raise your hands and don't be shy. :)
<andre__> What I've been doing lately is shown on
<andre__> but I am going to summarize and elaborate on the most interesting latest stuff, and the plans
<andre__> So let's start with latest achievements...
<andre__> alright, after that general info, here we go:
<andre__> We have a Bugzilla admin policy now:
<andre__> in Bugzilla's configuration, the number of Bugzilla administrators has been decreased in order to improve coordination (and theoretically to have less accounts that could get hacked).
<andre__> the list of admins is as usual at the sake of transparency
<andre__> Some details, for those who care: As part of that, a dedicated Bugzilla emergency account has been created for the Operations team to block users and hide comments in case of spamming. And the ability to hide specific comments has also been made available to Bugzilla users with access to Security issues (before it could only be done by admins)
<andre__> As "Bugzilla admin" sounds very powerful and as I've created a bit of confusion ("Andre removes rights from people!!!") because I didn't explain well what "admin" means:
<andre__> All admins have been contacted before, and except for editing the Bugzilla permissions of another Bugzilla users, Bugzilla admin rights are not required for anything important, but instead a combination of other rights often works out well (the "principle of least privelege", as I was told).
<andre__> if you really want to understand "Bugzilla admin rights", I've blogged about it as a side effect: as it could also be helpful for other projects that use Bugzilla.
<andre__> Oh yes, blogging:
<andre__> Since a few weeks ago, I've been blogging weekly about some aspects of Bugzilla:
<andre__> Small hints and bits and pieces based on feedback from users and developers. I hope it's helpful.
<yuvipanda> still blogging at LET US ALL STONE HIM! :)
<andre__> yuvipanda, where else should I move? :P
<yuvipanda> clearly, facebook :)
<yuvipanda> but yeah, we don't have one similar for us
<yuvipanda> and GNOME is nice anyway
<andre__> yuvipanda, I think you should get stoned for Facebook rather ;))
<yuvipanda> and if other people don't ask questions...
<yuvipanda> andre__: any options for fixing the bugspam on #mediawiki?
<andre__> I always think that Bugzilla is a boring topic. So I don't take it too personal that there's not that many questions :D
<yuvipanda> andre__: move it to elsewhere, make it smarter (not repeating things for new bugs, batching together bugs)?
<andre__> yuvipanda, that's I guess?

  • yuvipanda clicks

<andre__> I think I'd also support moving it to #wikimedia-dev, if we consider #mediawiki a general support general.
<yuvipanda> andre__: yeah, we should. I think Chad gave up after he got yelled at....
<AzaToth> I would want to say that I think ops RT shouldn't be used for stuff which could be placed in bugzilla
<andre__> I just don't know how to push for a decision on that one, and personally I don't care enough :-/
<andre__> AzaToth, that's probably
<AzaToth> yea
<andre__> yuvipanda, so th question is really how to agree and not step on too many toes :-/
<yuvipanda> andre__: :( I don't even know whose toes were stepped on
<AzaToth> andre__: which points to a RT ticket
<yuvipanda> andre__: but I guess it isn't a technical issue, but just a community one
<andre__> AzaToth, heh, I could add you to that one as CC, but there's not much info on that one either
<AzaToth> ツ
<andre__> yuvipanda, yeah and I always wonder how to make the community decide
<andre__> AzaToth, "RT being a black hole" is definitely on my list for the next four months
<AzaToth> good
<yuvipanda> andre__: we can have an RFC on, and nobody will look at it, and then move it, and then tell people 'you could have commented on the RFC!' :)
<andre__> AzaToth: so if you haven't see any progress in, say, four months, you are free to slap me. Or make me buy you many drinks at the next conference. Or so.
<andre__> yuvipanda, if I remember correctly, the RFC is being reworked, so might be worth a shot.
<yuvipanda> hmm, that is technical RFCs, rather than these kinda ones.
<AzaToth> andre__: ddo you know if there is any bug related to that if you try to change Product for a bug, components doesn't change
<yuvipanda> but yeah. worth a try
<AzaToth> andre__: I'll hold you to that ツ
<andre__> AzaToth, yeah, current Bugzilla does not have much AJAX magic, so you get another separate page. Is that what you refer to?
<andre__> AzaToth, yes, please do! seriously.
<AzaToth> andre__: haven't actually tried to save a bug with changed Product, as I though it would fuck things up as the component would stay the same
<andre__> AzaToth, just try :P
<andre__> lets you test everything by the way
<andre__> AzaToth, if you change a Product in a bug report and click "Submit", there will be yet another separate page asking you to set the component, version and target milestone for the new product
<AzaToth> ah, didn't know
<andre__> AzaToth, the upstream ticket to do that dynacmically is
<andre__> AzaToth, be brave and try! :D
<AzaToth> oh, only 10 years old

