2.1.1. Perl

Installed Version Test: perl -v

Any machine that doesn't have Perl on it is a sad machine indeed. If you don't have it and your OS doesn't provide official packages, visit http://www.perl.com. Although Bugzilla runs with Perl 5.8.0, it's a good idea to be using the latest stable version.

2.1.2. Database Engine

From Bugzilla 2.20, support is included for using both the MySQL and PostgreSQL database servers. You only require one of these systems to make use of Bugzilla.

---

2.1.2.1. MySQL

Installed Version Test: mysql -V

If you don't have it and your OS doesn't provide official packages, visit http://www.mysql.com. You need MySQL version 4.0.14 or higher.

Many of the binary versions of MySQL store their data files in /var. On some Unix systems, this is part of a smaller root partition, and may not have room for your bug database. To change the data directory, you have to build MySQL from source yourself, and set it as an option to configure.

If you install from something other than a packaging/installation system, such as .rpm (Redhat Package), .deb (Debian Package), .exe (Windows Executable), or .msi (Microsoft Installer), make sure the MySQL server is started when the machine boots.

2.1.3. Web Server

Installed Version Test: view the default welcome page at http://<your-machine>/

You have freedom of choice here, pretty much any web server that is capable of running CGI scripts will work. However, we strongly recommend using the Apache web server (either 1.3.x or 2.x), and the installation instructions usually assume you are using it. If you have got Bugzilla working using another webserver, please share your experiences with us by filing a bug in Bugzilla Documentation.

If you don't have Apache and your OS doesn't provide official packages, visit http://httpd.apache.org/.

2.1.4. Bugzilla

Download a Bugzilla tarball (or check it out from CVS) and place it in a suitable directory, accessible by the default web server user (probably "apache" or "www"). Good locations are either directly in the main web space for your web server or perhaps in /usr/local with a symbolic link from the web space.

The default Bugzilla distribution is NOT designed to be placed in a cgi-bin directory. This includes any directory which is configured using the ScriptAlias directive of Apache.

Once all the files are in a web accessible directory, make that directory writable by your webserver's user. This is a temporary step until you run the checksetup.pl script, which locks down your installation.

2.1.5. Perl Modules

Bugzilla's installation process is based on a script called checksetup.pl. The first thing it checks is whether you have appropriate versions of all the required Perl modules. The aim of this section is to pass this check. When it passes, proceed to Section 2.2.

At this point, you need to su to root. You should remain as root until the end of the install. To check you have the required modules, run:

bash# ./checksetup.pl --check-modules

checksetup.pl will print out a list of the required and optional Perl modules, together with the versions (if any) installed on your machine. The list of required modules is reasonably long; however, you may already have several of them installed.

There is a meta-module called Bundle::Bugzilla, which installs all the other modules with a single command. You should use this if you are running Perl 5.6.1 or above.

The preferred way of installing Perl modules is via CPAN on Unix, or PPM on Windows (see Section 2.5.1.2). These instructions assume you are using CPAN; if for some reason you need to install the Perl modules manually, see Appendix D.

bash# perl -MCPAN -e 'install "<modulename>"'

If you using Bundle::Bugzilla, invoke the magic CPAN command on it. Otherwise, you need to work down the list of modules that checksetup.pl says are required, in the order given, invoking the command on each.

Many people complain that Perl modules will not install for them. Most times, the error messages complain that they are missing a file in "@INC". Virtually every time, this error is due to permissions being set too restrictively for you to compile Perl modules or not having the necessary Perl development libraries installed on your system. Consult your local UNIX systems administrator for help solving these permissions issues; if you are the local UNIX sysadmin, please consult the newsgroup/mailing list for further assistance or hire someone to help you out.

If you are using a package-based system, and attempting to install the Perl modules from CPAN, you may need to install the "development" packages for MySQL and GD before attempting to install the related Perl modules. The names of these packages will vary depending on the specific distribution you are using, but are often called <packagename>-devel.

Here is a complete list of modules and their minimum versions. Some modules have special installation notes, which follow.

Required Perl modules:

1. CGI 2.93 or CGI 3.11 if using mod_perl

2. Date::Format (2.21)

3. DBI (1.41)

4. DBD::mysql (2.9003) if using MySQL

5. DBD::Pg (1.45) if using PostgreSQL

6. File::Spec (0.84)

7. Template (2.12)

8. Mail::Mailer (1.67)

9. MIME::Base64 (3.01)

10. MIME::Parser (5.406)

1. GD (1.20) for bug charting

2. Chart::Base (1.0) for bug charting

3. GD::Graph (any) for bug charting

4. GD::Text::Align (any) for bug charting

5. XML::Twig (any) for the XML interface

6. SOAP::Lite (any) for the web service interface

7. PatchReader (0.9.4) for pretty HTML view of patches

8. Image::Magick (any) for converting BMP image attachments to PNG

---

2.1.5.3. GD (1.20)

The GD module is only required if you want graphical reports.

The Perl GD module requires some other libraries that may or may not be installed on your system, including libpng and libgd. The full requirements are listed in the Perl GD module README. If compiling GD fails, it's probably because you're missing a required library.

The version of the GD module you need is very closely tied to the libgd version installed on your system. If you have a version 1.x of libgd the 2.x versions of the GD module won't work for you.

2.1.6. Mail Transfer Agent (MTA)

Bugzilla is dependent on the availability of an e-mail system for its user authentication and for other tasks.

This is not entirely true. It is possible to completely disable email sending, or to have Bugzilla store email messages in a file instead of sending them. However, this is mainly intended for testing, as disabling or diverting email on a production machine would mean that users could miss important events (such as bug changes or the creation of new accounts). For more information, see the "maildeliverymethod" parameter in Section 3.1.

On Linux, any Sendmail-compatible MTA (Mail Transfer Agent) will suffice. Sendmail, Postfix, qmail and Exim are examples of common MTAs. Sendmail is the original Unix MTA, but the others are easier to configure, and therefore many people replace Sendmail with Postfix or Exim. They are drop-in replacements, so Bugzilla will not distinguish between them.

If you are using Sendmail, version 8.7 or higher is required. If you are using a Sendmail-compatible MTA, it must be congruent with at least version 8.7 of Sendmail.

Consult the manual for the specific MTA you choose for detailed installation instructions. Each of these programs will have their own configuration files where you must configure certain parameters to ensure that the mail is delivered properly. They are implemented as services, and you should ensure that the MTA is in the auto-start list of services for the machine.

If a simple mail sent with the command-line 'mail' program succeeds, then Bugzilla should also be fine.

2.1.7. Installing Bugzilla on mod_perl

It is now possible to run the Bugzilla software under mod_perl on Apache. mod_perl has some additional requirements to that of running Bugzilla under mod_cgi (the standard and previous way).

Bugzilla requires mod_perl to be installed, which can be obtained from http://perl.apache.org - Bugzilla requires version 1.999022 (AKA 2.0.0-RC5) to be installed.

Bugzilla also requires a more up-to-date version of the CGI perl module to be installed, version 3.11 as opposed to 2.93

Finally, Bugzilla also requires Apache::DBI (0.96) to be installed as well.

2.2.1. localconfig

You should now run checksetup.pl again, this time without the --check-modules switch.

bash# ./checksetup.pl

This time, checksetup.pl should tell you that all the correct modules are installed and will display a message about, and write out a file called, localconfig. This file contains the default settings for a number of Bugzilla parameters.

Load this file in your editor. The only value you need to change is $db_pass, the password for the user you will create for your database. Pick a strong password (for simplicity, it should not contain single quote characters) and put it here.

You may need to change the value of webservergroup if your web server does not run in the "apache" group. On Debian, for example, Apache runs in the "www-data" group. If you are going to run Bugzilla on a machine where you do not have root access (such as on a shared web hosting account), you will need to leave webservergroup empty, ignoring the warnings that checksetup.pl will subsequently display every time it in run.

The other options in the localconfig file are documented by their accompanying comments. If you have a slightly non-standard MySQL setup, you may wish to change one or more of the other "$db_*" parameters.

You may also wish to change the names of the priorities, severities, operating systems and platforms for your installation. However, you can always change these after installation has finished; if you then re-run checksetup.pl, the changes will get picked up.

2.2.2. Database Server

This section deals with configuring your database server for use with Bugzilla. Currently Section 2.2.2.1 and Section 2.2.2.2 are available.

---

2.2.2.1. MySQL

MySQL's default configuration is very insecure. Section 4.2 has some good information for improving your installation's security.

---

2.2.2.1.1. Allow large attachments

By default, MySQL will only accept packets up to 64Kb in size. If you want to have attachments larger than this, you will need to modify your /etc/my.cnf as below.

[mysqld] # Allow packets up to 1M max_allowed_packet=1M

There is also a parameter in Bugzilla called 'maxattachmentsize' (default = 1000 Kb) that controls the maximum allowable attachment size. Attachments larger than either the 'max_allowed_packet' or 'maxattachmentsize' value will not be accepted by Bugzilla.

This does not affect Big Files, attachments that are stored directly on disk instead of in the database. Their maximum size is controlled using the 'maxlocalattachment' parameter.

---

2.2.2.1.2. Allow small words in full-text indexes

By default, words must be at least four characters in length in order to be indexed by MySQL's full-text indexes. This causes a lot of Bugzilla specific words to be missed, including "cc", "ftp" and "uri".

MySQL can be configured to index those words by setting the ft_min_word_len param to the minimum size of the words to index. This can be done by modifying the /etc/my.cnf according to the example below:

[mysqld] # Allow small words in full-text indexes ft_min_word_len=2

Rebuilding the indexes can be done based on documentation found at http://www.mysql.com/doc/en/Fulltext_Fine-tuning.html.

---

2.2.2.1.3. Add a user to MySQL

You need to add a new MySQL user for Bugzilla to use. (It's not safe to have Bugzilla use the MySQL root account.) The following instructions assume the defaults in localconfig; if you changed those, you need to modify the SQL command appropriately. You will need the $db_pass password you set in localconfig in Section 2.2.1.

We use an SQL GRANT command to create a "bugs" user. This also restricts the "bugs"user to operations within a database called "bugs", and only allows the account to connect from "localhost". Modify it to reflect your setup if you will be connecting from another machine or as a different user.

