1.1.1. GNU Free Documentation License

Version 1.1, March 2000

3.1.1. Create a Bugzilla Account

If you want to use Bugzilla, first you need to create an account. Consult with the administrator responsible for your installation of Bugzilla for the URL you should use to access it. If you're test-driving Bugzilla, use this URL: http://landfill.bugzilla.org/bugzilla-tip/

1. Click the "Open a new Bugzilla account" link, enter your email address and, optionally, your name in the spaces provided, then click "Create Account" .

2. Within moments, you should receive an email to the address you provided above, which contains your login name (generally the same as the email address), and a password you can use to access your account. This password is randomly generated, and can be changed to something more memorable.

3. Click the "Log In" link in the yellow area at the bottom of the page in your browser, enter your email address and password into the spaces provided, and click "Login".

You are now logged in. Bugzilla uses cookies for authentication so, unless your IP address changes, you should not have to log in again.

3.1.2. Anatomy of a Bug

The core of Bugzilla is the screen which displays a particular bug. It's a good place to explain some Bugzilla concepts. Bug 1 on Landfill is a good example. Note that the labels for most fields are hyperlinks; clicking them will take you to context-sensitive help on that particular field. Fields marked * may not be present on every installation of Bugzilla.

1. Product and Component: Bugs are divided up by Product and Component, with a Product having one or more Components in it. For example, bugzilla.mozilla.org's "Bugzilla" Product is composed of several Components:

   Administration: Administration of a Bugzilla installation.

   Bugzilla-General: Anything that doesn't fit in the other components, or spans multiple components.

   Creating/Changing Bugs: Creating, changing, and viewing bugs.

   Documentation: The Bugzilla documentation, including The Bugzilla Guide.

   Email: Anything to do with email sent by Bugzilla.

   Installation: The installation process of Bugzilla.

   Query/Buglist: Anything to do with searching for bugs and viewing the buglists.

   Reporting/Charting: Getting reports from Bugzilla.

   User Accounts: Anything about managing a user account from the user's perspective. Saved queries, creating accounts, changing passwords, logging in, etc.

   User Interface: General issues having to do with the user interface cosmetics (not functionality) including cosmetic issues, HTML templates, etc.

2. Status and Resolution: These define exactly what state the bug is in - from not even being confirmed as a bug, through to being fixed and the fix confirmed by Quality Assurance. The different possible values for Status and Resolution on your installation should be documented in the context-sensitive help for those items.

3. Assigned To: The person responsible for fixing the bug.

4. *URL: A URL associated with the bug, if any.

5. Summary: A one-sentence summary of the problem.

6. *Status Whiteboard: (a.k.a. Whiteboard) A free-form text area for adding short notes and tags to a bug.

7. *Keywords: The administrator can define keywords which you can use to tag and categorise bugs - e.g. The Mozilla Project has keywords like crash and regression.

8. Platform and OS: These indicate the computing environment where the bug was found.

9. Version: The "Version" field is usually used for versions of a product which have been released, and is set to indicate which versions of a Component have the particular problem the bug report is about.

10. Priority: The bug assignee uses this field to prioritise his or her bugs. It's a good idea not to change this on other people's bugs.

11. Severity: This indicates how severe the problem is - from blocker ("application unusable") to trivial ("minor cosmetic issue"). You can also use this field to indicate whether a bug is an enhancement request.

12. *Target: (a.k.a. Target Milestone) A future version by which the bug is to be fixed. e.g. The Bugzilla Project's milestones for future Bugzilla versions are 2.18, 2.20, 3.0, etc. Milestones are not restricted to numbers, thought - you can use any text strings, such as dates.

13. Reporter: The person who filed the bug.

14. CC list: A list of people who get mail when the bug changes.

15. Attachments: You can attach files (e.g. testcases or patches) to bugs. If there are any attachments, they are listed in this section.

16. *Dependencies: If this bug cannot be fixed unless other bugs are fixed (depends on), or this bug stops other bugs being fixed (blocks), their numbers are recorded here.

17. *Votes: Whether this bug has any votes.