<andre__> Alright, to get back to my weekly blogging about Bugzilla:
<andre__> if you are interested in seeing a specific topic covered, tell me! Or if you know well about some area in Bugzilla (e.g. Whining), write it. I'm happy to help!
<andre__> You can find the list of topics here: and the announcement was here:
<andre__> and I have some more topics in the backlog for the next weeks,
<andre__> and once I find some more time I plan to also get that onto
<andre__> but that's a bit more about Bugzilla in general, not Wikimedia specific
<andre__> So.....
<andre__> What has happened codewise in the last two months?
<andre__> We have a new Bugzilla frontpage, displaying some useful links: See and for the story behind.
<andre__> Furthermore, the misleading term "login" which confused a few people was replaced by "email address" in the user interface:
<andre__> And setting the "Assigned" status already when filing a new bug report got enabled, as requested by some developers:
<AzaToth> andre__: actually, I think bugzilla auth should be merged with sul
<AzaToth> so people doesn't need to generate a separate bugzilla account just to be able to file a bug
<andre__> AzaToth, "+1 if I don't have to do it". :P I'm completely clueless when it comes to that topic codewise.
<andre__> The corresponding ticket is
<AzaToth> offcourse there's a ticket ツ
<andre__> we should probably evaluate again how hard it would be after we're done with deploying SUL2 and making all user accounts global.
<andre__> I admit that I try to use Bugzilla as my public task list, though when it comes to "next quarter" plans and broader stuff I prefer to update
<andre__> Further stuff from the last two months:
<andre__> As usual I push updates to my/our Greasemonkey scripts for bugtriaging from time to time:
<andre__> and everybody can use them after installing Greasemonkey in their browser.
<andre__> It saves time!
<andre__> For example I now also use a script with some one-click common "stock" answers in some Village Pump forums on the Wikimedia wikis, for example to point people to Bugzilla
<andre__> They are all available in Git/Gerrit, and I highly appreciate feedback or contributions. Or actually anybody using them and providing feedback :D
<AzaToth> andre__: any howto do that?
<AzaToth> the greasemonkey
<andre__> AzaToth, hmm, good point.
<AzaToth> have never used grease
<andre__> in Firefox, you go to
<andre__> and install the addon.
<andre__> then you go in your browser to the script that you want to install
<andre__> and a dialog will popup asking you whether to install it and trust it
<andre__> and afterwards you can use it :)
<andre__> but I don't really know how the support in other browsers is, never tested :-/
<AzaToth> I see
<andre__> the scripts are written in JavaScript if anybody feels like hacking
<andre__> but I'd love to get feedback about them!
<andre__> and make them also more useful for others :)
<andre__> AzaToth, so if you want to give it a try and run into problems, please please let me know
<AzaToth> ok, have them installed now
<andre__> Yay, nice
<andre__> Alright. I'll drop four more things from the last two months that I consider worth mention so you know what's been going on in the bug universe, and then we can dive into the future department of this session.
<andre__> I've documented how to run Bug management IRC office hours:
<andre__> like this one. :P
<andre__> This is useful as other teams also have dedicated public bugtriage sessions sometimes, for example Runa from the Language Engineering Team. So we share some nuggets of information and don't reinvent the wheel
<andre__> I've fixed a bunch of incorrect queries and results in the "Weekly Bugzilla Report" email sent to the wikitech-l mailing list. Some funny SQL and PHP writing.
<andre__> for the records or if anybody feels like hacking away on that "Weekly Bugzilla email" on wikitech-l@, the code is in operations/puppet/templates/misc/bugzilla_report.php
<andre__> As part of housekeeping, I've retriaged open tickets in the dormant "Wiktionary tools" Bugzilla product and closed the product afterwards for new bug entry.
<andre__> The "Security" product in Bugzilla also got reorganized, same for "Parsoid" (for the latter, see ).
<andre__> While the tickets under Security are secret, the reorg was only to split the "General" component into "Core", "Extensions", and "Other", so not much for conspiracy theory lovers, sorry ;)
<andre__> and thanks to Daniel Zahn, Bugzilla administrators now regularly receive an email with a database dump of Bugzilla's "audit log" which lists the most recent taxonomy changes in Bugzilla (component or keyword additions, etc.).
<andre__> That's I think a good summary for the last two months....
<andre__> as I wrote before, I post about every 1-2 weeks what I've worked on at
<andre__> to keep things transparent.
<andre__> hopefully. :P
<andre__> Hmm. Any questions with regard to what I just wrote here? :)
<andre__> If not, I'll elaborate a bit on plans

