Page MenuHomePhabricator
Create Task
Maniphest T180615

https://www.mediawiki.org/keys/keys.html contains keys of people no longer doing releases.
Closed, ResolvedPublic
Actions

Description

https://www.mediawiki.org/keys/keys.html contains keys for csteipp, hexmode and markus glasser despite the fact that these people are no longer doing releases.

We should maybe indicate on the page that these keys are for verifying historical releases only, and that these people no longer do mediawiki releases.

It was also suggested on #mediawiki_security that maybe instead of using individual personal keys, we should have a mediawiki release key not tied to a specific person, perhaps using some sort of secret splitting scheme.

Details

SubjectRepoBranchLines +/-
keys: Note that Chris, Mark and Markus are no longer releasing new versionsoperations/mediawiki-configmaster+116 -116
Customize query in gerrit

Related Objects
Search...

Event Timeline

Bawolff created this task.Nov 15 2017, 5:42 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 15 2017, 5:42 PM
Legoktm subscribed.Nov 15 2017, 6:14 PM

The older keys should also be removed from https://www.mediawiki.org/keys/keys.txt

Legoktm added a comment.Nov 15 2017, 6:55 PM

It was also suggested on #mediawik_security that maybe instead of using individual personal keys, we should have a mediawiki release key not tied to a specific person, perhaps using some sort of secret splitting scheme.

There already exists a key for releases.wm.o use in the debian repo: https://wikitech.wikimedia.org/wiki/Releases.wikimedia.org#GPG_operations - I'm not sure if that can be re-used or is suitable for this purpose. But maybe that could be a separate, public task? Updating keys.html/keys.txt should be a quick thing to do.

Legoktm added a comment.Nov 20 2017, 12:12 AM

Is it OK if I put up a patch in public for this?

Bawolff added a comment.Nov 20 2017, 4:24 AM

Yeah. Theres no reason for this to be secret.

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".Nov 20 2017, 4:25 AM
gerritbot subscribed.Nov 20 2017, 7:23 PM

Change 392462 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[operations/mediawiki-config@master] keys: Note that Chris, Mark and Markus are no longer releasing new versions

https://gerrit.wikimedia.org/r/392462

gerritbot added a project: Patch-For-Review.Nov 20 2017, 7:23 PM
Legoktm claimed this task.Nov 20 2017, 7:27 PM

@Bawolff Also, what should we do about expired keys? Tim has two keys listed, and both are already expired. Should we just replace it with his new key (what he would use if he had to make a release in the future)?

Legoktm added a parent task: T181017: Cleanup https://www.mediawiki.org/keys/keys.html and related.Nov 21 2017, 1:24 AM
Legoktm mentioned this in T181019: Consider using a single MediaWiki releases key instead of individual keys .Nov 21 2017, 1:33 AM

I filed T181019: Consider using a single MediaWiki releases key instead of individual keys for using a release key.

dpatrick updated the task description. (Show Details)Nov 22 2017, 6:01 PM
dpatrick triaged this task as High priority.Nov 22 2017, 6:16 PM
gerritbot added a comment.Nov 23 2017, 1:00 AM

Change 392462 merged by Chad:
[operations/mediawiki-config@master] keys: Note that Chris, Mark and Markus are no longer releasing new versions

https://gerrit.wikimedia.org/r/392462

Legoktm closed this task as Resolved.Nov 23 2017, 6:27 AM
chasemp added a project: Security.Feb 10 2020, 10:55 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:15 PM
Aklapper renamed this task from https://www.mediawiki.org/keys/keys.html contains keys if people no longer doing releases. to https://www.mediawiki.org/keys/keys.html contains keys of people no longer doing releases..May 22 2020, 1:03 PM
Aklapper added a project: MediaWiki-Releasing.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL