Update on the OpenJDK Bugzilla instance.

I've recently been leading the effort to get our OpenJDK Bugzilla instance in place, and just wanted to let folks know that we're pretty close.

I took some time over the last couple days to take a snapshot of what we have and what's planned for the near and somewhat longer future.  The short story is that we'll begin by tracking contributions from OpenJDK developers who do not have push rights to the JDK 6 and 7 forests.  The next phase will expand the system to track most if not all of the OpenJDK projects under development.

The longer story is now available on the OpenJDK website.

One last point.  Until the general system is up, you should continue to submit new bug reports through the normal channel.

There's still a lot of work to be done and questions to be answered, but thought you might like to see the current status and what's being planned.


Wow, I had no idea you guys were setting up a Bugzilla for OpenJDK, that's awesome.

A few comments on the proposal:

\* I would recommend against using lighttpd, and just go with Apache. Bugzilla is not currently compatible with lighttpd, and it doesn't need the performance features of lighttpd at all. It scales excellently and massively under mod_perl with Apache.

\* I'd start off without Classifications and then see if you need them. I find the extra UI annoying if it's not necessary.

\* As far as the custom fields, you might find the open-source bug-tracking process to have less rigorous participants, and the fields might become not as useful.

\* For the future--Bugzilla is very good at keeping bugs and information confidential. After all, we use it at Mozilla, and there are few things more important to keep secure than browser bugs.

\* Also, in the future, Bugzilla may become better at handling multiple releases: https://bugzilla.mozilla.org/show_bug.cgi?id=bz-branch


Posted by Max Kanat-Alexander on February 02, 2009 at 03:21 AM PST #

Thanks Max,

Rolling this out has been a while in coming: we were hoping to have it out much earlier but I got called into a longish customer escalation.

To some points:

0. Kelly O'Hair had been mentioning Bugzilla in his blogs for a while (May 2008), although at that point, we hadn't committed to using it.

1. I've noticed no issues so far with running BZ under lighttpd in my prototype system, and been pretty happy with what I've seen so far. About the only thing I'd noticed is how .cgi's get fired off (perl -wT), but that was easy to work around. Is there something in particular we should be watching for?

2. Yes, we plan to start without Classifications. If the list of products doesn't get too long, we'll probably stay that way. Going through the extra UI menu is a hassle.

3. The data will be feeding into the Sun bugtracking systems, so we will need to be pretty rigorous, at least for the OpenJDK that will end up in bugtraq.

4. I got a note from another bugtraq developer this morning: that person told me some details about how Mozilla has modified the stock bugtraq to make it possible to track security bugs. That functionality is going to be critical in order for us to work in the open with other Non-Sun folks using a "need-to-know" model.

5. Great news! I was initially hesitant about BZ because of this limitation. I try to get some time to check out your link.

Thanks for the feedback.

Posted by Brad on February 02, 2009 at 05:46 AM PST #

Ah, I have a Google Alert for "Bugzilla", but I guess I didn't notice the other blog.

Re: lighttpd: Well, taint mode is an issue. You shouldn't be disabling that, it's a security feature. Also, mod_perl doesn't work under lighttpd, right? So you won't get nearly the same performance you'd get out of Apache.

Re: rigor -- Yes, but if you plan to deal with the volume of bugs that a typical open-source project of your scale gets, you just won't be able to implement that level of rigor without some very active (probably paid) triagers.

Mozilla's modifications to enable the security stuff are pretty minor--the security features are actually in Bugzilla itself, they just made the UI easier for bug reporters.

Everything else: Cool! :-)


Posted by Max Kanat-Alexander on February 02, 2009 at 06:12 AM PST #

Re: taint. Definitely not turning off taint. But lighttpd wanted to run perl without taint by default. Had to do some minor tweaking of the config.

Re: mod_perl/perf. That is true, AFAIK. If that becomes an issue, we'll adjust.

Re: modifications for security. Yes, I'll be looking at those this week.

Posted by Brad on February 02, 2009 at 06:25 AM PST #

Post a Comment:
  • HTML Syntax: NOT allowed

Brad currently works in the Java Security and Network Group, Java Standard Edition.


« July 2016