  • andre__ plays some background elevator music, waiting for questions

<bawolff_away> andre__: you're probably not the one to ask for this, but
<andre__> doesn't matter. :P
<bawolff_away> Have we considered having more transparency in regards to security - like having a weekly report about how many open bugs are in the security component, having them transferred to a different component always the moment they're fixed, etc
<Krenair> andre__, I noticed that you assigned yourself the RT transparency bug, what do you plan to do with that?
<AzaToth> Krenair: gove me beer
<AzaToth> give*
<bawolff_away> So people could see how many security bugs are pending, how many are fixed, how many invalid (and what are the invalid ones)
<andre__> Krenair, I don't know yet myself, but we have to do something, it feels. So I guess I'm going to talk to a few people again, to evaluate technical reasons for the current setup. And probably social reasons.

  • AzaToth thinks he still has a semi-security bug open somewhere

<andre__> bawolff, hmm, I think we could just move invalid ones out of that product (and that product's restrictions)
<Krenair> My proposal would be to create a hidden area which all current tickets can be thrown into
<bawolff> andre__: I think we do that, sometimes, but not always
<Krenair> new tickets created could also go there but only if necessary
<AzaToth> bawolff: I have always felt could be regarded as a security bug

  • bawolff would like it to be some sort of policy that that always happens

<bawolff> AzaToth: perhaps, but realistically we're probably not going to change that any time soon. And its fairly public knowladge
<andre__> bawolff: shows you the number of open security tickets
<bawolff> heck enwikinews abuses it to put rdf in the page
<AzaToth> bawolff: heh
<andre__> bawolff, so not sure if we want to have also these stats in the weekly email to wikitech-l@, or whether that page is sufficient
<Krenair> AzaToth, well the ability to edit the interface comes with that issue (43646)...
<Krenair> To me the idea that we might let admins edit JS is a security vulnerability and it should be removed
<Krenair> but this is going off topic
<andre__> bawolff, I think that we should move Security tickets to become public once they are fixed, deployed, verified, and available in a tarball
<andre__> bawolff, and I think we do. Maybe not always, but that's definitely something that I can keep an eye on, plus csteipp
<andre__> bawolff, does that answer your question? :)
<andre__> (by the way, you can of course change the URL parameters of if you want some longterm stats)
<Krenair> How on earth is there 43 open security bugs...
<bawolff> andre__: basically I'd like there to be justification for "secret" bugs. There's 43 open in that component according to your link. Either not all of them really need to be secret, or we are doing horrible fixing security bugs
<bawolff> jinks :P
<andre__> how on earth are there 2100 MediaWiki bugs is the same question, I guess. :)
<bawolff> andre__: yeah, mostly does. I recognize a large part of this is something I should probably be bringing up with csteipp
<andre__> some were considered rather low priority or minor issues, and some are old and might some retesting
<AzaToth> andre__: many are tracking bugs
<Krenair> Do we have a chart of the number of security bugs over time?
<andre__> bawolff, makes sense. and feel free to invite me to such a meeting
<bawolff> I would argue that if a security bug is low priority, then it shouldn't really be a security bug
<andre__> Krenair: Yes, but I am not sure if this can be accessed by people that do not have access to such tickets
<Krenair> Just gives "The product name 'Security' is invalid or does not exist."
<andre__> it would be
<andre__> ah, yes
<Krenair> which is bullshit obviously, as we know it exists and changing the product works
