So, after the GNOME Bugzilla upgrade done by Max Kanat-Alexander / Everythingsolved, a few more changes have been made:
- Stock Responses, by Frédéric Péters.
- Patch report, by Frédéric Péters (not linked yet from browse.cgi, an example).
- Describeuser, by Frédéric Péters (not committed yet, will have a different URL due to it being an extension).
- Weekly bug summary, by Frédéric Péters (not committed yet, will also have a different URL due to being an extension).
- Uses SSL now, almost solely done by Max Kanat-Alexander.
- Lots of fixes such as NEEDINFO->UNCONFIRMED, by Max Kanat-Alexander.
- A really small bugmail change and a re-added attachment link, by me.
Because upstream is going to use Bzr (we already use the bzr.bugzilla.org mirror), we use Bzr as well. This makes merging and so on much easier. Anyway, the additions done by Frédéric are done as extensions. This should make it easier to use them in other Bugzilla installations. The code can be found at http://launchpad.net/bugzilla.gnome.org.
If you’re wondering what features are still missing, see the email from Max Kanat-Alexander to desktop-devel-list.
Why not store the extensions in the bugzilla.org repo in order to let bugzilla users find them more easily?
I noticed that you fixed the attachments to be served from bugzilla-attachments.gnome.org.
That’s a good start at closing the security hole, but it would be better to use a different domain altogether. While this change prevents attackers from reading cookies associated with bugzilla.gnome.org and scripting the site, it still lets me read and set cookies associated with “*.gnome.org” or “gnome.org”.
That leaves open an avenue for injecting cookies into other gnome.org web apps. Depending on how they are structured, that could be used to steal sessions.
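The cookie-scope point raised in the comment above can be checked mechanically. The following is an added example, not part of the original post or its comments: it applies the RFC 6265 domain-match rule to list which cookie scopes an attachment host can write that the browser would also send to an application host. It assumes a simplified public-suffix rule (only a single-label TLD counts as a public suffix), and `gnome-usercontent.example` is a hypothetical separate domain used for contrast.

```javascript
// Added example: audit whether an untrusted-content host shares a cookie
// scope with an application host (RFC 6265 domain matching).

// RFC 6265 section 5.1.3: a host matches a cookie domain when it is equal to
// it or ends with "." + domain. A leading dot in the attribute is ignored.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// Domain attribute values a host may set: itself and each parent domain,
// stopping before the public suffix. Assumption: only the single-label TLD
// is a public suffix; real browsers consult the full Public Suffix List.
function settableDomains(host) {
  const labels = host.toLowerCase().split(".");
  const out = [];
  for (let i = 0; labels.length - i >= 2; i++) {
    out.push(labels.slice(i).join("."));
  }
  return out;
}

// Scopes the content host can write AND the browser would send to appHost.
function sharedCookieScopes(contentHost, appHost) {
  return settableDomains(contentHost).filter((d) => domainMatches(appHost, d));
}

// True when the content host cannot plant any cookie that reaches appHost.
function isIsolated(contentHost, appHost) {
  return sharedCookieScopes(contentHost, appHost).length === 0;
}

// Hosts named on the page, plus one hypothetical separate domain.
const app = "bugzilla.gnome.org";
for (const content of [
  "bugzilla-attachments.gnome.org",        // sibling subdomain (current setup)
  "attachments.gnome-usercontent.example", // hypothetical separate domain
]) {
  const shared = sharedCookieScopes(content, app);
  console.log(content, "->", shared.length ? "shares " + shared.join(", ") : "isolated");
}
```

A host-only session cookie on bugzilla.gnome.org is still unreadable from the sibling host; the shared scope reported here is the parent-domain one the commenter describes.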