Run the mysql command-line client and enter:

mysql> GRANT SELECT, INSERT, UPDATE, DELETE, INDEX, ALTER, CREATE, LOCK TABLES, CREATE TEMPORARY TABLES, DROP, REFERENCES ON bugs.* TO bugs@localhost IDENTIFIED BY '$db_pass'; mysql> FLUSH PRIVILEGES;

---

2.2.2.1.4. Permit attachments table to grow beyond 4GB

By default, MySQL will limit the size of a table to 4GB. This limit is present even if the underlying filesystem has no such limit. To set a higher limit, follow these instructions.

After you have completed the rest of the installation (or at least the database setup parts), you should run the MySQL command-line client and enter the following, replacing $bugs_db with your Bugzilla database name (bugs by default):

mysql> use $bugs_db mysql> ALTER TABLE attachments AVG_ROW_LENGTH=1000000, MAX_ROWS=20000;

The above command will change the limit to 20GB. Mysql will have to make a temporary copy of your entire table to do this. Ideally, you should do this when your attachments table is still small.

This does not affect Big Files, attachments that are stored directly on disk instead of in the database.

 bash# su - postgres

 bash$ createuser -U postgres -dAP bugs

2.2.3. checksetup.pl

Next, rerun checksetup.pl. It reconfirms that all the modules are present, and notices the altered localconfig file, which it assumes you have edited to your satisfaction. It compiles the UI templates, connects to the database using the 'bugs' user you created and the password you defined, and creates the 'bugs' database and the tables therein.

After that, it asks for details of an administrator account. Bugzilla can have multiple administrators - you can create more later - but it needs one to start off with. Enter the email address of an administrator, his or her full name, and a suitable Bugzilla password.

checksetup.pl will then finish. You may rerun checksetup.pl at any time if you wish.

2.2.4. Web server

Configure your web server according to the instructions in the appropriate section. (If it makes a difference in your choice, the Bugzilla Team recommends Apache.) Regardless of which webserver you are using, however, ensure that sensitive information is not remotely available by properly applying the access controls in Section 4.3.1. You can run testserver.pl to check if your web server serves Bugzilla files as expected.

---

2.2.4.1. Bugzilla using Apache

You have two options for running Bugzilla under Apache - mod_cgi (the default) and mod_perl (new in Bugzilla 2.23)

---

2.2.4.1.1. Apache httpd with mod_cgi

To configure your Apache web server to work with Bugzilla while using mod_cgi, do the following:

1. Load httpd.conf in your editor. In Fedora and Red Hat Linux, this file is found in /etc/httpd/conf.

2. Apache uses <Directory> directives to permit fine-grained permission setting. Add the following lines to a directive that applies to the location of your Bugzilla installation. (If such a section does not exist, you'll want to add one.) In this example, Bugzilla has been installed at /var/www/html/bugzilla.

   <Directory /var/www/html/bugzilla> AddHandler cgi-script .cgi Options +Indexes +ExecCGI DirectoryIndex index.cgi AllowOverride Limit </Directory>

   These instructions: allow apache to run .cgi files found within the bugzilla directory; instructs the server to look for a file called index.cgi if someone only types the directory name into the browser; and allows Bugzilla's .htaccess files to override global permissions.

   It is possible to make these changes globally, or to the directive controlling Bugzilla's parent directory (e.g. <Directory /var/www/html/>). Such changes would also apply to the Bugzilla directory... but they would also apply to many other places where they may or may not be appropriate. In most cases, including this one, it is better to be as restrictive as possible when granting extra access.

3. checksetup.pl can set tighter permissions on Bugzilla's files and directories if it knows what group the webserver runs as. Find the Group line in httpd.conf, place the value found there in the $webservergroup variable in localconfig, then rerun checksetup.pl.

4. Optional: If Bugzilla does not actually reside in the webspace directory, but instead has been symbolically linked there, you will need to add the following to the Options line of the Bugzilla <Directory> directive (the same one as in the step above):

   +FollowSymLinks

   Without this directive, Apache will not follow symbolic links to places outside its own directory structure, and you will be unable to run Bugzilla.

---

2.2.4.1.2. Apache httpd with mod_perl

Some configuration is required to make Bugzilla work with Apache and mod_perl

1. Load httpd.conf in your editor. In Fedora and Red Hat Linux, this file is found in /etc/httpd/conf.

2. Add the following information to your httpd.conf file, substituting where appropriate with your own local paths.

   This should be used instead of the <Directory> block shown above. This should also be above any other mod_perl directives within the httpd.conf and must be specified in the order as below.

   You should also ensure that you have disabled KeepAlive support in your Apache install when utilizing Bugzilla under mod_perl

   PerlSwitches -I/var/www/html/bugzilla -w -T PerlConfigRequire /var/www/html/bugzilla/mod_perl.pl

3. checksetup.pl can set tighter permissions on Bugzilla's files and directories if it knows what group the webserver runs as. Find the Group line in httpd.conf, place the value found there in the $webservergroup variable in localconfig, then rerun checksetup.pl.

On restarting Apache, Bugzilla should now be running within the mod_perl environment. Please ensure you have run checksetup.pl to set permissions before you restart Apache.

Please bear the following points in mind when looking at using Bugzilla under mod_perl: mod_perl support in Bugzilla can take up a HUGE amount of RAM. You could be lookng at 30MB per httpd child, easily. Basically, you just need a lot of RAM. The more RAM you can get, the better. mod_perl is basically trading RAM for speed. At least 2GB total system RAM is recommended for running Bugzilla under mod_perl. Under mod_perl, you have to restart Apache if you make any manual change to any Bugzilla file. You can't just reload--you have to actually restart the server (as in make sure it stops and starts again). You can change localconfig and the params file manually, if you want, because those are re-read every time you load a page. You must run in Apache's Prefork MPM (this is the default). The Worker MPM may not work--we haven't tested Bugzilla's mod_perl support under threads. (And, in fact, we're fairly sure it won't work.) Bugzilla generally expects to be the only mod_perl application running on your entire server. It may or may not work if there are other applications also running under mod_perl. It does try its best to play nice with other mod_perl applications, but it still may have conflicts. It is recommended that you have one Bugzilla instance running under mod_perl on your server. Bugzilla has not been tested with more than one instance running.

---

2.2.4.2. Microsoft Internet Information Services

If you are running Bugzilla on Windows and choose to use Microsoft's Internet Information Services or Personal Web Server you will need to perform a number of other configuration steps as explained below. You may also want to refer to the following Microsoft Knowledge Base articles: 245225 "HOW TO: Configure and Test a PERL Script with IIS 4.0, 5.0, and 5.1" (for Internet Information Services) and 231998 "HOW TO: FP2000: How to Use Perl with Microsoft Personal Web Server on Windows 95/98" (for Personal Web Server).

You will need to create a virtual directory for the Bugzilla install. Put the Bugzilla files in a directory that is named something other than what you want your end-users accessing. That is, if you want your users to access your Bugzilla installation through "http://<yourdomainname>/Bugzilla", then do not put your Bugzilla files in a directory named "Bugzilla". Instead, place them in a different location, and then use the IIS Administration tool to create a Virtual Directory named "Bugzilla" that acts as an alias for the actual location of the files. When creating that virtual directory, make sure you add the "Execute (such as ISAPI applications or CGI)" access permission.

You will also need to tell IIS how to handle Bugzilla's .cgi files. Using the IIS Administration tool again, open up the properties for the new virtual directory and select the Configuration option to access the Script Mappings. Create an entry mapping .cgi to:

<full path to perl.exe >\perl.exe -x<full path to Bugzilla> -wT "%s" %s

For example:

c:\perl\bin\perl.exe -xc:\bugzilla -wT "%s" %s

The ActiveState install may have already created an entry for .pl files that is limited to "GET,HEAD,POST". If so, this mapping should be removed as Bugzilla's .pl files are not designed to be run via a webserver.

IIS will also need to know that the index.cgi should be treated as a default document. On the Documents tab page of the virtual directory properties, you need to add index.cgi as a default document type. If you wish, you may remove the other default document types for this particular virtual directory, since Bugzilla doesn't use any of them.

Also, and this can't be stressed enough, make sure that files such as localconfig and your data directory are secured as described in Section 4.3.1.

2.2.5. Bugzilla

Your Bugzilla should now be working. Access http://<your-bugzilla-server>/ - you should see the Bugzilla front page. If not, consult the Troubleshooting section, Appendix B.

The URL above may be incorrect if you installed Bugzilla into a subdirectory or used a symbolic link from your web site root to the Bugzilla directory.

Log in with the administrator account you defined in the last checksetup.pl run. You should go through the parameters on the Edit Parameters page (see link in the footer) and see if there are any you wish to change. They key parameters are documented in Section 3.1; you should certainly alter maintainer and urlbase; you may also want to alter cookiepath or requirelogin.

This would also be a good time to revisit the localconfig file and make sure that the names of the priorities, severities, platforms and operating systems are those you wish to use when you start creating bugs. Remember to rerun checksetup.pl if you change it.

Bugzilla has several optional features which require extra configuration. You can read about those in Section 2.3.

2.3.1. Bug Graphs

If you have installed the necessary Perl modules you can start collecting statistics for the nifty Bugzilla graphs.

bash# crontab -e

This should bring up the crontab file in your editor. Add a cron entry like this to run collectstats.pl daily at 5 after midnight:

5 0 * * * cd <your-bugzilla-directory> ; ./collectstats.pl

After two days have passed you'll be able to view bug graphs from the Reports page.

When upgrading Bugzilla, this format may change. To create new status data, (re)move old data and run the following commands:

        bash$
        cd <your-bugzilla-directory>
        bash$
        ./collectstats.pl --regenerate
      

Windows does not have 'cron', but it does have the Task Scheduler, which performs the same duties. There are also third-party tools that can be used to implement cron, such as nncron.