<andre__> Krenair, meh. It works for me when being logged in, but I have access to Security bug reports
<andre__> Krenair: Yeah... Would you file a minor issue at ? But I guess that's more like my task
<andre__> ah well, I'll do it
<Krenair> I have access to 5 but it seems they don't count
<Krenair> I guess you need to be able to see them all by default
<andre__> being on CC list, I guess... nope
<andre__> yeah
<Krenair> Even though it only shows the number, which is no where near private information
<andre__> I wonder if using instead would create different results
<andre__> reports.cgi is deprecated upstream
<andre__> which I just remembered when I wanted to upstream this. Meh, would be WONTFIX anyway...
<Krenair> I have no idea how to use chart.cgi
<lizzard> andre_, are you coming to the bugzilla meeting tomorrow ?
<Krenair> Why do I have to select a sub-category?
<andre__> Krenair, the UI is the worst PITA I've ever experienced. And I don't think that I understand it myself.
<andre__> lizzard, yes!
<andre__> Bugzilla's chart.cgi would benefit from a good how-to.
<Krenair> If I give it a date range from 2004-01-01 to 2013-07-17 why do I get back a chart only showing 2013-06-14 to 2013-07-16?
<andre__> Errrm, yeah. Bugzilla. :)
<Krenair> There is no way that anything should be deprecated in favour of this
<andre__> Anyway, let me quickly talk about the next months in Wikimedia bug management!
<andre__> With regard to the task list and plans for next months, see
<Krenair> 2004-08-10 to 2013-07-16 also doesn't work -.-
<andre__> The biggest issue on that list is probably finding a way to puppetize Bugzilla that will be accepted by the Operations Team. See the review comments in
<andre__> (Ori was so awesome to write that patch, but it needs some changes)
<andre__> hexmode is currently trying again to create a Bugzilla Debian package at
<andre__> but it's not clear yet how to move on here to get Bugzilla properly puppetized. Which would be awesome for software updates, and for the Labs testing instance.
<andre__> Another thing on my list is introducing a PATCH_TO_REVIEW status in Bugzilla, see for the discussion behind.
<andre__> that status should get done in the next two or three weeks actually.
<andre__> and I've recently been playing a bit with Bugzilla's "Guided bug entry form" which is meant to make it easier to file good bug reports.
<Krenair> ... why would it take two or three weeks?
<andre__> maximum
<andre__> if nothing more urgent pops up, I'll do it in the next days
<andre__> however I wanted to have that done already, but... you know. Other unexpected issues in Bugzilla needed more attendance suddenly...
<Krenair> surely it's a few simple clicks in the UI that could be done right now?
<andre__> in Bugzilla it's just editing the statuses and the workflow.
<andre__> but we want proper integration with our Gerrit Notification bot
<andre__> that's the more interesting aspect
<andre__> Back to bringing the Guided bug entry form into an acceptable state: The corresponding ticket is but there's nothing visible to show yet, sorry
<andre__> only the current form which looks really bad and Mozilla-specific:
<andre__> No, you don't want to click that. ;)
<andre__> so yeah, I think that's it from my side
<andre__> I'm pretty happy there's some feedback and discussion here, thanks for that
<andre__> if something else comes to anybody's mind here, please speak up - we still got ten minutes left :)
<andre__> Heh. I guess I've talked you all over. :P
<andre__> so the plans on : Does that feel right to you?
<andre__> I think that means agreement. :)
<andre__> Alright then! Thanks everybody for the great conversation and the feedback! Highly appreciated!
<andre__> See you soon, and feel free to chat with me about anything Bugzilla or bug management related!