Security Readiness Review For ChessBrowser extension
Closed, Declined | Public

Description

NOTE: The Security-Team will strive to set an Estimated Start date after submission

Project Information

Description of the tool/project: ChessBrowser is an extension which takes Portable Game Notation and produces an interactive user interface for viewing and navigating the chess game.

Description of how the tool will be used at WMF: The extension would primarily be used on Wikipedias to enhance encyclopedic coverage of chess games such as the Opera Game and the Evergreen Game. The Hebrew and Russian Wikipedias have a JavaScript gadget for this purpose, but the English Wikipedia has not done so for performance reasons. Despite this, multiple discussions on the English Wikipedia have shown a desire for a way to interactively view chess games (most recent discussion, 2016 discussion, village pump archive search).

Dependencies
None

Has this project been reviewed before?
No

Working test environment
I have a test environment set up using mediawiki vagrant. Taking any PGN and placing it between <pgn></pgn> tags will invoke the extension and allow testing. A good test example would be copying https://www.mediawiki.org/wiki/Extension:ChessBrowser/Test_games, which includes multiple games with different special behaviours.

Post-deployment
Wugapodes and DannyS712 will be primarily responsible for the code. Kipod has also contributed to the code base and may be interested in post deployment support.

Event Timeline

Jcross lowered the priority of this task from Low to Lowest.
Jcross moved this task from Incoming to Back Orders on the Application Security Reviews board.

@Wugapodes - thanks for submitting this review. Is the goal in working upon and reviewing this extension to eventually get it into WMF production? If so, does it have any sponsoring WMF team or collective of individuals within Tech or Product? if there isn't a WMF sponsor and target deployment date, the Security-Team will have to triage this task as a lower priority for now. Thank you!

@Jcross Thanks for the triage. That is the goal, yes, however no WMF team is sponsoring this project yet so T244075 has been stalled. You should probably triage this task as lowest priority or stall it (depending on your workflow) until I can talk more with WMF stakeholders. Thanks!

Aklapper changed the visibility from "All Users" to "Public (No Login Required)". Feb 6 2020, 6:21 PM
DannyS712 raised the priority of this task from Lowest to Needs Triage. Mar 8 2020, 10:45 AM

Hey there.

Which member of Wikimedia staff is sponsoring this work?

Wugapodes reached out to me, and I discussed this with other members of Community Tech. I think we'd like to help! I'm not sure what all you need from us, but we can commit some time to code review and assisting with deployment.

Requesting retriage per commitment from community tech

DannyS712 added a subscriber: chasemp.

@chasemp this was moved to "Watching" on secscrum - who should be contacted to conduct the review? Application Security Reviews says that "Workboard is tracked at secscrum."

@DannyS712 - per our SOP under Submission and Timelines, we'll still need some additional information before we can re-triage and schedule this review, namely the target date for deployment (Community-Tech as the deployment sponsors will need to confirm this) and a branch and commit sha signifying the development stopping point for the review, as we cannot review a moving target. If that's just 3515ac6, that's fine - please feel free to add it to the task description.

sbassett changed the task status from Open to Stalled. May 12 2020, 4:48 PM
sbassett triaged this task as Low priority.

Setting to stalled/low for now until we get a better sense of a realistic deployment timeline, confirmed by Community-Tech per above comment.

We are untagging as there is currently no path to production that we are aware of. Should this change, please feel free to tag us back in and we will triage.

This task is a Security Readiness Review request, so this task should be tagged with Application Security Reviews, which makes it possible to find any and all security readiness review requests by looking at tasks tagged with Application Security Reviews.
If this task is not an actionable review request, then please set its task status to "stalled". Once this task becomes actionable, please change back the task status to "open".
Thanks.

That Herald rule makes no sense.

@Jcross, I am volunteering to be the deployment sponsor for this extension for the Beta cluster. I'm not currently a WMF staff member, but I am a code deployer. I have also done an initial review of this extension at T244075#6981581 and believe it poses very low risk.