2.3.2. Dependency Charts

As well as the text-based dependency trees, Bugzilla also supports a graphical view of dependency relationships, using a package called 'dot'. Exactly how this works is controlled by the 'webdotbase' parameter, which can have one of three values:

1. A complete file path to the command 'dot' (part of GraphViz) will generate the graphs locally

2. A URL prefix pointing to an installation of the webdot package will generate the graphs remotely

3. A blank value will disable dependency graphing.

The easiest way to get this working is to install GraphViz. If you do that, you need to enable server-side image maps in Apache. Alternatively, you could set up a webdot server, or use the AT&T public webdot server. This is the default for the webdotbase param, but it's often overloaded and slow. Note that AT&T's server won't work if Bugzilla is only accessible using HARTS. Editor's note: What the heck is HARTS? Google doesn't know...

2.3.3. The Whining Cron

What good are bugs if they're not annoying? To help make them more so you can set up Bugzilla's automatic whining system to complain at engineers which leave their bugs in the NEW or REOPENED state without triaging them.

This can be done by adding the following command as a daily crontab entry, in the same manner as explained above for bug graphs. This example runs it at 12.55am.

55 0 * * * cd <your-bugzilla-directory> ; ./whineatnews.pl

Windows does not have 'cron', but it does have the Task Scheduler, which performs the same duties. There are also third-party tools that can be used to implement cron, such as nncron.

2.3.4. Whining

As of Bugzilla 2.20, users can configure Bugzilla to regularly annoy them at regular intervals, by having Bugzilla execute saved searches at certain times and emailing the results to the user. This is known as "Whining". The process of configuring Whining is described in Section 6.13, but for it to work a Perl script must be executed at regular intervals.

This can be done by adding the following command as a daily crontab entry, in the same manner as explained above for bug graphs. This example runs it every 15 minutes.

*/15 * * * * cd <your-bugzilla-directory> ; ./whine.pl

Whines can be executed as often as every 15 minutes, so if you specify longer intervals between executions of whine.pl, some users may not be whined at as often as they would expect. Depending on the person, this can either be a very Good Thing or a very Bad Thing.

Windows does not have 'cron', but it does have the Task Scheduler, which performs the same duties. There are also third-party tools that can be used to implement cron, such as nncron.

2.3.5. Patch Viewer

Patch Viewer is the engine behind Bugzilla's graphical display of code patches. You can integrate this with copies of the cvs, lxr and bonsai tools if you have them, by giving the locations of your installation of these tools in editparams.cgi.

Patch Viewer also optionally will use the cvs, diff and interdiff command-line utilities if they exist on the system. Interdiff can be obtained from http://cyberelk.net/tim/patchutils/. If these programs are not in the system path, you can configure their locations in localconfig.

2.3.6. LDAP Authentication

LDAP authentication is a module for Bugzilla's plugin authentication architecture.

The existing authentication scheme for Bugzilla uses email addresses as the primary user ID, and a password to authenticate that user. All places within Bugzilla where you need to deal with user ID (e.g assigning a bug) use the email address. The LDAP authentication builds on top of this scheme, rather than replacing it. The initial log in is done with a username and password for the LDAP directory. Bugzilla tries to bind to LDAP using those credentials, and if successful, try to map this account to a Bugzilla account. If a LDAP mail attribute is defined, the value of this attribute is used, otherwise emailsuffix parameter is appended to LDAP username to form a full email address. If an account for this address already exists in your Bugzilla system, it will log in to that account. If no account for that email address exists, one is created at the time of login. (In this case, Bugzilla will attempt to use the "displayName" or "cn" attribute to determine the user's full name.) After authentication, all other user-related tasks are still handled by email address, not LDAP username. You still assign bugs by email address, query on users by email address, etc.

Because the Bugzilla account is not created until the first time a user logs in, a user who has not yet logged is unknown to Bugzilla. This means they cannot be used as an assignee or QA contact (default or otherwise), added to any cc list, or any other such operation. One possible workaround is the bugzilla_ldapsync.rb script in the contrib directory. Another possible solution is fixing bug 201069.

Parameters required to use LDAP Authentication:

2.3.7. Serving Alternate Formats with the right MIME type

Some Bugzilla pages have alternate formats, other than just plain HTML. In particular, a few Bugzilla pages can output their contents as either XUL (a special Mozilla format, that looks like a program GUI) or RDF (a type of structured XML that can be read by various programs).

In order for your users to see these pages correctly, Apache must send them with the right MIME type. To do this, add the following lines to your Apache configuration, either in the <VirtualHost> section for your Bugzilla, or in the <Directory> section for your Bugzilla:

AddType application/vnd.mozilla.xul+xml .xul AddType application/rdf+xml .rdf

2.5.1. Microsoft Windows

Making Bugzilla work on Windows is more difficult than making it work on Unix. For that reason, we still recommend doing so on a Unix based system such as GNU/Linux. That said, if you do want to get Bugzilla running on Windows, you will need to make the following adjustments.

---

2.5.1.2. Perl Modules on Win32

Bugzilla on Windows requires the same perl modules found in Section 2.1.5. The main difference is that windows uses PPM instead of CPAN.

C:\perl> ppm install <module name>

The best source for the Windows PPM modules needed for Bugzilla is probably the Bugzilla Test Server (aka 'Landfill'), so you should add the Landfill package repository as follows:

ppm repository add landfill http://www.landfill.bugzilla.org/ppm/

The PPM repository stores modules in 'packages' that may have a slightly different name than the module. If retrieving these modules from there, you will need to pay attention to the information provided when you run checksetup.pl as it will tell you what package you'll need to install.

If you are behind a corporate firewall, you will need to let the ActiveState PPM utility know how to get through it to access the repositories by setting the HTTP_proxy system environmental variable. For more information on setting that variable, see the ActiveState documentation.

---

2.5.1.4. Serving the web pages

As is the case on Unix based systems, any web server should be able to handle Bugzilla; however, the Bugzilla Team still recommends Apache whenever asked. No matter what web server you choose, be sure to pay attention to the security notes in Section 4.3.1. More information on configuring specific web servers can be found in Section 2.2.4.

If using Apache on windows, you can set the ScriptInterpreterSource directive in your Apache config to avoid having to modify the first line of every script to contain your path to perl perl instead of /usr/bin/perl.

2.5.2. Mac OS X

Making Bugzilla work on Mac OS X requires the following adjustments.

---

2.5.2.2. Libraries & Perl Modules on Mac OS X

Apple did not include the GD library with Mac OS X. Bugzilla needs this for bug graphs.

You can install it using a program called Fink, which is similar in nature to the CPAN installer, but installs common GNU utilities. Fink is available from http://sourceforge.net/projects/fink/.

Follow the instructions for setting up Fink. Once it's installed, you'll want to use it to install the gd2 package.

It will prompt you for a number of dependencies, type 'y' and hit enter to install all of the dependencies and then watch it work. You will then be able to use CPAN to install the GD Perl module.

To prevent creating conflicts with the software that Apple installs by default, Fink creates its own directory tree at /sw where it installs most of the software that it installs. This means your libraries and headers will be at /sw/lib and /sw/include instead of /usr/lib and /usr/include. When the Perl module config script asks where your libgd is, be sure to tell it /sw/lib.

Also available via Fink is expat. After using fink to install the expat package you will be able to install XML::Parser using CPAN. There is one caveat. Unlike recent versions of the GD module, XML::Parser doesn't prompt for the location of the required libraries. When using CPAN, you will need to use the following command sequence:

# perl -MCPAN -e'look XML::Parser' # perl Makefile.PL EXPATLIBPATH=/sw/lib EXPATINCPATH=/sw/include # make; make test; make install # exit

The look command will download the module and spawn a new shell with the extracted files as the current working directory. The exit command will return you to your original shell.

You should watch the output from these make commands, especially "make test" as errors may prevent XML::Parser from functioning correctly with Bugzilla.

2.5.3. Linux-Mandrake 8.0

Linux-Mandrake 8.0 includes every required and optional library for Bugzilla. The easiest way to install them is by using the urpmi utility. If you follow these commands, you should have everything you need for Bugzilla, and ./checksetup.pl should not complain about any missing libraries. You may already have some of these installed.

bash# urpmi perl-mysql
bash# urpmi perl-chart
bash# urpmi perl-gd
bash# urpmi perl-MailTools             
bash# urpmi apache-modules
      

2.6.1. Introduction

If you are running a *NIX OS as non-root, either due to lack of access (web hosts, for example) or for security reasons, this will detail how to install Bugzilla on such a setup. It is recommended that you read through the Section 2.1 first to get an idea on the installation steps required. (These notes will reference to steps in that guide.)

2.6.2. MySQL

You may have MySQL installed as root. If you're setting up an account with a web host, a MySQL account needs to be set up for you. From there, you can create the bugs account, or use the account given to you.

You may have problems trying to set up GRANT permissions to the database. If you're using a web host, chances are that you have a separate database which is already locked down (or one big database with limited/no access to the other areas), but you may want to ask your system administrator what the security settings are set to, and/or run the GRANT command for you. Also, you will probably not be able to change the MySQL root user password (for obvious reasons), so skip that step.

---

2.6.2.1. Running MySQL as Non-Root

2.6.2.1.1. The Custom Configuration Method

Create a file .my.cnf in your home directory (using /home/foo in this example) as follows....

[mysqld] datadir=/home/foo/mymysql socket=/home/foo/mymysql/thesock port=8081 [mysql] socket=/home/foo/mymysql/thesock port=8081 [mysql.server] user=mysql basedir=/var/lib [safe_mysqld] err-log=/home/foo/mymysql/the.log pid-file=/home/foo/mymysql/the.pid

---

2.6.2.1.2. The Custom Built Method

You can install MySQL as a not-root, if you really need to. Build it with PREFIX set to /home/foo/mysql, or use pre-installed executables, specifying that you want to put all of the data files in /home/foo/mysql/data. If there is another MySQL server running on the system that you do not own, use the -P option to specify a TCP port that is not in use.

---

2.6.2.1.3. Starting the Server

After your mysqld program is built and any .my.cnf file is in place, you must initialize the databases (ONCE).

bash$ mysql_install_db

Then start the daemon with

bash$ safe_mysql &

After you start mysqld the first time, you then connect to it as "root" and GRANT permissions to other users. (Again, the MySQL root account has nothing to do with the *NIX root account.)

