+***************************************
+*** The Bugzilla 2.22 Release Notes ***
+***************************************
+
+Note: These Release Notes are a DRAFT until the final release of 2.22.
+
+Table of Contents
+*****************
+
+- Introduction
+- Minimum Requirements
+ * Perl
+ * For MySQL Users
+ * For PostgreSQL Users
+ * Required Perl Modules
+ * Optional Perl Modules
+- What's New?
+ * Complete PostgreSQL Support
+ * Parameters In Sections
+ * One Codebase, Multiple Databases
+ * UTF-8 for New Installations
+ * Admins Can Impersonate Users
+ * Bug Import and Moving Improvements
+ * Adding Individual Bugs to Saved Searches
+ * Attach URLs
+ * Optional "Strict Isolation" for Groups
+ * "editcomponents" Change
+ * "shutdownhtml" Change
+ * Miscellaneous Improvements
+ * All Changes
+- Deprecated Features
+- Outstanding Issues (<======================== IMPORTANT, PLEASE READ)
+- How to Upgrade From An Older Bugzilla
+ * Steps for Upgrading
+- Code Changes Which May Affect Customizations
+ * CGI.pl is Gone
+ * Other Changes
+- Security Fixes In 2.22 Releases
+- Release Notes for Previous Versions
+
+Introduction
+************
+Bugzilla 2.22 is one of our most polished releases. We did a lot of
+small cleanups to make Bugzilla easier to use and more useful in
+many, many small ways, in addition to adding some major new features.
+
+This document contains the release notes for Bugzilla 2.22.
+In this document, recently added, changed, and removed features
+of Bugzilla are described. If you are upgrading from an older version,
+you will definitely want to read these release notes in detail, so that
+you have an idea of what has changed.
+
+If you are upgrading from a version before 2.20, also read the 2.20
+release notes (lower in this file) and any previous release notes.
+
+If you are installing a new Bugzilla, you will still want to look over
+the release notes to see if there is any particularly important
+information that affects your installation.
+
+If you would like to contribute code to Bugzilla, read our
+Contributor's Guide at:
+
+http://www.bugzilla.org/docs/contributor.html
+
+
+Minimum Requirements
+********************
+
+Perl
+----
+
+ Perl v5.6.1 (Non-Windows platforms)
+ ActiveState Perl v5.8.1 (Windows only)
+
+ Note that this is the last release of Bugzilla to support perl 5.6.x--
+ future versions will require perl 5.8.
+
+For MySQL Users
+---------------
+
+ MySQL v4.0.14 (changed from 2.20)
+ perl module: DBD::mysql v2.9003 (changed from 2.18)
+
+For PostgreSQL Users
+--------------------
+
+ PostgreSQL 7.3.x
+ perl module: DBD::Pg 1.31 (1.41 required for PostgreSQL 8+)
+
+ WARNING: DBD::Pg 1.43 has a bug which causes checksetup.pl to fail
+ and corrupt the database. If you are using DBD::Pg 1.43, downgrade
+ to 1.42 or 1.41.
+
+Required Perl Modules
+---------------------
+
+ AppConfig v1.52
+ CGI v2.93
+ Data::Dumper (any)
+ Date::Format v2.21
+ DBI v1.38
+ File::Spec v0.84
+ File::Temp (any)
+ Template Toolkit v2.08
+ Text::Wrap v2001.0131
+ Mail::Mailer v1.67 (changed from 2.20)
+ MIME::Base64 v3.01 (new in 2.22)
+ MIME::Parser v5.406 (new in 2.22)
+ Storable (any)
+
+ Note: The SMTP support in Mail::Mailer 1.73 (the most recent version)
+ is broken. The last known working version is 1.67.
+
+Optional Perl Modules
+---------------------
+
+ Chart::Base v1.0
+ GD v1.20
+ GD::Graph (any)
+ GD::Text::Align (any)
+ Net::LDAP (any)
+ PatchReader v0.9.4
+ XML::Twig (any) (new in 2.22)
+ Image::Magick (new in 2.22)
+
+
+What's New?