18. Additional Comments: You can add your two cents to the bug discussion here, if you have something worthwhile to say.

3.1.3. Searching for Bugs

The Bugzilla Search page is is the interface where you can find any bug report, comment, or patch currently in the Bugzilla system. You can play with it here: landfill.bugzilla.org/bugzilla-tip/query.cgi .

The Search page has controls for selecting different possible values for all of the fields in a bug, as described above. Once you've defined a search, you can either run it, or save it as a Remembered Query, which can optionally appear in the footer of your pages.

Highly advanced querying is done using Boolean Charts, which have their own context-sensitive help .

3.1.4. Bug Lists

If you run a search, a list of matching bugs will be returned. The default search is to return all open bugs on the system - don't try running this search on a Bugzilla installation with a lot of bugs!

The format of the list is configurable. For example, it can be sorted by clicking the column headings. Other useful features can be accessed using the links at the bottom of the list:

3.1.5. Filing Bugs

Years of bug writing experience has been distilled for your reading pleasure into the Bug Writing Guidelines. While some of the advice is Mozilla-specific, the basic principles of reporting Reproducible, Specific bugs, isolating the Product you are using, the Version of the Product, the Component which failed, the Hardware Platform, and Operating System you were using at the time of the failure go a long way toward ensuring accurate, responsible fixes for the bug that bit you.

The procedure for filing a test bug is as follows:

1. Go to Landfill in your browser and click Enter a new bug report.

2. Select a product - any one will do.

3. Fill in the fields. Bugzilla should have made reasonable guesses, based upon your browser, for the "Platform" and "OS" drop-down boxes. If they are wrong, change them.

4. Select "Commit" and send in your bug report.

3.2.1. Autolinkification

Bugzilla comments are plain text - so posting HTML will result in literal HTML tags rather than being interpreted by a browser. However, Bugzilla will automatically make hyperlinks out of certain sorts of text in comments. For example, the text http://www.bugzilla.org will be turned into http://www.bugzilla.org. Other strings which get linkified in the obvious manner are:

A corollary here is that if you type a bug number in a comment, you should put the word "bug" before it, so it gets autolinkified for the convenience of others.

3.2.2. Quicksearch

Quicksearch is a single-text-box query tool which uses metacharacters to indicate what is to be searched. For example, typing "foo|bar" into Quicksearch would search for "foo" or "bar" in the summary and status whiteboard of a bug; adding ":BazProduct" would search only in that product.

You'll find the Quicksearch box on Bugzilla's front page, along with a Help link which details how to use it.

3.2.3. Comments

If you are changing the fields on a bug, only comment if either you have something pertinent to say, or Bugzilla requires it. Otherwise, you may spam people unnecessarily with bug mail. To take an example: a user can set up their account to filter out messages where someone just adds themselves to the CC field of a bug (which happens a lot.) If you come along, add yourself to the CC field, and add a comment saying "Adding self to CC", then that person gets a pointless piece of mail they would otherwise have avoided.

Don't use sigs in comments. Signing your name ("Bill") is acceptable, particularly if you do it out of habit, but full mail/news-style four line ASCII art creations are not.

3.2.4. Attachments

Use attachments, rather than comments, for large chunks of ASCII data, such as trace, debugging output files, or log files. That way, it doesn't bloat the bug for everyone who wants to read it, and cause people to receive fat, useless mails.

Trim screenshots. There's no need to show the whole screen if you are pointing out a single-pixel problem.

Don't attach simple test cases (e.g. one HTML file, one CSS file and an image) as a ZIP file. Instead, upload them in reverse order and edit the referring file so that they point to the attached files. This way, the test case works immediately out of the bug.

3.2.5. Filing Bugs

Try to make sure that everything said in the summary is also said in the first comment. Summaries are often updated and this will ensure your original information is easily accessible.

You do not need to put "any" or similar strings in the URL field. If there is no specific URL associated with the bug, leave this field blank.

If you feel a bug you filed was incorrectly marked as a DUPLICATE of another, please question it in your bug, not the bug it was duped to. Feel free to CC the person who duped it if they are not already CCed.