You will need to start the daemons yourself. You can either ask your system administrator to add them to system startup files, or add a crontab entry that runs a script to check on these daemons and restart them if needed.

Do NOT run daemons or other services on a server without first consulting your system administrator! Daemons use up system resources and running one may be in violation of your terms of service for any machine on which you are a user!

2.6.3. Perl

On the extremely rare chance that you don't have Perl on the machine, you will have to build the sources yourself. The following commands should get your system installed with your own personal version of Perl:

        bash$
        wget http://perl.com/CPAN/src/stable.tar.gz
        bash$
        tar zvxf stable.tar.gz
        bash$
        cd perl-5.8.1 (or whatever the version of Perl is called)
        bash$
        sh Configure -de -Dprefix=/home/foo/perl
        bash$
        make && make test && make install
      

Once you have Perl installed into a directory (probably in ~/perl/bin), you'll have to change the locations on the scripts, which is detailed later on this page.

2.6.4. Perl Modules

Installing the Perl modules as a non-root user is probably the hardest part of the process. There are two different methods: a completely independant Perl with its own modules, or personal modules using the current (root installed) version of Perl. The independant method takes up quite a bit of disk space, but is less complex, while the mixed method only uses as much space as the modules themselves, but takes more work to setup.

          cpan>
          install GD
          cpan>
          install Chart::Base
          cpan>
          install MIME::Parser
        

2.6.5. HTTP Server

Ideally, this also needs to be installed as root and run under a special webserver account. As long as the web server will allow the running of *.cgi files outside of a cgi-bin, and a way of denying web access to certain files (such as a .htaccess file), you should be good in this department.

---

2.6.5.1. Running Apache as Non-Root

You can run Apache as a non-root user, but the port will need to be set to one above 1024. If you type httpd -V, you will get a list of the variables that your system copy of httpd uses. One of those, namely HTTPD_ROOT, tells you where that installation looks for its config information.

From there, you can copy the config files to your own home directory to start editing. When you edit those and then use the -d option to override the HTTPD_ROOT compiled into the web server, you get control of your own customized web server.

You will need to start the daemons yourself. You can either ask your system administrator to add them to system startup files, or add a crontab entry that runs a script to check on these daemons and restart them if needed.

Do NOT run daemons or other services on a server without first consulting your system administrator! Daemons use up system resources and running one may be in violation of your terms of service for any machine on which you are a user!

2.6.6. Bugzilla

If you had to install Perl modules as a non-root user (Section 2.6.4) or to non-standard directories, you will need to change the scripts, setting the correct location of the Perl modules:

perl -pi -e 's@use strict\;@use strict\; use lib \"/home/foo/perl/lib\"\;@' *cgi *pl Bug.pm processmail syncshadowdb

Change /home/foo/perl/lib to your personal Perl library directory. You can probably skip this step if you are using the independant method of Perl module installation.

When you run ./checksetup.pl to create the localconfig file, it will list the Perl modules it finds. If one is missing, go back and double-check the module installation from the CPAN shell, then delete the localconfig file and try again.

The one option in localconfig you might have problems with is the web server group. If you can't successfully browse to the index.cgi (like a Forbidden error), you may have to relax your permissions, and blank out the web server group. Of course, this may pose as a security risk. Having a properly jailed shell and/or limited access to shell accounts may lessen the security risk, but use at your own risk.

3.2.1. Creating the Default User

When you first run checksetup.pl after installing Bugzilla, it will prompt you for the administrative username (email address) and password for this "super user". If for some reason you delete the "super user" account, re-running checksetup.pl will again prompt you for this username and password.

If you wish to add more administrative users, add them to the "admin" group and, optionally, add edit the tweakparams, editusers, creategroups, editcomponents, and editkeywords groups to add the entire admin group to those groups.

3.2.2. Managing Other Users

---

3.2.2.3. Impersonating Users

There may be times when an administrator would like to do something as another user. The sudo feature may be used to do this.

To use the sudo feature, you must be in the bz_sudoers group. By default, all administrators are in this group.

If you have access to this feature, you may start a session by going to the Edit Users page, Searching for a user and clicking on their login. You should see a link below their login name titled "Impersonate this user". Click on the link. This will take you to a page where you will see a description of the feature and instructions for using it. After reading the text, simply enter the login of the user you would like to impersonate, provide a short message explaining why you are doing this, and press the button.

As long as you are using this feature, everything you do will be done as if you were logged in as the user you are impersonating.

The user you are impersonating will not be told about what you are doing. If you do anything that results in mail being sent, that mail will appear to be from the user you are impersonating. You should be extremely careful while using this feature.

3.8.1. A Simple Example

A developer might want to ask their manager, "Should we fix this bug before we release version 2.0?" They might want to do this for a lot of bugs, so it would be nice to streamline the process...

In Bugzilla, it would work this way:

1. The Bugzilla administrator creates a flag type called "blocking2.0" that shows up on all bugs in your product.

   It shows up on the "Show Bug" screen as the text "blocking2.0" with a drop-down box next to it. The drop-down box contains four values: an empty space, "?", "-", and "+".

2. The developer sets the flag to "?".

3. The manager sees the blocking2.0 flag with a "?" value.

4. If the manager thinks the feature should go into the product before version 2.0 can be released, he sets the flag to "+". Otherwise, he sets it to "-".

5. Now, every Bugzilla user who looks at the bug knows whether or not the bug needs to be fixed before release of version 2.0.

3.8.2. About Flags

3.8.3. Using flag requests

If a flag has been defined as 'requestable', users are allowed to set the flag's status to "?". This status indicates that someone (aka "the requester" is asking for someone else to set the flag to either "+" or "-".

If a flag has been defined as 'specifically requestable', a text box will appear next to the flag into which the requester may enter a Bugzilla username. That named person (aka "the requestee") will receive an email notifying them of the request, and pointing them to the bug/attachment in question.

If a flag has not been defined as 'specifically requestable', then no such text-box will appear. A request to set this flag cannot be made of any specific individual, but must be asked "to the wind". A requester may "ask the wind" on any flag simply by leaving the text-box blank.

3.8.4. Two Types of Flags

Flags can go in two places: on an attachment, or on a bug.

3.8.5. Administering Flags

If you have the "editcomponents" permission, you will have "Edit: ... | Flags | ..." in your page footer. Clicking on that link will bring you to the "Administer Flag Types" page. Here, you can select whether you want to create (or edit) a Bug flag, or an Attachment flag.

No matter which you choose, the interface is the same, so we'll just go over it once.

---

3.8.5.2. Deleting a Flag

When you are at the "Administer Flag Types" screen, you will be presented with a list of Bug flags and a list of Attachment Flags.

To delete a flag, click on the "Delete" link next to the flag description.

Once you delete a flag, it is gone from your Bugzilla. All the data for that flag will be deleted. Everywhere that flag was set, it will disappear, and you cannot get that data back. If you want to keep flag data, but don't want anybody to set any new flags or change current flags, unset "active" in the flag Edit form.

3.11.1. Creating Groups

To create Groups:

1. Select the "groups" link in the footer.

2. Take a moment to understand the instructions on the "Edit Groups" screen, then select the "Add Group" link.

3. Fill out the "Group", "Description", and "User RegExp" fields. "User RegExp" allows you to automatically place all users who fulfill the Regular Expression into the new group. When you have finished, click "Add".

   Users whose email addresses match the regular expression will automatically be members of the group as long as their email addresses continue to match the regular expression.

   This is a change from 2.16 where the regular expression resulted in a user acquiring permanent membership in a group. To remove a user from a group the user was in due to a regular expression in version 2.16 or earlier, the user must be explicitly removed from the group. This can easily be done by pressing buttons named 'Remove Memberships' or 'Remove Memberships included in regular expression' under the table.

   If specifying a domain in the regexp, make sure you end the regexp with a $. Otherwise, when granting access to "@mycompany\.com", you will allow access to 'badperson@mycompany.com.cracker.net'. You need to use '@mycompany\.com$' as the regexp.

4. If you plan to use this group to directly control access to bugs, check the "use for bugs" box. Groups not used for bugs are still useful because other groups can include the group as a whole.

5. After you add your new group, edit the new group. On the edit page, you can specify other groups that should be included in this group and which groups should be permitted to add and delete users from this group.

3.11.2. Assigning Users to Groups

Users can become a member of a group in several ways.

1. The user can be explicitly placed in the group by editing the user's own profile

2. The group can include another group of which the user is a member.

3. The user's email address can match a regular expression that the group specifies to automatically grant membership to the group.

3.11.3. Assigning Group Controls to Products

On the product edit page, there is a page to edit the "Group Controls" for a product. This allows you to configure how a group relates to the product. Groups may be applicable, default, and mandatory as well as used to control entry or used to make bugs in the product totally read-only unless the group restrictions are met.

For each group, it is possible to specify if membership in that group is...

1. required for bug entry,

2. Not applicable to this product(NA), a possible restriction for a member of the group to place on a bug in this product(Shown), a default restriction for a member of the group to place on a bug in this product(Default), or a mandatory restriction to be placed on bugs in this product(Mandatory).

3. Not applicable by non-members to this product(NA), a possible restriction for a non-member of the group to place on a bug in this product(Shown), a default restriction for a non-member of the group to place on a bug in this product(Default), or a mandatory restriction to be placed on bugs in this product when entered by a non-member(Mandatory).

4. required in order to make any change to bugs in this product including comments.