+***********
+
+Complete PostgreSQL Support
+---------------------------
+Bugzilla 2.20 contained experimental support for PostgreSQL.
+In Bugzilla 2.22, PostgreSQL support is fully complete and stable. Using
+PostgreSQL with Bugzilla should be as stable as using MySQL, and if
+you experience any problems they will be taken as seriously as if you
+were running MySQL.
+
+There are no known remaining major problems with Bugzilla on PostgreSQL.
+All features of Bugzilla have been tested and work.
+
+
+Parameters In Sections
+----------------------
+Long-time users of Bugzilla know that over time the parameter list has
+grown quite large. It has now been split into sections to make it easier
+to use.
+
+
+One Codebase, Multiple Databases
+--------------------------------
+There is now limited support for having multiple projects use the
+same Bugzilla codebase, but all have separate databases.
+
+The different projects can have their own templates and their own
+bug database, but all use the same set of Bugzilla code in the same
+directory.
+
+To enable this, set an environment variable called PROJECT when
+calling the Bugzilla CGIs. Then for each project, you can have
+a localconfig.PROJECT (where "PROJECT" is the value of the PROJECT
+environment variable) file for the database parameters, and a
+template/en/PROJECT directory (where "PROJECT" is the value of the
+PROJECT environment variable)
+
+This feature isn't documented yet, but we hope to have documentation for
+it soon.
+
+
+UTF-8 For New Installations
+---------------------------
+If this is the first time you're installing Bugzilla, it will now use
+UTF-8 encoding for all pages, automatically. It will also send emails
+in UTF-8. This eliminates most of the internationalization problems
+users have experienced, as one Bugzilla page may now contain any number
+of languages simultaneously.
+
+If you are upgrading and you want to use UTF-8, just turn on the "utf8"
+Parameter. However, realize that if you have non-UTF-8 data in your
+Bugzilla, it will appear unreadable. (If you just have ASCII in your
+database, you're safe to turn on the "utf8" parameter, definitely.)
+
+
+Admins Can Impersonate Users
+----------------------------
+User impersonation (think of the su/sudo command on Unix) allows you
+to view pages and perform actions as if you are logged in as someone else,
+without having to know their password.
+
+A user in the new "bz_sudoers" group has the option of "becoming"
+any user in Bugzilla. Once they "become" that user, they *are* that user
+for the rest of the session, until they decide to switch back to being
+themselves.
+
+However, they cannot "become" any user in the "bz_sudo_protect" group.
+This group includes everybody in the "admin" and "bz_sudoers" groups by
+default.
+
+Any time a user is impersonated, they will get an email notifying them
+who has impersonated them.
+
+
+Bug Import and Moving Improvements
+----------------------------------
+The XML Import script, importxml.pl, has been completely re-written.
+
+It now:
+
+ * Correctly imports the "priority" field
+ * Understands when the "Reporter" or "CC List" security boxes
+ are unchecked on the bug.
+ * Places bugs in the appropriate groups
+ * Allows attachments to be imported
+ * Is much more forgiving about small problems in the XML
+
+
+Adding Individual Bugs to Saved Searches
+----------------------------------------
+Users now have the option of adding an individual bug to any
+particular Saved Search. If you don't like having the entry box in
+your footer for this feature, you can disable it in your Preferences.
+
+
+Attach URLs
+-----------
+Instead of attaching a file, you can now also attach a URL to a bug.
+This will show up just like an attachment on show_bug.cgi, but when
+you click on it, it will take you to the URL.
+
+To enable this, turn on the "allow_attach_url" parameter.
