Debian Bug report logs - #638705
RM: bugzilla -- RoST; open security issues, unmaintained

Package:; Maintainer for is Debian FTP Master <>;

Reported by: Moritz Muehlenhoff <>

Date: Sun, 21 Aug 2011 09:18:02 UTC

Severity: normal

Done: Debian FTP Masters <>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to, Debian FTP Master <>:
Bug#638705; Package (Sun, 21 Aug 2011 09:18:16 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <>:
New Bug report received and forwarded. Copy sent to Debian FTP Master <>. (Sun, 21 Aug 2011 09:18:37 GMT) Full text and rfc822 format available.

Message #5 received at (full text, mbox):

From: Moritz Muehlenhoff <>
To: Debian Bug Tracking System <>
Subject: RM: bugzilla -- RoST; open security issues, unmaintained
Date: Sun, 21 Aug 2011 11:15:47 +0200
Severity: normal

Please remove bugzilla. It has open security issues allowing account
compromise (#611176) and the package is very hard to support without
maintainer support (which is non-existing, last upload dates back
nine months), since it's very difficult to test and the packaging
is non-standard (several scripts are being run at build time which
modify the sources in an awkward way).

Plus, Debian has been - rightfully - blamed by upstream in a posting
at Planet Mozilla that Debian provides poor security support for
Bugzilla. Right now people are better off using an upstream tarball. 

The security team will fix the open issues for oldstable/stable, but
we should remove it from the archive for unstable/testing.

Bugzilla should only reenter the archive if >= two maintainers commit 
to its maintenance.


Reply sent to Debian FTP Masters <>:
You have taken responsibility. (Tue, 23 Aug 2011 09:35:55 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <>:
Bug acknowledged by developer. (Tue, 23 Aug 2011 09:36:03 GMT) Full text and rfc822 format available.

Message #10 received at (full text, mbox):

From: Debian FTP Masters <>
Subject: Bug#638705: Removed package(s) from unstable
Date: Tue, 23 Aug 2011 09:24:13 +0000
We believe that the bug you reported is now fixed; the following
package(s) have been removed from unstable:

  bugzilla | | source
 bugzilla3 | | all
bugzilla3-doc | | all

------------------- Reason -------------------
RoST; open security issues, unmaintained

Note that the package(s) have simply been removed from the tag
database and may (or may not) still be in the pool; this is not a bug.
The package(s) will be physically removed automatically when no suite
references them (and in the case of source, when no binary references
it).  Please also remember that the changes have been done on the
master archive ( and will not propagate to any
mirrors ( included) until the next cron.daily run at the

Packages are usually not removed from testing by hand. Testing tracks
unstable and will automatically remove packages which were removed
from unstable when removing them from testing causes no dependency
problems. The release team can force a removal from testing if it is
really needed, please contact them if this should be the case.

We try to close Bugs which have been reported against this package
automatically.  But please check all old bugs, if they where closed
correctly or should have been re-assign to another package.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to

The full log for this bug can be viewed at

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing

Debian distribution maintenance software
Alexander Reichle-Schmehl (the ftpmaster behind the curtain)

Bug archived. Request was from Debbugs Internal Request <> to (Wed, 21 Sep 2011 07:31:11 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.

Debian bug tracking system administrator <>. Last modified: Thu Apr 24 07:29:54 2014; Machine Name:

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.