These controls are often described in this order, so a product that requires a user to be a member of group "foo" to enter a bug and then requires that the bug stay restricted to group "foo" at all times and that only members of group "foo" can edit the bug even if they otherwise could see the bug would have its controls summarized by...

 
foo: ENTRY, MANDATORY/MANDATORY, CANEDIT
      

3.11.4. Common Applications of Group Controls

 
Product A...
security: SHOWN/SHOWN
Product B...
security: SHOWN/SHOWN
Product C...
security: SHOWN/SHOWN
      

 
Product Security...
securityworkers: DEFAULT/MANDATORY
      

Product A...
AccessA: ENTRY, MANDATORY/MANDATORY
Product B...
AccessB: ENTRY, MANDATORY/MANDATORY
      

Product A...
AccessA: ENTRY, MANDATORY/MANDATORY
Support: SHOWN/NA
Product B...
AccessB: ENTRY, MANDATORY/MANDATORY
Support: SHOWN/NA
Product Common...
Support: ENTRY, DEFAULT/MANDATORY, CANEDIT
      

3.12.1. Version Definitions

Bugzilla displays the version you are using at the top of most pages you load. It will look something like '2.16.7' or '2.18rc3' or '2.19.1+'. The first number in this series is the Major Version. This does not change very often (that is to say, almost never); Bugzilla was 1.x.x when it was first created, and went to 2.x.x when it was re-written in perl in Sept 1998. If/When the major version is changed to 3.x.x, it will signify a significant structural change and will be accompanied by much fanfare and many instructions on how to upgrade, including a revision to this page. :)

The second number in the version is called the 'minor number', and a release that changes the minor number is called a 'point release'. An even number in this position (2.14, 2.16, 2.18, 2.20, etc.) represents a stable version, while an odd number (2.17, 2.19, etc.) represents a development version. In the past, stable point releases were feature-based, coming when certain enhancements had been completed, or the Bugzilla development team felt that enough progress had been made overall. As of version 2.18, however, Bugzilla has moved to a time-based release schedule; current plans are to create a stable point release every 6 months or so after 2.18 is deployed.

The third number in the Bugzilla version represents a bugfix version. Bugfix Revisions are normally released only to address security vulnerabilities; in the future, it is likely that the Bugzilla development team will back-port bugfixes in a new point release to the old point release for a limited period. Once enough of these bugfixes have accumulated (or a new security vulnerability is identified and closed), a bugfix release will be made. As an example, 2.16.6 was a bugfix release, and improved on 2.16.5.

When reading version numbers, everything separated by a point ('.') should be read as a single number. It is not the same as decimal. 2.14 is newer than 2.8 because minor version 14 is greater than minor version 8. 2.24.11 would be newer than 2.24.9 (because bugfix 11 is greater than bugfix 9. This is confusing to some people who aren't used to dealing with software.

3.12.2. Upgrading - Methods and Procedure

There are three different ways to upgrade your installation.

1. Using CVS (Section 3.12.2.1)

2. Downloading a new tarball (Section 3.12.2.2)

3. Applying the relevant patches (Section 3.12.2.3)

Each of these options has its own pros and cons; the one that's right for you depends on how long it has been since you last installed, the degree to which you have customized your installation, and/or your network configuration. (Some discussion of the various methods of updating compared with degree and methods of local customization can be found in Section 5.2.2.)

The larger the jump you are trying to make, the more difficult it is going to be to upgrade if you have made local customizations. Upgrading from 2.18 to 2.18.1 should be fairly painless even if you are heavily customized, but going from 2.14 to 2.18 is going to mean a fair bit of work re-writing your local changes to use the new files, logic, templates, etc. If you have done no local changes at all, however, then upgrading should be approximately the same amount of work regardless of how long it has been since your version was released.

Upgrading is a one-way process. You should backup your database and current Bugzilla directory before attempting the upgrade. If you wish to revert to the old Bugzilla version for any reason, you will have to restore from these backups.

The examples in the following sections are written as though the user were updating to version 2.18.1, but the procedures are the same regardless of whether one is updating to a new point release or simply trying to obtain a new bugfix release. Also, in the examples the user's Bugzilla installation is found at /var/www/html/bugzilla. If that is not the same as the location of your Bugzilla installation, simply substitute the proper paths where appropriate.

---

3.12.2.1. Upgrading using CVS

Every release of Bugzilla, whether it is a point release or a bugfix, is tagged in CVS. Also, every tarball that has been distributed since version 2.12 has been created in such a way that it can be used with CVS once it is unpacked. Doing so, however, requires that you are able to access cvs-mirror.mozilla.org on port 2401, which may not be an option or a possibility for some users, especially those behind a highly restrictive firewall.

If you can, updating using CVS is probably the most painless method, especially if you have a lot of local changes.

The following shows the sequence of commands needed to update a Bugzilla installation via CVS, and a typical series of results.

bash$ cd /var/www/html/bugzilla bash$ cvs login Logging in to :pserver:anonymous@cvs-mirror.mozilla.org:2401/cvsroot CVS password: ('anonymous', or just leave it blank) bash$ cvs -q update -r BUGZILLA-2_18_1 -dP P checksetup.pl P collectstats.pl P globals.pl P docs/rel_notes.txt P template/en/default/list/quips.html.tmpl (etc.)

If a line in the output from cvs update begins with a C, then that represents a file with local changes that CVS was unable to properly merge. You need to resolve these conflicts manually before Bugzilla (or at least the portion using that file) will be usable.

---

3.12.2.2. Upgrading using the tarball

If you are unable (or unwilling) to use CVS, another option that's always available is to obtain the latest tarball from the Download Page and create a new Bugzilla installation from that.

This sequence of commands shows how to get the tarball from the command-line; it is also possible to download it from the site directly in a web browser. If you go that route, save the file to the /var/www/html directory (or its equivalent, if you use something else) and omit the first three lines of the example.

bash$ cd /var/www/html bash$ wget ftp://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-2.18.1.tar.gz (Output omitted) bash$ tar xzvf bugzilla-2.18.1.tar.gz bugzilla-2.18.1/ bugzilla-2.18.1/.cvsignore bugzilla-2.18.1/1x1.gif (Output truncated) bash$ cd bugzilla-2.18.1 bash$ cp ../bugzilla/localconfig* . bash$ cp -r ../bugzilla/data . bash$ cd .. bash$ mv bugzilla bugzilla.old bash$ mv bugzilla-2.18.1 bugzilla

The cp commands both end with periods which is a very important detail, it tells the shell that the destination directory is the current working directory.

This upgrade method will give you a clean install of Bugzilla with the same version as the tarball. That's fine if you don't have any local customizations that you want to maintain, but if you do then you will need to reapply them by hand to the appropriate files.

It's worth noting that since 2.12, the Bugzilla tarballs come CVS-ready, so if you decide at a later date that you'd rather use CVS as an upgrade method, your code will already be set up for it.

---

3.12.2.3. Upgrading using patches

If you are doing a bugfix upgrade -- that is, one where only the last number of the revision changes, such as from 2.16.6 to 2.16.7 -- then you have the option of obtaining and applying a patch file from the Download Page. This file is made available by the Bugzilla Development Team, and is a collection of all the bug fixes and security patches that have been made since the last bugfix release. If you are planning to upgrade via patches, it is safer to grab this developer-made patch file than to read the patch notes and apply all (or even just some of) the patches oneself, as sometimes patches on bugs get changed before they get checked in.

As above, this example starts with obtaining the file via the command line. If you have already downloaded it, you can omit the first two commands.

bash$ cd /var/www/html/bugzilla bash$ wget ftp://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-2.18.0-to-2.18.1.diff.gz (Output omitted) bash$ gunzip bugzilla-2.18.0-to-2.18.1.diff.gz bash$ patch -p1 < bugzilla-2.18.0-to-2.18.1.diff patching file checksetup.pl patching file collectstats.pl patching file globals.pl (etc.)

Be aware that upgrading from a patch file does not change the entries in your CVS directory. This could make it more difficult to upgrade using CVS (Section 3.12.2.1) in the future.

3.12.3. Completing Your Upgrade

Regardless of which upgrade method you choose, you will need to run ./checksetup.pl before your Bugzilla upgrade will be complete.

bash$ cd bugzilla
bash$ ./checksetup.pl
      

The period at the beginning of the command ./checksetup.pl is important and can not be omitted.

If you have done a lot of local modifications, it wouldn't hurt to run the Bugzilla Testing suite. This is not a required step, but it isn't going to hurt anything, and might help point out some areas that could be improved. (More information on the test suite can be had by following this link to the appropriate section in the Developers' Guide.)

4.1.1. TCP/IP Ports

The TCP/IP standard defines more than 65,000 ports for sending and receiving traffic. Of those, Bugzilla needs exactly one to operate (different configurations and options may require up to 3). You should audit your server and make sure that you aren't listening on any ports you don't need to be. It's also highly recommended that the server Bugzilla resides on, along with any other machines you administer, be placed behind some kind of firewall.

4.1.2. System User Accounts

Many daemons, such as Apache's httpd or MySQL's mysqld, run as either "root" or "nobody". This is even worse on Windows machines where the majority of services run as "SYSTEM". While running as "root" or "SYSTEM" introduces obvious security concerns, the problems introduced by running everything as "nobody" may not be so obvious. Basically, if you run every daemon as "nobody" and one of them gets compromised it can compromise every other daemon running as "nobody" on your machine. For this reason, it is recommended that you create a user account for each daemon.

You will need to set the webservergroup option in localconfig to the group your webserver runs as. This will allow ./checksetup.pl to set file permissions on Unix systems so that nothing is world-writable.

4.1.3. The chroot Jail

If your system supports it, you may wish to consider running Bugzilla inside of a chroot jail. This option provides unprecedented security by restricting anything running inside the jail from accessing any information outside of it. If you wish to use this option, please consult the documentation that came with your system.

4.2.1. The MySQL System Account

As mentioned in Section 4.1.2, the MySQL daemon should run as a non-privileged, unique user. Be sure to consult the MySQL documentation or the documentation that came with your system for instructions.

4.2.2. The MySQL "root" and "anonymous" Users

By default, MySQL comes with a "root" user with a blank password and an "anonymous" user, also with a blank password. In order to protect your data, the "root" user should be given a password and the anonymous user should be disabled.

bash$ mysql mysql
mysql> UPDATE user SET password = password('new_password') WHERE user = 'root';
mysql> FLUSH PRIVILEGES;
        

bash$ mysql -u root -p mysql           
Enter Password: new_password
mysql> DELETE FROM user WHERE user = '';
mysql> FLUSH PRIVILEGES;
        

4.2.3. Network Access

If MySQL and your webserver both run on the same machine and you have no other reason to access MySQL remotely, then you should disable the network access. This, along with the suggestion in Section 4.1.1, will help protect your system from any remote vulnerabilities in MySQL.

