Closed
Bug 597413
Opened 15 years ago
Closed 15 years ago
request bugzilla database for research
Categories
(bugzilla.mozilla.org :: General, enhancement)
RESOLVED
FIXED
People
(Reporter: oege, Assigned: justdave)
Details
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.9.0.16) Gecko/2009121601 Ubuntu/9.04 (jaunty) Firefox/3.0.16
Build Identifier:
I'm a prof at the University of Oxford (where I head the Programming Languages research theme) and I run a startup company named Semmle. Here is my web page: http://www.comlab.ox.ac.uk/people/oege.demoor/ and you can find my publication record here: http://www.informatik.uni-trier.de/~ley/db/indices/a-tree/m/Moor:Oege_de.html
I'd like to request a sanitized copy of the bugzilla database for research purposes, namely studying the correlation between the results of static analyses and bugs that occur in the wild.
If we obtain interesting results quickly enough, I'll publish them in a keynote talk at the NASA Formal Methods symposium, April 18-20, 2011. Here is the web page for that symposium: http://lars-lab.jpl.nasa.gov/nfm2011/
I've been in touch with Gerv and justdave about this, and Dave suggested I file the present ticket for the request.
Reproducible: Didn't try
Updated • 15 years ago (Assignee)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 1 • 15 years ago (Assignee)
Justin or Luis: looking for an approval here still.
Comment 2 • 15 years ago (Reporter)
I am *extremely* keen to get started on this project, so the sooner the better. Let me know if there's anything I can do to expedite the approval process!
I believe I sent you an email about this a few weeks back, Dave; I'll double-check and resend if so.
I'll also file a legal bug so we can track the discussion in a privileged manner.
The other email was about a separate bugzilla dump, my mistake. Further followup in the legal bug.
Comment 5 • 15 years ago (Reporter)
Apologies for being insistent, but I'd really like to get moving on this research project. Any progress, anything I can do to help sort it out? Many thanks for your assistance.
Comment 6 • 15 years ago
No apology necessary.
The private discussion has concluded. Julie Martin (jmartin; CCed on this bug) is working on some language you'll need to agree to where you promise not to be evil. We hope to have that soon. And then Dave Miller (justdave; also CCed) will be able to sort you out with a copy of the database.
Gerv
Comment 7 • 15 years ago (Reporter)
Julie, any progress on this? See the publication plan above. I'm pressing for getting the database because I need to tell the conference organisers what I'll be talking about; this in turn requires the data to run the experiments, and checking there's something interesting to say! Time is short... thanks for your help!
Comment 8 • 15 years ago
Hi, Oege.
I appreciate your patience. Mozilla has a very small legal department in relation to the number of users and projects we support. Since we are creating a new agreement, we will need some time. I will get back to you asap.
Julie
Comment 9 • 15 years ago (Reporter)
Hi Julie,
Many thanks for your work on the new agreement. I'm fully aware I'm asking a big favour, and I appreciate it necessarily takes time.
-Oege
Comment 10 • 15 years ago
Hi, Folks.
Here is a proposed lightweight agreement. Please let me know your thoughts:
Agreement for Receipt and Use of Bugzilla Data
Thank you for contacting us about using the Bugzilla database for the public good. We are happy to work with you and provide access to you free of any charge.
In exchange for receipt and right to use data from Mozilla’s Bugzilla system, you agree to the following:
*you will only use the data for purposes that benefit the public;
*you will not use the data to identify or attempt to identify security flaws in any Mozilla product or potential product;
*you will not attempt to reidentify or deanonymize the source of the data or otherwise seek to extract any personal information from the data;
*you will not share or transfer the data to any third party; in the event you are acquired or cease operations or have a change of control, all your rights to the data cease.
*Mozilla does not make any representations or warranties about the data and you receive it on an AS-IS basis and acknowledge that it may contain bugs, viruses, or errors. Mozilla expressly disclaims any implied warranties of non-infringement, satisfactory quality, fitness for a particular purpose, and merchantability. The UN Convention on the International Sale of Goods is expressly disclaimed.
*Mozilla’s total aggregate liability under this agreement shall not exceed US$50.
*No agency or other relationship is created by this agreement.
*This Agreement shall be governed by California law without regard to its conflict of law provisions. In the event of a dispute related to this Agreement, you consent to the personal jurisdiction of California and agree not to bring an action against Mozilla except in the state and federal courts of California, USA.
Signed: ______________________________
Name: ______________________________
Date: ______________________________
Nature and Purpose of Data Use: ______________________________
Comment 11 • 15 years ago
[Oege: Julie and Harvey have agreed that we can give you the data while we are working this out. I've emailed Dave to get him to contact you and make the arrangements.]
Hi Julie,
I think this is a great start. A few thoughts:
(In reply to comment #10)
> *you will only use the data for purposes that benefit the public;
What sort of purposes are you excluding here? If someone does research on the data but never publishes it (so there is no public benefit), does that make their use illegal in retrospect?
> *you will not use the data to identify or attempt to identify security flaws in
> any Mozilla product or potential product;
In the past, we have had researchers who have attempted to identify the more "risky" areas of code for security flaws in various ways. This sort of data is useful to us - that code is risky whether we know about it or not, so we might as well know! We need to be careful about limiting legitimate security research.
Is the risk here that people will scan the database for exploitable bugs and then use them? If so, I suggest that possibility is best avoided by checking the character of the data recipients. After all, if they do this, they aren't going to claim credit for the attack so we can sue them! :-)
> *you will not attempt to reidentify or deanonymize the source of the data or
> otherwise seek to extract any personal information from the data;
The Bugzilla data is not anonymized, in that all email addresses and names remain (although not passwords). What sort of thing were you thinking we should prevent by stopping people "extracting any personal information from the data"? I can see some research avenues where people might be concerned about this clause.
> *you will not share or transfer the data to any third party; in the event you
> are acquired or cease operations or have a change of control, all your rights
> to the data cease.
I assume we don't intend to prevent people sharing the data with their research group? What about peer review (which may be by someone from another institution)? What problem are we trying to prevent with this clause, given that none of the data is confidential or secret?
Gerv
Comment 12 • 15 years ago (Reporter)
Gerv: many thanks, it would be terrific if I can get the data soonest!
Julie: many thanks for this draft, and for producing it so quickly. I'm of course happy to sign the eventual agreement. I don't see any particular problems for my current project, but I think all of Gerv's comments are important if this is used as a template for any research use of the data.
Oege
Comment 13 • 15 years ago (Assignee)
Coincidentally, the cron job that generates these was broken until yesterday, so it's going to be tomorrow before I have one to give you anyway (it takes about 14 hours to run). I'll shoot you an email with a URL to pick it up from as soon as I have it.
Comment 14 • 15 years ago (Reporter)
Hi Dave,
Thanks for your help with this. Is the cron job back in operation? Just checking that I have not missed your email with the URL somehow...
-Oege
Comment 15 • 15 years ago (Reporter)
I'm literally checking my email every few hours to see whether the database is available yet - I cannot wait to get on with this research :-) Do let me know whether there's some way to contribute to making it happen! Many thanks!
Comment 16 • 15 years ago (Assignee)
Download URL and user/pass have been sent via direct email.
Assignee: nobody → justdave
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Updated • 14 years ago
Component: Bugzilla: Other b.m.o Issues → General
Product: mozilla.org → bugzilla.mozilla.org