Saturday, 2009-06-27

../irclogs/#mantishelp.2009-06-27.log
00:00 --- scribe started ---
00:10 <mantisbot> New bug: Bug 10631 - j-b-m - open - new
00:10 <mantisbot> New bug: bug_graph_page.php missing from Graph plugin - http://www.mantisbt.org/bugs/view.php?id=10631
05:48 <[KK]Kirill> siebrand: lo
06:50 <[KK]Kirill> look http://github.com/jamespadolsey/prettyPrint.js/tree/master
11:09 <CIA-18> Mantisbt: paul * rab73c5176704 /plugins/MantisGraph/pages/ (3 files): Fix #0010631: bug_graph_page.php missing from Graph plugin
13:35 <[KK]Kirill> hi paul_
13:35 <paul_> lo
13:36 <[KK]Kirill> I don't understand, how I missed bug with jpGraph
13:36 <[KK]Kirill> :)
13:37 <paul_> ?
13:37 <[KK]Kirill> >  Mantisbt: paul * rab73c5176704 /plugins/MantisGraph/pages/ (3 files): Fix #0010631: bug_graph_page.php missing from Graph plugin
13:39 <[KK]Kirill> and git.mantisforge.org not sync mantisbt.git
13:41 <dhx_m> hi
13:43 <paul_> lo
13:44 <dhx_m> you were asking for me yesterday? :)
13:44 <paul_> yep
13:44 <paul_> you weren't here
13:44 <dhx_m> that's a surprise :p
13:44 <dhx_m> I'm always here lol
13:47 <[KK]Kirill> paul_: thnx
13:52 <paul_> dhx_m: need to set up a box running oracle/mssql/postgres/db2
13:53 <dhx_m> is oracle free to get?
13:53 <dhx_m> I think there is a free version of mssql at least
13:53 <paul_> http://www.mantisbt.org/bugs/view.php?id=7702
13:53 <paul_> http://www.mantisbt.org/bugs/view_all_bug_page.php?filter=3258140
13:54 <dhx_m> oh we must store a copy of the version in the bug table... rather than a reference to the version number?
13:54 <dhx_m> this doesn't make sense to me
13:54 <dhx_m> I thought renaming worked ok?
13:54 <paul_> i think we store version name in bug table
13:54 <dhx_m> because we stored it as a reference to a version ID?
13:55 <dhx_m> ugh
13:55 <dhx_m> we do :(
13:56 <paul_> maybe update database schema
13:56 <paul_> could be fun!
13:56 <dhx_m> yep that is a good one to fix
13:56 <dhx_m> good find from the archives :)
13:56 <paul_> nah
13:56 <paul_> I look for topics
13:56 <dhx_m> I just marked it as confirmed
13:56 <dhx_m> yep I was trying to triage some stuff yesterday
13:56 <paul_> I find it better to
13:56 <dhx_m> found something like 10 duplicates between 2 bug reports
13:56 <paul_> pick a summary topic
13:56 <paul_> e.g.
13:56 <paul_> csv
13:57 <paul_> or whatever
13:57 <dhx_m> yep
13:57 <dhx_m> in fact I say don't update the schema...
13:57 <dhx_m> what we really need is the ability to target multiple versions
13:58 <dhx_m> 1.1.x, 1.2.x and 1.x.x in our case if a new security flaw is found
13:58 <dhx_m> although one could argue that you should create a ticket for each version?
13:58 <paul_> i'm also wondering
13:58 <paul_> where we have bugs
13:58 <paul_> e.g. 10435
13:58 <paul_> whether we should resolve as 'create a plugin'
14:00 <dhx_m> agreed
14:00 <dhx_m> plus the user interface in the screenshot sucks (no offence)
14:01 <dhx_m> I'd like to see Mantis become more modular, so you can simply turn stuff off if you don't want to use it
14:01 <dhx_m> it isn't going to really cause many more maintenance problems than we'd already get
14:01 <dhx_m> because there are already parts of Mantis that aren't maintained well
14:02 <dhx_m> for instance, when was the last time you used the mindmap/freemind export thingys?
14:14 <paul_> they are plugins...
14:19 <dhx_m> oh heh
14:19 <dhx_m> good point
14:46 <dhx_m> nuclear_eclipse: good post
14:46 <paul_> ?
14:47 <dhx_m> on the mailing list he pointed out http://groups.google.com/group/make-the-web-faster/browse_thread/thread/ddfbe82dd80408cc
15:21 <paul_> dhx_m: so coding today or?
15:22 <dhx_m> paul_: yep fixing CSRF
15:22 <dhx_m> getting there :)
15:23 <dhx_m> I'm making it so that we can grep -RniA1 "<form" in the future to quickly see if CSRF is missing off a form
15:24 <paul_> erm
15:24 <paul_> well, I said before
15:24 <paul_> we should have a form_start command
15:24 <paul_> john didn't like that idea
15:24 <dhx_m> not every form needs CSRF though
15:25 <paul_> sure but can't we just add for sake of it?