4.3.1. Disabling Remote Access to Bugzilla Configuration Files

There are many files that are placed in the Bugzilla directory area that should not be accessable from the web. Because of the way Bugzilla is currently layed out, the list of what should and should not be accessible is rather complicated. A new installation method is currently in the works which should solve this by allowing files that shouldn't be accessible from the web to be placed in a directory outside the webroot. See bug 44659 for more information.

Bugzilla ships with the ability to create .htaccess files that enforce these rules. Instructions for enabling these directives in Apache can be found in Section 2.2.4.1

• In the main Bugzilla directory, you should:

  • Block: *.pl, *localconfig*

• In data:

  • Block everything

  • But allow: duplicates.rdf

• In data/webdot:

  • If you use a remote webdot server:

    • Block everything

    • But allow *.dot only for the remote webdot server

  • Otherwise, if you use a local GraphViz:

    • Block everything

    • But allow: *.png, *.gif, *.jpg, *.map

  • And if you don't use any dot:

    • Block everything

• In Bugzilla:

  • Block everything

• In template:

  • Block everything

Be sure to test that data that should not be accessed remotely is properly blocked. Of particular interest is the localconfig file which contains your database password. Also, be aware that many editors create temporary and backup files in the working directory and that those should also not be accessable. For more information, see bug 186383 or Bugtraq ID 6501. To test, simply point your web browser at the file; for example, to test mozilla.org's installation, we'd try to access http://bugzilla.mozilla.org/localconfig. You should get a "403 Forbidden" error.

Be sure to check Section 2.2.4 for instructions specific to the webserver you use.

4.3.2. Using mod_throttle to Prevent a DOS

This section only applies to people who have chosen the Apache webserver. It may be possible to do similar things with other webservers. Consult the documentation that came with your webserver to find out.

It is possible for a user, by mistake or on purpose, to access the database many times in a row which can result in very slow access speeds for other users (effectively, a DOS attack). If your Bugzilla installation is experiencing this problem, you may install the Apache module mod_throttle which can limit connections by IP address. You may download this module at http://www.snert.com/Software/mod_throttle/. Follow the instructions to install into your Apache install. The command you need is ThrottleClientIP. See the documentation for more information.

4.4.1. Prevent users injecting malicious Javascript

If you installed Bugzilla version 2.22 or later from scratch, then the utf8 parameter is switched on by default. This makes Bugzilla explicitly set the character encoding, following a CERT advisory recommending exactly this. The following therefore does not apply to you; just keep utf8 turned on.

If you've upgraded from an older version, then it may be possible for a Bugzilla user to take advantage of character set encoding ambiguities to inject HTML into Bugzilla comments. This could include malicious scripts. This is because due to internationalization concerns, we are unable to turn the utf8 parameter on by default for upgraded installations. Turning it on manually will prevent this problem.

5.2.1. Template Directory Structure

The template directory structure starts with top level directory named template, which contains a directory for each installed localization. The next level defines the language used in the templates. Bugzilla comes with English templates, so the directory name is en, and we will discuss template/en throughout the documentation. Below template/en is the default directory, which contains all the standard templates shipped with Bugzilla.

A directory data/templates also exists; this is where Template Toolkit puts the compiled versions of the templates from either the default or custom directories. Do not directly edit the files in this directory, or all your changes will be lost the next time Template Toolkit recompiles the templates.

5.2.2. Choosing a Customization Method

If you want to edit Bugzilla's templates, the first decision you must make is how you want to go about doing so. There are two choices, and which you use depends mainly on the scope of your modifications, and the method you plan to use to upgrade Bugzilla.

The first method of making customizations is to directly edit the templates found in template/en/default. This is probably the best way to go about it if you are going to be upgrading Bugzilla through CVS, because if you then execute a cvs update, any changes you have made will be merged automagically with the updated versions.

If you use this method, and CVS conflicts occur during an update, the conflicted templates (and possibly other parts of your installation) will not work until they are resolved.

The second method is to copy the templates to be modified into a mirrored directory structure under template/en/custom. Templates in this directory structure automatically override any identically-named and identically-located templates in the default directory.

The custom directory does not exist at first and must be created if you want to use it.

The second method of customization should be used if you use the overwriting method of upgrade, because otherwise your changes will be lost. This method may also be better if you are using the CVS method of upgrading and are going to make major changes, because it is guaranteed that the contents of this directory will not be touched during an upgrade, and you can then decide whether to continue using your own templates, or make the effort to merge your changes into the new versions by hand.

Using this method, your installation may break if incompatible changes are made to the template interface. Such changes should be documented in the release notes, provided you are using a stable release of Bugzilla. If you use using unstable code, you will need to deal with this one yourself, although if possible the changes will be mentioned before they occur in the deprecations section of the previous stable release's release notes.

Regardless of which method you choose, it is recommended that you run ./checksetup.pl after creating or editing any templates in the template/en/default directory, and after editing any templates in the custom directory.

It is required that you run ./checksetup.pl after creating a new template in the custom directory. Failure to do so will raise an incomprehensible error message.

5.2.3. How To Edit Templates

If you are making template changes that you intend on submitting back for inclusion in standard Bugzilla, you should read the relevant sections of the Developers' Guide.

The syntax of the Template Toolkit language is beyond the scope of this guide. It's reasonably easy to pick up by looking at the current templates; or, you can read the manual, available on the Template Toolkit home page.

One thing you should take particular care about is the need to properly HTML filter data that has been passed into the template. This means that if the data can possibly contain special HTML characters such as <, and the data was not intended to be HTML, they need to be converted to entity form, i.e. &lt;. You use the 'html' filter in the Template Toolkit to do this. If you forget, you may open up your installation to cross-site scripting attacks.

Also note that Bugzilla adds a few filters of its own, that are not in standard Template Toolkit. In particular, the 'url_quote' filter can convert characters that are illegal or have special meaning in URLs, such as &, to the encoded form, i.e. %26. This actually encodes most characters (but not the common ones such as letters and numbers and so on), including the HTML-special characters, so there's never a need to HTML filter afterwards.

Editing templates is a good way of doing a "poor man's custom fields". For example, if you don't use the Status Whiteboard, but want to have a free-form text entry box for "Build Identifier", then you can just edit the templates to change the field labels. It's still be called status_whiteboard internally, but your users don't need to know that.

5.2.4. Template Formats and Types

Some CGI's have the ability to use more than one template. For example, buglist.cgi can output itself as RDF, or as two formats of HTML (complex and simple). The mechanism that provides this feature is extensible.

Bugzilla can support different types of output, which again can have multiple formats. In order to request a certain type, you can append the &ctype=<contenttype> (such as rdf or html) to the <cginame>.cgi URL. If you would like to retrieve a certain format, you can use the &format=<format> (such as simple or complex) in the URL.

To see if a CGI supports multiple output formats and types, grep the CGI for "get_format". If it's not present, adding multiple format/type support isn't too hard - see how it's done in other CGIs, e.g. config.cgi.

To make a new format template for a CGI which supports this, open a current template for that CGI and take note of the INTERFACE comment (if present.) This comment defines what variables are passed into this template. If there isn't one, I'm afraid you'll have to read the template and the code to find out what information you get.

Write your template in whatever markup or text style is appropriate.

You now need to decide what content type you want your template served as. The content types are defined in the Bugzilla/Constants.pm file in the contenttypes constant. If your content type is not there, add it. Remember the three- or four-letter tag assigned to your content type. This tag will be part of the template filename.

After adding or changing a content type, it's suitable to edit Bugzilla/Constants.pm in order to reflect the changes. Also, the file should be kept up to date after an upgrade if content types have been customized in the past.

Save the template as <stubname>-<formatname>.<contenttypetag>.tmpl. Try out the template by calling the CGI as <cginame>.cgi?format=<formatname>&ctype=<type> .

5.2.5. Particular Templates

There are a few templates you may be particularly interested in customizing for your installation.

index.html.tmpl: This is the Bugzilla front page.

global/header.html.tmpl: This defines the header that goes on all Bugzilla pages. The header includes the banner, which is what appears to users and is probably what you want to edit instead. However the header also includes the HTML HEAD section, so you could for example add a stylesheet or META tag by editing the header.

global/banner.html.tmpl: This contains the "banner", the part of the header that appears at the top of all Bugzilla pages. The default banner is reasonably barren, so you'll probably want to customize this to give your installation a distinctive look and feel. It is recommended you preserve the Bugzilla version number in some form so the version you are running can be determined, and users know what docs to read.

global/footer.html.tmpl: This defines the footer that goes on all Bugzilla pages. Editing this is another way to quickly get a distinctive look and feel for your Bugzilla installation.

global/variables.none.tmpl: This defines a list of terms that may be changed in order to "brand" the Bugzilla instance In this way, terms like "bugs" can be replaced with "issues" across the whole Bugzilla installation. The name "Bugzilla" and other words can be customized as well.

list/table.html.tmpl: This template controls the appearance of the bug lists created by Bugzilla. Editing this template allows per-column control of the width and title of a column, the maximum display length of each entry, and the wrap behaviour of long entries. For long bug lists, Bugzilla inserts a 'break' every 100 bugs by default; this behaviour is also controlled by this template, and that value can be modified here.

bug/create/user-message.html.tmpl: This is a message that appears near the top of the bug reporting page. By modifying this, you can tell your users how they should report bugs.

bug/process/midair.html.tmpl: This is the page used if two people submit simultaneous changes to the same bug. The second person to submit their changes will get this page to tell them what the first person did, and ask if they wish to overwrite those changes or go back and revisit the bug. The default title and header on this page read "Mid-air collision detected!" If you work in the aviation industry, or other environment where this might be found offensive (yes, we have true stories of this happening) you'll want to change this to something more appropriate for your environment.

bug/create/create.html.tmpl and bug/create/comment.txt.tmpl: You may not wish to go to the effort of creating custom fields in Bugzilla, yet you want to make sure that each bug report contains a number of pieces of important information for which there is not a special field. The bug entry system has been designed in an extensible fashion to enable you to add arbitrary HTML widgets, such as drop-down lists or textboxes, to the bug entry page and have their values appear formatted in the initial comment. A hidden field that indicates the format should be added inside the form in order to make the template functional. Its value should be the suffix of the template filename. For example, if the file is called create-cust.html.tmpl, then

<input type="hidden" name="format" value="cust">

should be used inside the form.