3.3.1. Account Settings

On this tab, you can change your basic account information, including your password, email address and real name. For security reasons, in order to change anything on this page you must type your current password into the "Password" field at the top of the page. If you attempt to change your email address, a confirmation email is sent to both the old and new addresses, with a link to use to confirm the change. This helps to prevent account hijacking.

3.3.2. Email Settings

On this tab you can reduce or increase the amount of email sent you from Bugzilla, opting in our out depending on your relationship to the bug and the change that was made to it. (Note that you can also do client-side filtering using the X-Bugzilla-Reason header which Bugzilla adds to all bugmail.)

By entering user email names, delineated by commas, into the "Users to watch" text entry box you can receive a copy of all the bugmail of other users (security settings permitting.) This powerful functionality enables seamless transitions as developers change projects or users go on holiday.

The ability to watch other users may not be available in all Bugzilla installations. If you can't see it, ask your administrator.

3.3.3. Page Footer

On the Search page, you can store queries in Bugzilla, so if you regularly run a particular query it is just a drop-down menu away. Once you have a stored query, you can come here to request that it also be displayed in your page footer.

3.3.4. Permissions

This is a purely informative page which outlines your current permissions on this installation of Bugzilla - what product groups you are in, and whether you can edit bugs or perform various administration functions.

4.1.1. Introduction

Bugzilla has been successfully installed under Solaris, Linux, and Win32. Win32 is not yet officially supported, but many people have got it working fine. Please see the Win32 Installation Notes for further advice on getting Bugzilla to work on Microsoft Windows.

4.1.2. Package List

If you are running the very most recent version of Perl and MySQL (both the executables and development libraries) on your system, you can skip these manual installation steps for the Perl modules by using Bundle::Bugzilla; see Using Bundle::Bugzilla instead of manually installing Perl modules.

The software packages necessary for the proper running of Bugzilla (with download links) are:

1. MySQL database server (3.22.5 or greater)

2. Perl (5.005 or greater, 5.6.1 is recommended if you wish to use Bundle::Bugzilla)

3. Perl Modules (minimum version):

   1. Template (v2.07)

   2. AppConfig (v1.52)

   3. Text::Wrap (v2001.0131)

   4. File::Spec (v0.8.2)

   5. Data::Dumper (any)

   6. DBD::mysql (v1.2209)

   7. DBI (v1.13)

   8. Date::Parse (any)

   9. CGI::Carp (any)

   and, optionally:

   1. GD (v1.19) for bug charting

   2. Chart::Base (v0.99c) for bug charting

   3. XML::Parser (any) for the XML interface

   4. MIME::Parser (any) for the email interface

4. The web server of your choice. Apache is highly recommended.

It is a good idea, while installing Bugzilla, to ensure that there is some kind of firewall between you and the rest of the Internet, because your machine may be insecure for periods during the install. Many installation steps require an active Internet connection to complete, but you must take care to ensure that at no point is your machine vulnerable to an attack.

Linux-Mandrake 8.0 includes every required and optional library for Bugzilla. The easiest way to install them is by using the urpmi utility. If you follow these commands, you should have everything you need for Bugzilla, and checksetup.pl should not complain about any missing libraries. You may already have some of these installed. bash# urpmi perl-mysql bash# urpmi perl-chart bash# urpmi perl-gd bash# urpmi perl-MailTools (for Bugzilla email integration) bash# urpmi apache-modules

4.1.3. MySQL

Visit the MySQL homepage at www.mysql.com to grab and install the latest stable release of the server.

Many of the binary versions of MySQL store their data files in /var. On some Unix systems, this is part of a smaller root partition, and may not have room for your bug database. You can set the data directory as an option to configure if you build MySQL from source yourself.

If you install from something other than an RPM or Debian package, you will need to add mysqld to your init scripts so the server daemon will come back up whenever your machine reboots. Further discussion of UNIX init sequences are beyond the scope of this guide.

Change your init script to start mysqld with the ability to accept large packets. By default, mysqld only accepts packets up to 64K long. This limits the size of attachments you may put on bugs. If you add -O max_allowed_packet=1M to the command that starts mysqld (or safe_mysqld), then you will be able to have attachments up to about 1 megabyte. There is a Bugzilla parameter for maximum attachment size; you should configure it to match the value you choose here.