15:25 <dhx_m> if I'm right... every time a CSRF form is printed but not submitted, a token is kept in the session for up to 3 days?
15:25 <paul_> hmm
15:25 <dhx_m> this makes it a problem for say the sponsorship form... or the one click buttons on the bug view page
15:26 <dhx_m> to assign, move, copy, delete, stick, etc
15:26 <paul_> they go to a confirmation page mostly
15:27 <dhx_m> unless we change it so that these security tokens last 10 minutes
15:27 <dhx_m> actually that wouldn't work either
15:27 <dhx_m> you may have the bug open for 3 days in a browser window and THEN click a button to find CSRF fails
15:28 <dhx_m> maybe what we need instead is a sort of "captcha" page
15:28 <paul_> eww :P
15:28 <paul_> (after 10 minutes)
15:28 <dhx_m> so if CSRF is expired... you have the opportunity to confirm the action
15:29 <dhx_m> a bit too much effort though
15:31 <dhx_m> a better idea might be to change how CSRF works
15:32 <dhx_m> so instead of making unique hashes each time, we use a challenge-response approach
15:33 <dhx_m> wait maybe it's not challenge response
15:33 <dhx_m> let me figure it out
16:16 <dhx_m> server sends nonce and hash(nonce+userid+secret) as hidden form fields
16:16 <dhx_m> client returns this value with the submitted form
16:16 <dhx_m> server knows secret and userid and uses nonce from client to recalculate and compare hash(nonce+userid+secret)
16:17 <dhx_m> that doesn't really help with anonymous form submission
16:18 <dhx_m> maybe it'd be better to use session_id for anonymous users
16:18 <dhx_m> and also to strengthen it a bit more... replace userid+secret with a per-user secret
16:28 <dhx_m> actually maybe use the session id/hash for registered users too... if you understand that "logout" will effectively prevent you from submitting a form
16:28 <dhx_m> (that hasn't already been submitted)
16:51 <paul_> dhx_m: we should aim to resolve 10 issues a day or something
16:51 <dhx_m> paul_: each? and code fixes... or just closing old tickets on the tracker?
16:51 <paul_> whatever :)
16:52 <paul_> I do think we need to housekeep a bit more
16:52 <dhx_m> I like that idea :0
16:52 <dhx_m> :)
16:52 <paul_> I like summary to be green at all times ;p
16:52 <dhx_m> :)
16:52 <paul_> at the moment
16:52 <paul_> 180 days = +78
16:53 <dhx_m> yeah
16:53 <dhx_m> we should aim to get that number to a nice value :)
16:53 <dhx_m> -67 in 30 days is good
16:53 <dhx_m> could be a lot better though given our huge backlog
16:54 <paul_> bug 10066
16:54 <mantisbot> Bug 10066 - mmger - open - new
16:54 <mantisbot> g_allow_reporter_close has no effect - http://www.mantisbt.org/bugs/view.php?id=10066
16:54 * paul_ ponders
16:54 <paul_> having grepped code confused a bit
16:54 <dhx_m> would it be harsh to reply "PEBKAC" on bug 10340
16:54 <mantisbot> Bug 10340 - Naima - open - new
16:54 <mantisbot> Https on Mantis - http://www.mantisbt.org/bugs/view.php?id=10340
16:54 <paul_> pebkac?
16:55 <dhx_m> problem exists between keyboard and chair
16:55 <paul_> resolve politely
16:55 <paul_> iirc we use relative links
16:56 <dhx_m> I have no problem using Mantis via secure HTTP
16:56 <dhx_m> so it isn't a case of Mantis spitting out http:// links and not respecting the protocol actually being used
17:01 <dhx_m> lol at some issues saying they've been open for 2700+ days
17:09 <dhx_m> is there a better way of doing what captcha does... that isn't captcha?
17:09 <dhx_m> they're useless these days
17:09 <dhx_m> not just useless... but dangerous to usability
18:27 <mantisbot> New bug: Bug 10632 - dhx - open - new
18:27 <mantisbot> New bug: Cannot update global default columns - project 0 not found - http://www.mantisbt.org/bugs/view.php?id=10632
19:33 <mantisbot> New bug: Bug 10633 - Mr Papa - open - new
19:33 <mantisbot> New bug: Product Version in View Issues Trashed After 1.2.0rc1 Upgrade - http://www.mantisbt.org/bugs/view.php?id=10633
19:35 <paul_> repo'd
20:55 <paul_> dhx_m: still here?
22:29 <mantisbot> New bug: Bug 10634 - RavenWebServices - open - new
22:29 <mantisbot> New bug: Fixed In Version in View Issues reads @fixed_in_version@ After 1.2.0rc1 Upgrade - http://www.mantisbt.org/bugs/view.php?id=10634
22:56 <CIA-18> Mantisbt: paul * r938f67c1e206 /core/bug_api.php: Fix Issue #0010634: Fixed In Version in View Issues reads @fixed_in_version@ After 1.2.0rc1 Upgrade

Generated by irclog2html.py