An example of this is the mozilla.org guided bug submission form. The code for this comes with the Bugzilla distribution as an example for you to copy. It can be found in the files create-guided.html.tmpl and comment-guided.html.tmpl.

So to use this feature, create a custom template for enter_bug.cgi. The default template, on which you could base it, is custom/bug/create/create.html.tmpl. Call it create-<formatname>.html.tmpl, and in it, add widgets for each piece of information you'd like collected - such as a build number, or set of steps to reproduce.

Then, create a template like custom/bug/create/comment.txt.tmpl, and call it comment-<formatname>.txt.tmpl. This template should reference the form fields you have created using the syntax [% form.<fieldname> %]. When a bug report is submitted, the initial comment attached to the bug report will be formatted according to the layout of this template.

For example, if your custom enter_bug template had a field

<input type="text" name="buildid" size="30">

and then your comment.txt.tmpl had

BuildID: [% form.buildid %]

then something like

BuildID: 20020303

would appear in the initial comment.

5.2.6. Configuring Bugzilla to Detect the User's Language

Bugzilla honours the user's Accept: HTTP header. You can install templates in other languages, and Bugzilla will pick the most appropriate according to a priority order defined by you. Many language templates can be obtained from http://www.bugzilla.org/download.html#localizations. Instructions for submitting new languages are also available from that location.

After untarring the localizations (or creating your own) in the BUGZILLA_ROOT/template directory, you must update the languages parameter to contain any localizations you'd like to permit. You may also wish to set the defaultlanguage parameter to something other than "en" if you don't want English to be the default language.

5.5.1. Bugzilla Database Basics

If you were like me, at this point you're totally clueless about the internals of MySQL, and if it weren't for this executive order from the Vice President you couldn't care less about the difference between a "bigint" and a "tinyint" entry in MySQL. I recommend you refer to the MySQL documentation . Below are the basics you need to know about the Bugzilla database. Check the chart above for more details.

1. To connect to your database:

   bash# mysql -u root

   If this works without asking you for a password, shame on you ! You should have locked your security down like the installation instructions told you to. You can find details on locking down your database in the Bugzilla FAQ in this directory (under "Security"), or more robust security generalities in the MySQL searchable documentation.

2. You should now be at a prompt that looks like this:

   mysql>

   At the prompt, if "bugs" is the name you chose in the localconfig file for your Bugzilla database, type:

   mysql use bugs;

5.6.1. Bonsai

Bonsai is a web-based tool for managing CVS, the Concurrent Versioning System . Using Bonsai, administrators can control open/closed status of trees, query a fast relational database back-end for change, branch, and comment information, and view changes made since the last time the tree was closed. Bonsai also integrates with Tinderbox, the Mozilla automated build management system.

5.6.2. CVS

CVS integration is best accomplished, at this point, using the Bugzilla Email Gateway.

Follow the instructions in this Guide for enabling Bugzilla e-mail integration. Ensure that your check-in script sends an email to your Bugzilla e-mail gateway with the subject of "[Bug XXXX]", and you can have CVS check-in comments append to your Bugzilla bug. If you want to have the bug be closed automatically, you'll have to modify the contrib/bugzilla_email_append.pl script.

There is also a CVSZilla project, based upon somewhat dated Bugzilla code, to integrate CVS and Bugzilla through CVS' ability to email. Check it out at: http://homepages.kcbbs.gen.nz/~tonyg/.

Another system capable of CVS integration with Bugzilla is Scmbug. This system provides generic integration of Source code Configuration Management with Bugtracking. Check it out at: http://freshmeat.net/projects/scmbug/.

5.6.3. Perforce SCM

You can find the project page for Bugzilla and Teamtrack Perforce integration (p4dti) at: http://www.ravenbrook.com/project/p4dti/ . "p4dti" is now an officially supported product from Perforce, and you can find the "Perforce Public Depot" p4dti page at http://public.perforce.com/public/perforce/p4dti/index.html .

Integration of Perforce with Bugzilla, once patches are applied, is seamless. Perforce replication information will appear below the comments of each bug. Be certain you have a matching set of patches for the Bugzilla version you are installing. p4dti is designed to support multiple defect trackers, and maintains its own documentation for it. Please consult the pages linked above for further information.

5.6.4. Subversion

Subversion is a free/open-source version control system, designed to overcome various limitations of CVS. Integration of Subversion with Bugzilla is possible using Scmbug, a system providing generic integration of Source Code Configuration Management with Bugtracking. Scmbug is available at http://freshmeat.net/projects/scmbug/.

5.6.5. Tinderbox/Tinderbox2

Tinderbox is a continuous-build system which can integrate with Bugzilla - see http://www.mozilla.org/projects/tinderbox for details of Tinderbox, and http://tinderbox.mozilla.org/showbuilds.cgi to see it in action.

6.5.1. Boolean Charts

Highly advanced querying is done using Boolean Charts.

The boolean charts further restrict the set of results returned by a query. It is possible to search for bugs based on elaborate combinations of criteria.

The simplest boolean searches have only one term. These searches permit the selected left field to be compared using a selectable operator to a specified value. Using the "And," "Or," and "Add Another Boolean Chart" buttons, additional terms can be included in the query, further altering the list of bugs returned by the query.

There are three fields in each row of a boolean search.

• Field: the items being searched

• Operator: the comparison operator

• Value: the value to which the field is being compared

6.8.1. Viewing Patches in Patch Viewer

The main way to view a patch in patch viewer is to click on the "Diff" link next to a patch in the Attachments list on a bug. You may also do this within the edit window by clicking the "View Attachment As Diff" button in the Edit Attachment screen.

6.8.2. Seeing the Difference Between Two Patches

To see the difference between two patches, you must first view the newer patch in Patch Viewer. Then select the older patch from the dropdown at the top of the page ("Differences between [dropdown] and this patch") and click the "Diff" button. This will show you what is new or changed in the newer patch.

6.8.3. Getting More Context in a Patch

To get more context in a patch, you put a number in the textbox at the top of Patch Viewer ("Patch / File / [textbox]") and hit enter. This will give you that many lines of context before and after each change. Alternatively, you can click on the "File" link there and it will show each change in the full context of the file. This feature only works against files that were diffed using "cvs diff".

6.8.4. Collapsing and Expanding Sections of a Patch

To view only a certain set of files in a patch (for example, if a patch is absolutely huge and you want to only review part of it at a time), you can click the "(+)" and "(-)" links next to each file (to expand it or collapse it). If you want to collapse all files or expand all files, you can click the "Collapse All" and "Expand All" links at the top of the page.

6.8.5. Linking to a Section of a Patch

To link to a section of a patch (for example, if you want to be able to give someone a URL to show them which part you are talking about) you simply click the "Link Here" link on the section header. The resulting URL can be copied and used in discussion. (Copy Link Location in Mozilla works as well.)

6.8.6. Going to Bonsai and LXR

To go to Bonsai to get blame for the lines you are interested in, you can click the "Lines XX-YY" link on the section header you are interested in. This works even if the patch is against an old version of the file, since Bonsai stores all versions of the file.

To go to LXR, you click on the filename on the file header (unfortunately, since LXR only does the most recent version, line numbers are likely to rot).

6.8.7. Creating a Unified Diff

If the patch is not in a format that you like, you can turn it into a unified diff format by clicking the "Raw Unified" link at the top of the page.

6.9.1. Autolinkification

Bugzilla comments are plain text - so typing <U> will produce less-than, U, greater-than rather than underlined text. However, Bugzilla will automatically make hyperlinks out of certain sorts of text in comments. For example, the text "http://www.bugzilla.org" will be turned into a link: http://www.bugzilla.org. Other strings which get linkified in the obvious manner are:

A corollary here is that if you type a bug number in a comment, you should put the word "bug" before it, so it gets autolinkified for the convenience of others.

6.9.2. Quicksearch

Quicksearch is a single-text-box query tool which uses metacharacters to indicate what is to be searched. For example, typing "foo|bar" into Quicksearch would search for "foo" or "bar" in the summary and status whiteboard of a bug; adding ":BazProduct" would search only in that product. You can use it to find a bug by its number or its alias, too.

You'll find the Quicksearch box in Bugzilla's footer area. On Bugzilla's front page, there is an additional Help link which details how to use it.

6.9.3. Comments

If you are changing the fields on a bug, only comment if either you have something pertinent to say, or Bugzilla requires it. Otherwise, you may spam people unnecessarily with bug mail. To take an example: a user can set up their account to filter out messages where someone just adds themselves to the CC field of a bug (which happens a lot.) If you come along, add yourself to the CC field, and add a comment saying "Adding self to CC", then that person gets a pointless piece of mail they would otherwise have avoided.

Don't use sigs in comments. Signing your name ("Bill") is acceptable, if you do it out of habit, but full mail/news-style four line ASCII art creations are not.

6.9.4. Attachments

Use attachments, rather than comments, for large chunks of ASCII data, such as trace, debugging output files, or log files. That way, it doesn't bloat the bug for everyone who wants to read it, and cause people to receive fat, useless mails.

Trim screenshots. There's no need to show the whole screen if you are pointing out a single-pixel problem.

Don't attach simple test cases (e.g. one HTML file, one CSS file and an image) as a ZIP file. Instead, upload them in reverse order and edit the referring file so that they point to the attached files. This way, the test case works immediately out of the bug.

Bugzilla stores and uses a Content-Type for each attachment (e.g. text/html). To download an attachment as a different Content-Type (e.g. application/xhtml+xml), you can override this using a 'content-type' parameter on the URL, e.g. &content-type=text/plain.

If you have a really large attachment, something that does not need to be recorded forever (as most attachments are), you can mark your attachment as a Big File, Assuming the administrator of the installation has enabled this feature. Big Files are stored directly on disk instead of in the database, and can be deleted when it is no longer needed. The maximum size of a Big File is normally larger than the maximum size of a regular attachment.

