
Bundle Extension:TemplateStyles with MediaWiki core
Open, Medium, Public, Feature

Description

Necessary for any wiki that wants to copy templates from Wikipedia and many other WMF wikis (and increasingly, from third-party wikis as well).

Checklist:

  • Passed discussion or already Wikimedia deployed
  • Passed security review or already Wikimedia deployed
  • Voting CI structure tests
  • Runs MediaWiki-CodeSniffer
  • Runs phan
  • Supports MySQL, SQLite, and Postgres (if there are schema changes)
  • GPL v2 or later compatible license
  • Extension's default configuration provides optimal experience
  • Tested with web installer
  • Any relevant dependencies also bundled

Event Timeline

@Reedy I don't think there are any relevant dependencies.

css-sanitizer

The item in the checklist is vague. Yes, it’s already in master, but it’s not currently included in release branches.

css-sanitizer is a Composer dependency. I thought those get packaged automatically in the bundle?

> css-sanitizer is a Composer dependency. I thought those get packaged automatically in the bundle?

Automatically, as far as what is in the vendor branch (submoduled into the REL1_XX branch) is included. And the REL1_XX branch of vendor is made by (manually, because the tracking of dependencies is hard) trimming the master branch.

Like I say, "Any relevant dependencies also bundled" is vague... It could cover dependent skins/extensions, composer libraries etc.

Bundled would suggest currently included etc. Whereas it's not currently, so it is not currently bundled. It can be (trivially) bundled in future.

I know, it's semantics.

Why aren't we just using composer install? There's a security disadvantage in theory, but the moment you install any other extension you'll get vendor code generated by Composer anyway...

In any case, what's the actionable part? The trimming will only happen when REL1_40 is cut, right? Should a notice be added somewhere about css-sanitizer now being a bundle dependency?

> (manually, because the tracking of dependencies is hard)

I tried to add more formal tracking at one point but it didn't garner much interest.

> Why aren't we just using composer install? There's a security disadvantage in theory, but the moment you install any other extension you'll get vendor code generated by Composer anyway...

We'd have to set up/use composer merge plugin for that to work. As it'd need to know about the core + any skin/extension dependencies...

But then we also lose the pinning of individual packages like we do. As in the composer.json in MW Core, we don't pin every individual and dependent package like we (or at least try to) do in Vendor.

> In any case, what's the actionable part? The trimming will only happen when REL1_40 is cut, right? Should a notice be added somewhere about css-sanitizer now being a bundle dependency?

It's part of the bigger issue (as below). It's not uncommon we miss (or leave something extra) in vendor when we do the manual trimming.

> > (manually, because the tracking of dependencies is hard)

> I tried to add more formal tracking at one point but it didn't garner much interest.

I know :). But just pointing out (for others watching too) how awkward this kinda gets.

Yes, this is all very rough around the edges.

And like I say, what "Any relevant dependencies also bundled" actually means is vague at best.
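
The thread notes that manual trimming of the vendor branch can miss a package or leave an extra one behind. A sketch of an automated check for that, added here as an illustration and not code from the MediaWiki project or from anyone in this discussion. The manifest contents, the `example/*` package names and all version numbers are constructed, and the lock file is assumed to follow the standard `composer.lock` layout.

```python
import json

# Constructed sample data (not real MediaWiki manifests): the "require" sections
# of core and of each bundled extension, and the composer.lock of a vendor branch.
MANIFESTS = {
    "core": {"php": ">=7.4.3", "ext-json": "*", "example/http-lib": "2.1.0"},
    "TemplateStyles": {"wikimedia/css-sanitizer": "1.0.0"},
}
VENDOR_LOCK = json.loads("""{"packages": [
  {"name": "example/http-lib", "version": "2.1.0", "require": {"example/uri": "^1.0"}},
  {"name": "example/uri", "version": "1.4.2", "require": {"php": ">=7.2"}},
  {"name": "example/old-parser", "version": "0.9.0"}
]}""")


def is_platform(name):
    # Platform requirements (php, ext-*, lib-*, composer-*-api) have no vendor/
    # prefix and are never shipped in vendor, so they are skipped.
    return "/" not in name


def audit_vendor(manifests, lock):
    """Return (missing, extra): packages the bundle needs that the lock lacks,
    and locked packages that nothing in the bundle reaches.
    Simplification: "replace"/"provide" entries are not considered."""
    locked = {p["name"]: p for p in lock.get("packages", [])}
    todo = [n for req in manifests.values() for n in req if not is_platform(n)]
    reached, missing = set(), set()
    while todo:  # follow transitive requirements through the lock file
        name = todo.pop()
        if name in reached or name in missing:
            continue
        if name not in locked:
            missing.add(name)
            continue
        reached.add(name)
        todo += [n for n in locked[name].get("require", {}) if not is_platform(n)]
    return sorted(missing), sorted(set(locked) - reached)


if __name__ == "__main__":
    missing, extra = audit_vendor(MANIFESTS, VENDOR_LOCK)
    print("missing from vendor:", missing)
    print("left over in vendor:", extra)
```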