P Richards | 30 Oct 16:57 2014

FW: Hi All - A change of direction for me.

Robert, Damien, 

Before I send anything to the list regarding the fork (which may be over the weekend), I'm sending you two privately
some of the security patches that I have for 1.2.18.

001: I deem to be minor - it's a 'safety' catch for if someone accidentally configures a server incorrectly - in
reality, unlikely to ever be an issue as Mantis isn't usable in the state needed to trigger this.

002 - not a security fix as such, but seemed to fix JavaScript errors that were making it hard to identify 3

003 - Fixes an XSS issue in the extended browser - this only needs to be back-ported to 1.2 as the code has gone from master.

004 - Fixes a SQL injection issue in the SOAP API - I've emailed
cve-assign@... asking for them to reserve a CVE for this (and
also emailed them asking them to reserve a CVE for the other issues we've got patches in progress for). I've
not yet emailed cve-assign for the 01 or 03 above. I'm wondering for both whether it's necessary to
bother - in the first case (001), I don't think you'd even be able to use Mantis properly in the state
needed to hit this issue, and in the 2nd case (003), given you'd need the extended project browser to be on,
and be able to set a project name - the first of which I've never seen anyone use...

Once I get a reply with the CVE number, I'll forward it to you two again so a complete set of patches can be properly
co-ordinated, and we can make sure nothing is missing. And then I'll reply publicly to your list mail,
rombert, about names (don't worry, I've not picked something that will breed confusion), and further details.

Paul

-----Original Message-----
From: Robert Munteanu [mailto:robert.munteanu@...] 
Sent: 21 October 2014 12:06
To: developer discussions

Robert Munteanu | 25 Oct 11:24 2014

Simplify Target Version/Fixed in Version management for 1.3

Hi,

I was thinking that having two different version fields ( target
version and fixed in version ) in a bug can be confusing for some
users. I understand that there are some advanced use cases, but IMO we
should also optimize for the simple workflow, where fix version should
be the same as the target version.

For that I suggest the following enhancement for 1.3:

When modifying a bug such that
- status >= bug_resolved_status_threshold
- resolution >= bug_resolution_fixed_threshold
- target_version exists
- fixed_in_version is empty

Then automatically set the fixed_in_version to be equal to the target_version.

Thoughts?

Robert

--

-- 
http://robert.muntea.nu/

------------------------------------------------------------------------------
P Richards | 20 Oct 23:24 2014

Hi All - A change of direction for me.

Hi All,

Just to let you know that I’m going to embark on a new project – “Mantis Issue Tracker”. This will be a fork from the Mantis Bug Tracker project with a goal of being used for a helpdesk focus – this is the environment I currently work in.

After 10 years spent working on Mantis Bug Tracker, it has become clear that Victor’s planned direction of moving towards a hosted MantisHub and trying to make a financial return out of Mantis is not aligned with the goals that I set myself for involvement with an open source project. I’d like to wish him success with those aims.

Myself, I’m keen to ensure that in today's hosted world with cloud services etc., it’s possible to run a freely available issue tracker for all.

I’ll post more details in a few days.

I still plan to continue to follow the project and submit any pull requests, but I need to align my coding time with the needs for which I use Mantis – which is as an issue checker in an MSSQL shop.

In the meantime, please let me know as soon as Damien has fixed his email address, as it’s still broken and it would be good to do a joint security release.

Paul

------------------------------------------------------------------------------
Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://p.sf.net/sfu/Zoho
_______________________________________________
mantisbt-dev mailing list
mantisbt-dev@...
https://lists.sourceforge.net/lists/listinfo/mantisbt-dev
P Richards | 20 Oct 20:43 2014

19:30 Status update

ERROR: Permission to mantisbt/mantisbt.git denied to grangeway.

fatal: Could not read from remote repository.

 

Please make sure you have the correct access rights

and the repository exists.

 

And still unable to email dregad-yNRIyJjUR0xg9hUCZPvPmw@public.gmane.org

P Richards | 20 Oct 19:27 2014

.

ERROR: Permission to mantisbt/mantisbt.git denied to grangeway.

fatal: Could not read from remote repository.

 

Please make sure you have the correct access rights

and the repository exists.

Paul Richards | 20 Oct 08:38 2014

Fwd: FW: [mantisbt] Simplify timezone configuration within Mantis (#387)

---------- Forwarded message ----------
Date: Mon, Oct 20, 2014 at 12:35 AM
Subject: FW: [mantisbt] Simplify timezone configuration within Mantis (#387)
To: developer discussions <mantisbt-dev-5NWGOfrQmnd4wTydcyPnfg@public.gmane.orgceforge.net>


Victor, that's just silly.

If you look at the pull request, my point before was that our date handling is over-complicated.

On the initial PR that you raised, https://github.com/mantisbt/mantisbt/pull/380

Atrol/Rombert said +1 to your PR aka #380

I said "definitely a -1 to this, but before I go into details, are you hitting it on Centos/RHEL"

Damien also said -1, and then also said he’d do a PR.

Hence there are now 2 PRs following up your initial work.

In the case of Damien’s request, as I say I believe it overcomplicates our handling of date times and that we should look at simplifying the functionality.

If you actually spent the time to look, you may see my point.

Anyway, given that I’ve got a -1 to Damien’s pull request and you’ve now given a -1 to my pull request, and both myself and Damien gave a -1 to your pull request, we have now hit a situation where, to move forward, I’d like to request a mailing list discussion on both pull requests, as it seems we are not going to get agreement via GitHub.

It’s 12:30AM now so I don’t have time now; I will write up arguments for and against the PRs tomorrow, and then we can discuss, and if need be have a vote at the end.

Hopefully Damien will be more mature than yourself, and actually take the time to look and consider what we are actually trying to do.

Thanks

Paul

 

 

From: Victor Boctor [mailto:notifications-9UaJU3cA/F/QT0dZR+AlfA@public.gmane.org]

Sent: 20 October 2014 00:07
To: mantisbt/mantisbt
Cc: grangeway
Subject: Re: [mantisbt] Simplify timezone configuration within Mantis (#387)

 

-1 - I'm not even going to review this. We don't need 3 pull requests for a fix. If you have feedback give it to Damien who spent the time to write a thorough fix. There are two options here:

  • Give him the feedback that he can incorporate.
  • If you want to go further than he has the bandwidth to do as part of his checkin, then do follow up pull requests after his work is checked in.


Reply to this email directly or view it on GitHub.



P Richards | 20 Oct 00:53 2014

1.3-Dev Users: Crypto_master_salt

If anyone’s running 1.3-dev on a ‘production box’, you might want to read the following:

Following Roland’s suggestion to Victor to think about what config_is_private is “good for” [https://github.com/mantisbt/mantisbt/pull/386#issuecomment-59629700 ], and following reviewing our use of global-only configs - the next logical step was to review config_is_private:

I’ve put in a Pull Request following that (https://github.com/mantisbt/mantisbt/pull/509/files )

One of the changes in that pull request is as follows:


-                              case 'master_crypto_salt':

+                             case 'crypto_master_salt':
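Review bot: the removed label `master_crypto_salt` never matched the real option name, so until the `+` line config_is_private() answered false for the master salt and the value was handled as if it were public. A stale case label fails silently, so it is worth pairing this one-line rename with a test asserting that every label in config_is_private names a defined config option, and treating the salt as exposed on any instance that ran the old code (hence the advice in this mail to change it).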

 

Within config.api, config_is_private function.

If you are running a version of 1.3 as a “production” instance somewhere, I’d like to suggest you change your master salt and apply the patch in this Pull Request.

 

Paul
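An added illustrative check, not MantisBT's code and not from PR #509, that models the mismatch described above: a private-config list keyed on a misspelled option name, and an audit that catches both the stale entry and the secret it leaves exposed. The config keys, placeholder values and the secret-name heuristic are all constructed for this example.

```python
# Illustrative model of the PR #509 bug (not MantisBT code): a private-config
# allow-list that names a key that does not exist ('master_crypto_salt')
# silently leaves the real key ('crypto_master_salt') public.

# Constructed sample config; values are placeholders, not real secrets.
CONFIG = {
    "crypto_master_salt": "EXAMPLE-SALT-PLACEHOLDER",
    "db_password": "EXAMPLE-PASSWORD-PLACEHOLDER",
    "allow_signup": True,
}

# Allow-list of option names that must never be exposed. PRIVATE_BUGGY
# reproduces the typo; PRIVATE_FIXED uses the corrected name.
PRIVATE_BUGGY = {"master_crypto_salt", "db_password"}
PRIVATE_FIXED = {"crypto_master_salt", "db_password"}

# Name fragments that usually mark a secret (hypothetical heuristic).
SECRET_HINTS = ("salt", "password", "secret", "token")


def config_is_private(name, private):
    """Mirror of a switch-style allow-list: private only if listed by name."""
    return name in private


def export_config(config, private):
    """Redact private values. This is the kind of view that leaks a secret
    when the allow-list misspells its name."""
    return {k: "***" if config_is_private(k, private) else v
            for k, v in config.items()}


def audit_private_list(config, private):
    """Return (stale, unprotected): allow-list entries matching no real key
    (typos), and secret-looking keys that the allow-list does not cover."""
    stale = sorted(private - set(config))
    unprotected = sorted(
        k for k in config
        if any(h in k for h in SECRET_HINTS) and k not in private)
    return stale, unprotected


if __name__ == "__main__":
    print("buggy export:", export_config(CONFIG, PRIVATE_BUGGY))
    print("buggy audit :", audit_private_list(CONFIG, PRIVATE_BUGGY))
    print("fixed audit :", audit_private_list(CONFIG, PRIVATE_FIXED))
```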

 

 

P Richards | 19 Oct 18:20 2014

Github notifications

Apologies if anyone got some GitHub notifications this morning – atrol got a few and gave me a poke so I was able to stop the script that was generating them.

 

I’ve got a simple script that I basically use to automate some merging and testing

In essence, I was feeding in a batch of updates to update sql format for the db layer for 2.x to keep it up to date, and trying to do a local build to test.

 

Usually this works quite well, and I’ve used it multiple times before – it basically takes a change, pushes it into a new local branch, runs a build and then tidies up at end if all builds pass, or leaves files if they don’t. This was working its way through ~500 changes:


Anyway,

What happened here is

I had a pending change for master in my local master (https://github.com/mantisbt/mantisbt/pull/378 ) for pushing.

 

So instead of pushing locally, it pushed for a new remote PR (hence as atrol spotted, the reason for 2 commits in the branch)

 

On the bright side, if atrol hadn’t spotted it, there were a considerable number more branches that would have been generated.

 

Paul

 

P Richards | 19 Oct 01:29 2014

.

I like your maturity.

 

First you revert a commit that has been in a PR with no feedback for 7 days, without talking to me.

Then you remove access.

 

Paul

 

$ git push

 

 

ERROR: Permission to mantisbt/mantisbt.git denied to grangeway.

fatal: Could not read from remote repository.

 

Please make sure you have the correct access rights

and the repository exists.

Damien Regad | 19 Oct 00:23 2014

1.2.18 release

Paul,

As you know we have several open security issues including some fairly 
critical ones. I have fixes ready to go for the most recent ones, and to 
close the loop I want to release 1.2.18 as soon as possible.

*I remind you that you owe us a series of security fixes since May*, and 
you agreed earlier this week on IRC [1] to send them to me via e-mail by 
Friday.

It is now late Saturday (early Sunday actually), and I still haven't 
received anything from you. To be blunt:

YOU ARE BLOCKING A SECURITY RELEASE

This is really unprofessional. Please act responsibly, and put on hold 
some of the trivialities you've been working on for the past few 
weeks/months for the few minutes it will take to send me patches. And 
please don't give me any of that shit again about your SSH access.

Damien

[1] 
http://www.mantisbt.org/irclogs/mantisbt/2014/mantisbt.2014-10-15.log.html

Louis BAYLE | 18 Oct 23:43 2014

Mantis not working behind a reverse-proxy

Is there a 'good patch' to fix this really problematic bug in Mantis?

The patch I applied to our installation does not work very well.
IMHO this is really a critical bug.