If you plan on running Bugzilla and MySQL on the same machine, consider using the --skip-networking option in the init script. This enhances security by preventing network access to MySQL.

4.1.4. Perl

Any machine that doesn't have Perl on it is a sad machine indeed. Perl can be got in source form from perl.com for the rare *nix systems which don't have it. Although Bugzilla runs with all post-5.005 versions of Perl, it's a good idea to be up to the very latest version if you can when running Bugzilla. As of this writing, that is Perl version 5.6.1.

You can skip the following Perl module installation steps by installing Bundle::Bugzilla from CPAN, which installs all required modules for you. bash# perl -MCPAN -e 'install "Bundle::Bugzilla"' Bundle::Bugzilla doesn't include GD, Chart::Base, or MIME::Parser, which are not essential to a basic Bugzilla install. If installing this bundle fails, you should install each module individually to isolate the problem.

4.1.5. Perl Modules

All Perl modules can be found on the Comprehensive Perl Archive Network (CPAN). The CPAN servers have a real tendency to bog down, so please use mirrors.

Quality, general Perl module installation instructions can be found on the CPAN website, but the easy thing to do is to just use the CPAN shell which does all the hard work for you. To use the CPAN shell to install a module:

bash# perl -MCPAN -e 'install "<modulename>"'

To do it the hard way:

Untar the module tarball -- it should create its own directory

CD to the directory just created, and enter the following commands:

1. bash# perl Makefile.PL

2. bash# make

3. bash# make test

4. bash# make install

Many people complain that Perl modules will not install for them. Most times, the error messages complain that they are missing a file in "@INC". Virtually every time, this error is due to permissions being set too restrictively for you to compile Perl modules or not having the necessary Perl development libraries installed on your system. Consult your local UNIX systems administrator for help solving these permissions issues; if you are the local UNIX sysadmin, please consult the newsgroup/mailing list for further assistance or hire someone to help you out.

---

4.1.5.5. GD (optional)

The GD library was written by Thomas Boutell a long while ago to programatically generate images in C. Since then it's become the defacto standard for programatic image construction. The Perl bindings to it found in the GD library are used on millions of web pages to generate graphs on the fly. That's what Bugzilla will be using it for so you must install it if you want any of the graphing to work.

The Perl GD library requires some other libraries that may or may not be installed on your system, including libpng and libgd. The full requirements are listed in the Perl GD library README. If compiling GD fails, it's probably because you're missing a required library.

4.1.6. HTTP Server

You have a freedom of choice here - Apache, Netscape or any other server on UNIX would do. You can run the web server on a different machine than MySQL, but need to adjust the MySQL "bugs" user permissions accordingly.

We strongly recommend Apache as the web server to use. The Bugzilla Guide installation instructions, in general, assume you are using Apache. If you have got Bugzilla working using another webserver, please share your experiences with us.

You'll want to make sure that your web server will run any file with the .cgi extension as a CGI and not just display it. If you're using Apache that means uncommenting the following line in the httpd.conf file:

AddHandler cgi-script .cgi

With Apache you'll also want to make sure that within the httpd.conf file the line:

Options ExecCGI AllowOverride Limit

is in the stanza that covers the directories into which you intend to put the bugzilla .html and .cgi files.

AllowOverride Limit allows the use of a Deny statement in the .htaccess file generated by checksetup.pl Users of older versions of Apache may find the above lines in the srm.conf and access.conf files, respecitvely.

There are important files and directories that should not be a served by the HTTP server - most files in the "data" and "shadow" directories and the "localconfig" file. You should configure your HTTP server to not serve these files. Failure to do so will expose critical passwords and other data. Please see .htaccess files and security for details on how to do this for Apache; the checksetup.pl script should create appropriate .htaccess files for you.

4.1.7. Bugzilla

You should untar the Bugzilla files into a directory that you're willing to make writable by the default web server user (probably "nobody"). You may decide to put the files in the main web space for your web server or perhaps in /usr/local with a symbolic link in the web space that points to the Bugzilla directory.

