I would strongly advise to NOT keep Bugzilla up in the current from longer than needed. Saying "expect years" means "for years the ops team will have to patch it for every security release and version upgrade" even though almost nobody will use it. It already did not get much love when it was the main bugtracker, it will only become worse if it's "old-bugzilla" and has no users, but it would still need support. Already while we speak there is a complicated pending patch that deals with our custom modifications as well. What i would suggest instead:
- keep static HTML of the bug pages. let's run a script that goes through all bug numbers, starting from 1 and simply saves the raw HTML. Then we can keep those static HTML files somewhere for years and nobody would mind. But we could delete the entire application, all the Perl files, anything dynamic and not have to deal with it ever again.
- and/or provide a sanitized database dump to the general public. remove the user table and the security related bugs from a database dump, then put it on dumps.wikimedia.org or something for the community to download. people generally like that when we just release dumps and they are free to work with them
this, combined with the bugzilla.wikimedia.org URLs still working and being handled by phab itself, sounds good to me without having to care about actual BZ application
Attachments should be stored as well -- including obsolete versions. See T78747: Obsolete attachments were not migrated from bugzilla