6.9.5. Dependency Tree

On the "Dependency tree" page linked from each bug page, you can see the dependency relationship from the bug as a tree structure.

You can change how much depth to show, and you can hide resolved bugs from this page. You can also collaps/expand dependencies for each bug on the tree view, using the [-]/[+] buttons that appear before its summary. This option is not available for terminal bugs in the tree (that don't have further dependencies).

6.10.1. Account Preferences

On this tab, you can change your basic account information, including your password, email address and real name. For security reasons, in order to change anything on this page you must type your current password into the "Password" field at the top of the page. If you attempt to change your email address, a confirmation email is sent to both the old and new addresses, with a link to use to confirm the change. This helps to prevent account hijacking.

6.10.2. General Preferences

This tab allows you to change several Bugzilla behavior.

• Field separator character for CSV files - This controls separator character used in CSV formatted Bug List.

• After changing bugs - This controls which bugs or no bugs are shown in the page after you changed bugs. You can select the bug you've changed this time, or the next bug of the list.

• Add individual bugs to saved searches - this controls whether you can add individual bugs to saved searches or you can't.

• When viewing a bug, show comments in this order - This controls the order of comments, you can select below:

  Initial description, comment 1, comment 2, ...

  Initial description, last comment, ..., comment 2, comment 1.

  Initial last comment, ..., comment 2, comment 1, description.

• Show a quip at the top of each bug list - This controls whether a quip will be shown on the Bug list page or not.

6.10.3. Email Preferences

This tab controls the amount of email Bugzilla sends you.

The first item on this page is marked "Users to watch". When you enter one or more comma-delineated user accounts (usually email addresses) into the text entry box, you will receive a copy of all the bugmail those users are sent (security settings permitting). This powerful functionality enables seamless transitions as developers change projects or users go on holiday.

The ability to watch other users may not be available in all Bugzilla installations. If you don't see this feature, and feel that you need it, speak to your administrator.

Each user listed in the "Users watching you" field has you listed in their "Users to watch" list and can get bugmail according to your relationship to the bug and their "Field/recipient specific options" setting.

In general, users have almost complete control over how much (or how little) email Bugzilla sends them. If you want to receive the maximum amount of email possible, click the "Enable All Mail" button. If you don't want to receive any email from Bugzilla at all, click the "Disable All Mail" button.

Your Bugzilla administrator can stop a user from receiving bugmail by adding the user's name to the data/nomail file. This is a drastic step best taken only for disabled accounts, as it overrides the user's individual mail preferences.

If you'd like to set your bugmail to something besides 'Completely ON' and 'Completely OFF', the "Field/recipient specific options" table allows you to do just that. The rows of the table define events that can happen to a bug -- things like attachments being added, new comments being made, the priority changing, etc. The columns in the table define your relationship with the bug:

• Reporter - Where you are the person who initially reported the bug. Your name/account appears in the "Reporter:" field.

• Assignee - Where you are the person who has been designated as the one responsible for the bug. Your name/account appears in the "Assigned To:" field of the bug.

• QA Contact - You are one of the designated QA Contacts for the bug. Your account appears in the "QA Contact:" text-box of the bug.

• CC - You are on the list CC List for the bug. Your account appears in the "CC:" text box of the bug.

• Voter - You have placed one or more votes for the bug. Your account appears only if someone clicks on the "Show votes for this bug" link on the bug.

Some columns may not be visible for your installation, depending on your site's configuration.

To fine-tune your bugmail, decide the events for which you want to receive bugmail; then decide if you want to receive it all the time (enable the checkbox for every column), or only when you have a certain relationship with a bug (enable the checkbox only for those columns). For example: if you didn't want to receive mail when someone added themselves to the CC list, you could uncheck all the boxes in the "CC Field Changes" line. As another example, if you never wanted to receive email on bugs you reported unless the bug was resolved, you would un-check all boxes in the "Reporter" column except for the one on the "The bug is resolved or verified" row.

Bugzilla adds the "X-Bugzilla-Reason" header to all bugmail it sends, describing the recipient's relationship (AssignedTo, Reporter, QAContact, CC, or Voter) to the bug. This header can be used to do further client-side filtering.

Two items not in the table ("Email me when someone asks me to set a flag" and "Email me when someone sets a flag I asked for") define how you want to receive bugmail with regards to flags. Their use is quite straightforward; enable the checkboxes if you want Bugzilla to send you mail under either of the above conditions.

By default, Bugzilla sends out email regardless of who made the change... even if you were the one responsible for generating the email in the first place. If you don't care to receive bugmail from your own changes, check the box marked "Only email me reports of changes made by other people".

6.10.4. Permissions

This is a purely informative page which outlines your current permissions on this installation of Bugzilla - what product groups you are in, and whether you can edit bugs or perform various administration functions.

6.11.1. Reports

A report is a view of the current state of the bug database.

You can run either an HTML-table-based report, or a graphical line/pie/bar-chart-based one. The two have different pages to define them, but are close cousins - once you've defined and viewed a report, you can switch between any of the different views of the data at will.

Both report types are based on the idea of defining a set of bugs using the standard search interface, and then choosing some aspect of that set to plot on the horizontal and/or vertical axes. You can also get a form of 3-dimensional report by choosing to have multiple images or tables.

So, for example, you could use the search form to choose "all bugs in the WorldControl product", and then plot their severity against their component to see which component had had the largest number of bad bugs reported against it.

Once you've defined your parameters and hit "Generate Report", you can switch between HTML, CSV, Bar, Line and Pie. (Note: Pie is only available if you didn't define a vertical axis, as pie charts don't have one.) The other controls are fairly self-explanatory; you can change the size of the image if you find text is overwriting other text, or the bars are too thin to see.

6.11.2. Charts

A chart is a view of the state of the bug database over time.

Bugzilla currently has two charting systems - Old Charts and New Charts. Old Charts have been part of Bugzilla for a long time; they chart each status and resolution for each product, and that's all. They are deprecated, and going away soon - we won't say any more about them. New Charts are the future - they allow you to chart anything you can define as a search.

Both charting forms require the administrator to set up the data-gathering script. If you can't see any charts, ask them whether they have done so.

An individual line on a chart is called a data set. All data sets are organised into categories and subcategories. The data sets that Bugzilla defines automatically use the Product name as a Category and Component names as Subcategories, but there is no need for you to follow that naming scheme with your own charts if you don't want to.

Data sets may be public or private. Everyone sees public data sets in the list, but only their creator sees private data sets. Only administrators can make data sets public. No two data sets, even two private ones, can have the same set of category, subcategory and name. So if you are creating private data sets, one idea is to have the Category be your username.

6.13.1. The Event

The whining system defines an "Event" as one or more queries being executed at regular intervals, with the results of said queries (if there are any) being emailed to the user. Events are created by clicking on the "Add new event" button.

Once a new event is created, the first thing to set is the "Email subject line". The contents of this field will be used in the subject line of every email generated by this event. In addition to setting a subject, space is provided to enter some descriptive text that will be included at the top of each message (to help you in understanding why you received the email in the first place).

The next step is to specify when the Event is to be run (the Schedule) and what searches are to be performed (the Queries).

6.13.2. Whining Schedule

Each whining event is associated with zero or more schedules. A schedule is used to specify when the query (specified below) is to be run. A new event starts out with no schedules (which means it will never run, as it is not scheduled to run). To add a schedule, press the "Add a new schedule" button.

Each schedule includes an interval, which you use to tell Bugzilla when the event should be run. An event can be run on certain days of the week, certain days of the month, during weekdays (defined as Monday through Friday), or every day.

Be careful if you set your event to run on the 29th, 30th, or 31st of the month, as your event may not run exactly when expected. If you want your event to run on the last day of the month, select "Last day of the month" as the interval.

Once you have specified the day(s) on which the event is to be run, you should now specify the time at which the event is to be run. You can have the event run at a certain hour on the specified day(s), or every hour, half-hour, or quarter-hour on the specified day(s).

If a single schedule does not execute an event as many times as you would want, you can create another schedule for the same event. For example, if you want to run an event on days whose numbers are divisible by seven, you would need to add four schedules to the event, setting the schedules to run on the 7th, 14th, 21st, and 28th (one day per schedule) at whatever time (or times) you choose.

If you are a member of the bz_canusewhineatothers group, then you will be presented with another option: "Mail to". Using this you can control who will receive the emails generated by this event. You can choose to send the emails to a single user (identified by email address) or a single group (identified by group name). To send to multiple users or groups, create a new schedule for each additional user/group.

6.13.3. Whining Queries

Each whining event is associated with zero or more queries. A query is a saved search that is executed on the schedule specified (see above). You start out with zero queries attached to the event (which means that the event will not run, as there will never be any results to return). To add a query, press the "Add a new query" button.

The first field to examine in your new query is the Sort field. Queries are executed, and results returned, in the order specified by the Sort field. Queries with lower Sort values will run before queries with higher Sort values.

The next field to examine is the Search field. This is where you choose the actual search that is to be run. Instead of defining search parameters here, you are asked to choose from the list of saved searches (the same list that appears at the bottom of every Bugzilla page). You are only allowed to choose from searches that you have saved yourself (the default saved search, "My Bugs", is not a valid choice). If you do not have any saved searches, you can take this opportunity to create one (see Section 6.6).

When running queries, the whining system acts as if you are the user executing the query. This means that the whining system will ignore bugs that match your query, but that you can not access.

Once you have chosen the saved search to be executed, give the query a descriptive title. This title will appear in the email, above the results of the query. If you choose "One message per bug", the query title will appear at the top of each email that contains a bug matching your query.

Finally, decide if the results of the query should be sent in a single email, or if each bug should appear in its own email.

Think carefully before checking the "One message per bug" box. If you create a query that matches thousands of bugs, you will receive thousands of emails!

6.13.4. Saving Your Changes

Once you have defined at least one schedule, and created at least one query, go ahead and "Update/Commit". This will save your Event and make it available for immediate execution.

If you ever feel like deleting your event, you may do so using the "Remove Event" button in the upper-right corner of each Event. You can also modify an existing event, so long as you "Update/Commit" after completing your modifications.