If you symlink the bugzilla directory into your Apache's HTML heirarchy, you may receive Forbidden errors unless you add the "FollowSymLinks" directive to the <Directory> entry for the HTML root in httpd.conf.

Once all the files are in a web accessible directory, make that directory writable by your webserver's user. This is a temporary step until you run the post-install checksetup.pl script, which locks down your installation.

Lastly, you'll need to set up a symbolic link to /usr/bonsaitools/bin/perl for the correct location of your Perl executable (probably /usr/bin/perl). Otherwise you must hack all the .cgi files to change where they look for Perl. This can be done using the following Perl one-liner, but I suggest using the symlink approach to avoid upgrade hassles.

perl -pi -e 's@#\!/usr/bonsaitools/bin/perl@#\!/usr/bin/perl@' *cgi *pl Bug.pm processmail syncshadowdb

Change /usr/bin/perl to match the location of Perl on your machine.

4.1.8. Setting Up the MySQL Database

After you've gotten all the software installed and working you're ready to start preparing the database for its life as the back end to a high quality bug tracker.

First, you'll want to fix MySQL permissions to allow access from Bugzilla. For the purpose of this Installation section, the Bugzilla username will be "bugs", and will have minimal permissions.

Begin by giving the MySQL root user a password. MySQL passwords are limited to 16 characters.

4.1.9. checksetup.pl

Next, run the magic checksetup.pl script. (Many thanks to Holger Schurig for writing this script!) This script is designed to make sure your MySQL database and other configuration options are consistent with the Bugzilla CGI files. It will make sure Bugzilla files and directories have reasonable permissions, set up the data directory, and create all the MySQL tables.

This file contains a variety of settings you may need to tweak including how Bugzilla should connect to the MySQL database.

The connection settings include:

1. server's host: just use "localhost" if the MySQL server is local

2. database name: "bugs" if you're following these directions

3. MySQL username: "bugs" if you're following these directions

4. Password for the "bugs" MySQL account; (<bugs_password>) above

Once you are happy with the settings, su to the user your web server runs as, and re-run checksetup.pl. (Note: on some security-conscious systems, you may need to change the login shell for the webserver account before you can do this.) On this second run, it will create the database and an administrator account for which you will be prompted to provide information.

The checksetup.pl script is designed so that you can run it at any time without causing harm. You should run it after any upgrade to Bugzilla.

4.1.10. Securing MySQL

If you followed the installation instructions for setting up your "bugs" and "root" user in MySQL, much of this should not apply to you. If you are upgrading an existing installation of Bugzilla, you should pay close attention to this section.

Most MySQL installs have "interesting" default security parameters:

4.1.11. Configuring Bugzilla

You should run through the parameters on the Edit Parameters page (link in the footer) and set them all to appropriate values. They key parameters are documented in Section 5.1.

4.2.1. Dependency Charts

As well as the text-based dependency graphs, Bugzilla also supports dependency graphing, using a package called 'dot'. Exactly how this works is controlled by the 'webdotbase' parameter, which can have one of three values:

1. A complete file path to the command 'dot' (part of GraphViz) will generate the graphs locally

2. A URL prefix pointing to an installation of the webdot package will generate the graphs remotely

3. A blank value will disable dependency graphing.

So, to get this working, install GraphViz. If you do that, you need to enable server-side image maps in Apache. Alternatively, you could set up a webdot server, or use the AT&T public webdot server (the default for the webdotbase param). Note that AT&T's server won't work if Bugzilla is only accessible using HTTPS.

4.2.2. Bug Graphs

As long as you installed the GD and Graph::Base Perl modules you might as well turn on the nifty Bugzilla bug reporting graphs.

Add a cron entry like this to run collectstats.pl daily at 5 after midnight:

4.2.3. The Whining Cron

By now you have a fully functional Bugzilla, but what good are bugs if they're not annoying? To help make those bugs more annoying you can set up Bugzilla's automatic whining system to complain at engineers which leave their bugs in the NEW state without triaging them.

This can be done by adding the following command as a daily crontab entry (for help on that see that crontab man page):

Depending on your system, crontab may have several manpages. The following command should lead you to the most useful page for this purpose: man 5 crontab

4.2.4. LDAP Authentication

This information on using the LDAP authentication options with Bugzilla is old, and the authors do not know of anyone who has tested it. Approach with caution.