@ori We will discuss at our next AppSec scrum and provide an update next week. Thanks!

Hey @ori -

Thank you for doing this work, we appreciate your efforts in trying to get this extension to production. Unfortunately, the Security team is unable to assign a risk rating based upon a review not performed by a member of the Security team or an approved vendor.

Current deployment policy states that a formal security review is not a hard blocker for beta deployment, but we would ask that a sponsoring team and/or manager at the Foundation be willing to accept at least a medium risk for the deployment of the ChessBrowser extension at this time. Please note that while the Security team would like to accommodate this review request, we likely cannot accept it for this quarter (ending July 1st, 2021) and it would remain a lower priority given our current security review SOP prioritization framework.

Please let us know if there is a sponsoring team and/or manager willing to accept at least a medium risk for deployment of this extension. Once we hear from you we will move ChessBrowser forward with our regular scheduling and prioritization process. Thank you!

@Jcross, thank you for taking up and considering this request — I appreciate it. I think we can ask around for a team to sponsor this project, but I want to make sure I understand what exactly we'd be asking for. What, practically speaking, does it mean for a team/manager to "accept at least a medium risk for deployment of this extension"?

If there's no hard-and-fast definition, here's what I propose:

The team and/or manager agree to:

  • Code-review wmf-config changes that enable the extension or alter its configuration.
  • Be on-hand for troubleshooting during the actual deployment to Beta.
  • If severe bugs are discovered, ensure that the extension is disabled.

I am deliberately leaving out any mention of the sponsoring team being on the hook to actually fix bugs, since I think that isn't necessary and would kill any chance of us finding a sponsor. I think I and the extension's authors can address bugs. If severe defects are discovered and we're unresponsive, the sponsor would simply disable the extension.

Finally, the permission to go ahead with enabling this extension (if granted) would be understood to apply only to the Beta cluster and does not extend to prod wikis.

How does that sound?

Thanks, @ori . These assumptions sound correct to us and make a beta deployment for this extension low risk. While the Security Team is not in the business of giving thumbs up/thumbs down approvals, low risk is automatically accepted by the Foundation thus unblocking beta deployment. I hope this is helpful and helps you to move forward with the project.

It's now sounding like maybe you don't need a sponsoring team for beta deployment, but at any rate we at Community-Tech have discussed this project again and are happy to help see it through production, including listing us as the code steward if necessary. Some of us have done a cursory code review and also believe it to be low-risk. Let us know if/when you need anything. @dmaza is our interim engineering manager (and fellow chess player!) if you need manager endorsement.

sbassett closed this task as Resolved. (Edited) Apr 27 2021, 3:59 PM
sbassett claimed this task.
sbassett moved this task from Back Orders to Our Part Is Done on the secscrum board.

No, the Security-Team would definitely still prefer a sponsoring WMF team, to be accountable for deployment, maintenance and security issues, should any arise. And to own and accept any risk, since it's likely impossible to have volunteers and community members do that. I've gone ahead and added @dmaza and Community-Tech as the acceptors of a default medium risk for the beta-deployment of the ChessBrowser extension. Should this extension eventually find a path to wikimedia production, we would want to re-open this task and schedule a proper security readiness review.

sbassett changed the task status from Resolved to Declined. Apr 27 2021, 5:52 PM

@sbassett: currently, the beta deployment task, T244075, depends on this task.
IIUC, there is a kind of agreement that the extension can be deployed to test wiki, maybe under some conditions.
Can you please update the beta task, and clarify if it can progress despite declining this task, and if so, what needs to be done?
Maybe it's clear to everyone but me...
Peace.

Hey @Kipod - per the latest deployment doc (specifically item 4), while security readiness reviews are recommended for beta deployment, they aren't necessarily a hard blocker as they would be for production deployment. The Security-Team cannot always accommodate every review request (and the desired completion date) we receive, but as long as someone is willing to accept a default risk rating (in this case, Community-Tech) then beta deployment can proceed.