+
+
+Optional "Strict Isolation" for Groups
+--------------------------------------
+If you turn on the "strict_isolation" parameter in Bugzilla, you
+will *not* be able to add any user to the CC field (or set them
+as an Asignee or QA Contact) unless that user could normally see
+the bug. That is, you will no longer be able to "accidentally"
+(or intentionally) give somebody access to a bug that they
+otherwise couldn't see.
+
+
+"editcomponents" Change
+-----------------------
+Previously, all users who had "editcomponents" could see every Product,
+using the editcomponents.cgi script. Now, users with "editcomponents"
+can only see Products that they normally have access to.
+
+This restriction also affects editversions.cgi, editmilestones.cgi and
+editproducts.cgi.
+
+
+"shutdownhtml" Change
+---------------------
+All of Bugzilla is now affected by the "shutdownhtml" parameter,
+including command-line scripts. checksetup.pl is exempt. Many scripts
+(such as collectstats.pl and whine.pl) will just exit silently when
+"shutdownhtml" is turned on.
+
+
+Miscellaneous Improvements
+--------------------------
+
+- Added a frequently-requested user preference for whether or not to go
+ to the next bug in your list after submitting changes to a bug.
+
+- The ability to do relative date searches (like "1d" for "1 day" or "1w"
+ for "1 week") by hour now, in addition to days and other units of time.
+
+- "Alias" added to the New Bug form, for users with editbugs.
+
+- Users can now actually see the descriptions of flags that you enter
+ in editflagtypes.cgi. The description will appear as a tooltip
+ when a user places their mouse over the flag name on show_bug.cgi.
+
+- Bugzilla will optionally convert BMP attachments into PNGs for you.
+ See the "convert_uncompressed_images" in the "Attachments" section
+ of the Parameters.
+
+- You can now edit the Status Whiteboard when you are changing multiple
+ bugs at once.
+
+- The way that groups work in the database has changed, and large-scale
+ Bugzilla use with many concurrent users should be much faster, as a
+ result. (Technical Details: The need for Bugzilla to "derive groups"
+ has gone away pretty much entirely.)
+
+- Performance improvements on searching attachment information that's not
+ the actual content of the attachment (such as searching the Attachment
+ Description or the Attachment MIME Type)
+
+- You can now specify multiple email addresses, comma-separated, when
+ setting the requestee of a flag, and it will set the flag once for each
+ of those email addresses
+
+- "Bug Creation Time" is now searchable in the Boolean Charts.
+
+- When you mark a comment on a bug as private, the background color
+ of the comment will change immediately. However, in order for
+ Bugzilla to register that the comment is now private, you still
+ have to "submit" the changes.
+
+- Emails sent from Bugzilla now have "X-Bugzilla-Keywords" and
+ "X-Bugzilla-Severity" by default, containing the information
+ from the related Bugzilla fields.
+
+- You can now change the assignee and QA contact on multiple bugs at
+ once even when those bugs are in different products.
+
+
+All Changes
+-----------
+
+If you'd like to see all the changes between Bugzilla 2.20 and Bugzilla
+2.22, see:
+
+http://tinyurl.com/9p2tm
+
+
+Deprecated Features
+*******************
+
+- This is the last release of Bugzilla to support perl 5.6.x. All future
+ versions of Bugzilla will require at least perl 5.8.
+
+
+Outstanding Issues
+******************
+
+- bug 305836: PostgreSQL users: do not use DBD::Pg version 1.43 with
+ Bugzilla. It has a bug which can corrupt the database. Version 1.42
+ is fine. Version 1.44 will also be fine, when it is released.
+
+- (No Bug Number) VERY IMPORTANT: If you have customized the values in
+ your Status/Resolution field, you must edit checksetup.pl BEFORE YOU
+ RUN IT. Find the line that starts like this:
+
+ bug_status => ["UNCONFIRMED",
+
+ That's where you set the values for the Status field.
+
+ resolution => ["","FIXED",
+
+ And that's where you set values for the Resolution field.
+
+ Those are both near line 1826 in checksetup.pl.
+
+ If you forget to do this, you will have to manually edit the "bug_status"
+ and "resolution" tables in the database to contain the correct values.
+
+- bug 276230: The support for restricting access to particular Categories of
+ New Charts is not complete. You should treat the 'chartgroup' Param as the
+ only access mechanism available. However, additionally, charts migrated from
+ Old Charts will be restricted to the groups that are marked MANDATORY for
+ the corresponding Product. There is currently no way to change this
+ restriction, and the groupings will not be updated if the group configuration
+ for the Product changes.
+
+- bug 37765: If you use the "sendmail" support of Bugzilla,
+ and you use an MTA which is *not* Sendmail (such as Postfix, Exim, etc.)
+ make sure the "sendmailnow" parameter is ON or Bugzilla will not send
+ e-mail correctly.
+
+- bug 69621: If you rename or remove a keyword that is in use on bugs, you will
+ need to rebuild the "keyword cache" by running sanitycheck.cgi and choosing
+ the option to rebuild the cache when it asks. Otherwise keywords may not show
+ up properly in search results.
+
+- (No Bug Number) If you have a lot of non-ASCII data in your Bugzilla (for
+ example, if you use a translation of Bugzilla), don't enable the XS::Stash
+ option when you install the Template Toolkit, or your Bugzilla installation
+ may become slow. This problem is fixed in a not-yet-released version of the
+ Template Toolkit (after 2.14).
+
+- Bug 99215: Flags are not protected by "mid-air collision" detection.
+ Nor are any attachment changes.
+
+- Bug 89822: When changing multiple bugs at the same time, there is no
+ "mid-air collision" protection.
+
+- bug 322955: The email interface (bug_mail.pl) in the contrib/ directory
+ has not been maintained (as it has no maintainer), and does not work
+ properly. We hope to have this fixed in our next major release of
+ Bugzilla; however, any help or contributions in this area are very
+ welcome.
+
+
+How to Upgrade From An Older Bugzilla
+*************************************
+
+NOTE: Upgrading from a large installation (over 10,000 bugs) running 2.18
+ or before may take a significant amount of time. checksetup will
+ try to let you know how long it will take, but expect downtime
+ of an hour or more if you have many bugs, many attachments,
+ or many users.
+
+Steps for Upgrading
+-------------------
+
+1) Read these entire Release Notes, particularly the "Outstanding Issues"
+ and "Security Fixes" sections.
+
+2) View the Sanity Check (sanitycheck.cgi) page on your installation before
+ upgrading. Attempt to fix all warnings that the page produces before
+ you go any further, or you may experience problems during your upgrade.
+
+3) Make a backup of the Bugzilla database before you upgrade, perhaps
+ by using mysqldump. THIS IS VERY IMPORTANT. If anything goes wrong
+ during the upgrade, your installation can be corrupted beyond
+ recovery. Having a backup keeps you safe.
+
+ Example:
+
+ mysqldump -u root -p bugs > bugs-db.sql
+
+4) Replace the files in your installation with the new version of Bugzilla,
+ or you can try to use CVS to upgrade. The bugzilla.org website has
+ instructions on how to do the actual installation.
+
+ You can also use a brand-new Bugzilla directory, as long as you
+ copy over the old data/ directory and the "localconfig" file to the
+ new installation.
+
+5) Run checksetup.pl after you install the new version.
+
+7) View the Sanity Check page again after you run checksetup.pl.
+
+8) It is recommended that, if possible, you fix any problems you find
+ immediately. Failure to do this may mean that Bugzilla will not work
+ correctly. Be aware that if the sanity check page contains more errors after
+ an upgrade, it doesn't necessarily mean there are more errors in your
+ database, as additional tests are added to the sanity check over time, and
+ it is possible that those errors weren't being checked for in the old
+ version.