Using LDAP for Bugzilla authentication requires the Mozilla::LDAP (aka PerLDAP) Perl module. The Mozilla::LDAP module in turn requires Netscape's Directory SDK for C. After you have installed the SDK, then install the PerLDAP module. Mozilla::LDAP and the Directory SDK for C are both available for download from mozilla.org.

Set the Param 'useLDAP' to "On" **only** if you will be using an LDAP directory for authentication. Be very careful when setting up this parameter; if you set LDAP authentication, but do not have a valid LDAP directory set up, you will not be able to log back in to Bugzilla once you log out. (If this happens, you can get back in by manually editing the data/params file, and setting useLDAP back to 0.)

If using LDAP, you must set the three additional parameters: Set LDAPserver to the name (and optionally port) of your LDAP server. If no port is specified, it defaults to the default port of 389. (e.g "ldap.mycompany.com" or "ldap.mycompany.com:1234") Set LDAPBaseDN to the base DN for searching for users in your LDAP directory. (e.g. "ou=People,o=MyCompany") uids must be unique under the DN specified here. Set LDAPmailattribute to the name of the attribute in your LDAP directory which contains the primary email address. On most directory servers available, this is "mail", but you may need to change this.

4.2.5. Preventing untrusted Bugzilla content from executing malicious Javascript code

It is possible for a Bugzilla to execute malicious Javascript code. Due to internationalization concerns, we are unable to incorporate the code changes necessary to fulfill the CERT advisory requirements mentioned in http://www.cet.org/tech_tips/malicious_code_mitigation.html/#3. Executing the following code snippet from a UNIX command shell will rectify the problem if your Bugzilla installation is intended for an English-speaking audience. As always, be sure your Bugzilla installation has a good backup before making changes, and I recommend you understand what the script is doing before executing it.

bash# perl -pi -e "s/Content-Type\: text\/html/Content-Type\: text\/html\; charset=ISO-8859-1/i" *.cgi *.pl

All this one-liner command does is search for all instances of "Content-type: text/html" and replaces it with "Content-Type: text/html; charset=ISO-8859-1" . This specification prevents possible Javascript attacks on the browser, and is suggested for all English-speaking sites. For non-English-speaking Bugzilla sites, I suggest changing "ISO-8859-1", above, to "UTF-8".

Note: using <meta> tags to set the charset is not recommended, as there's a bug in Netscape 4.x which causes pages marked up in this way to load twice.

4.2.6. .htaccess files and security

To enhance the security of your Bugzilla installation, Bugzilla's checksetup.pl script will generate .htaccess files which the Apache webserver can use to restrict access to the bugzilla data files. These .htaccess files will not work with Apache 1.2.x - but this has security holes, so you shouldn't be using it anyway.

If you are using an alternate provider of webdot services for graphing (as described when viewing editparams.cgi in your web browser), you will need to change the ip address in data/webdot/.htaccess to the ip address of the webdot server that you are using.

4.2.7. mod_throttle and Security

It is possible for a user, by mistake or on purpose, to access the database many times in a row which can result in very slow access speeds for other users. If your Bugzilla installation is experiencing this problem , you may install the Apache module mod_throttle which can limit connections by ip-address. You may download this module at http://www.snert.com/Software/Throttle/. Follow the instructions to install into your Apache install. This module only functions with the Apache web server! You may use the ThrottleClientIP command provided by this module to accomplish this goal. See the Module Instructions for more information.

4.3.1. Win32 Installation: Step-by-step

You should be familiar with, and cross-reference, the rest of the Bugzilla Installation section while performing your Win32 installation. Making Bugzilla work on Microsoft Windows is no picnic. Support for Win32 has improved dramatically in the last few releases, but, if you choose to proceed, you should be a very skilled Windows Systems Administrator with strong troubleshooting abilities, a high tolerance for pain, and moderate perl skills. Bugzilla on NT requires hacking source code and implementing some advanced utilities. What follows is the recommended installation procedure for Win32; additional suggestions are provided in Appendix A .