+
+9) This version of Bugzilla contains improvements to the email that
+ Bugzilla sends when a bug is changed. The template for that email
+ is contained in the "newchangedmail" parameter. If you would like
+ to take advantage of the email enhancements in this version of
+ Bugzilla, reset that parameter to its default. (You can customize
+ it after that again, if you want.)
+
+
+Code Changes Which May Affect Customizations
+********************************************
+
+CGI.pl is Gone
+--------------
+The CGI.pl file, which used to contain many global functions, and which
+also contained initialization code for every CGI, is gone. The functions
+have been moved to various places and sometimes renamed.
+
+The initialization code that used to happen inside CGI.pl is now inside
+of Bugzilla.pm. All CGIs must "use Bugzilla" in one way or another. (Some
+CGIs "use Bugzilla" by doing "require globals.pl".)
+
+
+Deriving Groups No Longer Happens
+---------------------------------
+Bugzilla no longer needs to "derive groups" in advance. That is, previously
+Bugzilla used to flatten the group heirarchy into the user_group_map
+table. (That is, show that a user was in every group they were in,
+even if they were only in that group because they belonged to *another*
+group.) Now the table only contains groups that the user is in directly,
+and groups that they are in because of a regexp.
+
+Instead, The Bugzilla::User->group function determines the groups a user
+is in when called.
+
+We did this because the group derivation was causing a lot of complexity
+in the code, and also deriving the groups was a slow process that
+frequently had to happen inside of a database lock while sending mail
+or viewing a bug list.
+
+See https://bugzilla.mozilla.org/show_bug.cgi?id=304583 for details.
+
+
+Other Changes
+-------------
+
+- The move.pl script's functionality has been merged into process_bug.cgi.
+
+- $::template and $::vars are gone from globals.pl. Instead of $::template,
+ use Bugzilla->template. Every script creates the $vars variable by itself
+ instead of using a global $::vars variable.
+
+- $::userid is gone. Instead use Bugzilla->user->id.
+
+- QuickSearch is now in perl instead of in JavaScript. The code is in
+ Bugzilla/Search/QuickSearch.pm. This makes it much easier to customize,
+ and it also fixes some long-standing issues that QuickSearch had.
+
+- Attachment data is now in the attach_data table. Other information
+ about attachments is still in the "attachments" table.
+
+- Much like the 2.20 release, many functions have been removed from
+ globals.pl and CGI.pl. They were moved elsewhere and renamed.
+ Search RESOLVED bugs in bugzilla.mozilla.org for the old
+ version of the function name, and that will usually show you
+ the bug where we moved the function, allowing you to find out
+ what the new name and location is.
+
+- We expect this to be the last release that contains the deprecated
+ SendSQL, SqlQuote, FetchSqlData, MoreSqlData, and FetchOneColumn
+ functions. Instead, you should use DBI functions. For a very brief
+ example, see:
+
+ http://www.bugzilla.org/docs/developer.html#sql-sendreceive
+
+
+Security Fixes in 2.22 Releases
+*******************************
+
+A long-standing, well-known security issue is finally resolved in Bugzilla
+2.22: Previously, the "Session ID" of each user could be easily guessed,
+given enough time. This could have allowed an attacker to take over a
+user's account, in certain circumstances. Now, the "Session ID" is totally
+random, resolving this issue. See bug 119524 in bugzilla.mozilla.org for
+details.
+
+If you are very concerned about the security of your Bugzilla installation,
+it would be a very good idea to run the following command on your
+database immediately after upgrading:
+
+TRUNCATE TABLE logincookies;
+
+This is actually safe to do at any time--it just forces a logout of
+every single user, even those with saved sessions. (It invalidates
+every login cookie Bugzilla has ever given out.)
+
+
+Release Notes For Previous Versions
+************************************
+
***************************************
*** The Bugzilla 2.20 Release Notes ***
***************************************
projects / thirdparty / bugzilla.git / commitdiff
