Page MenuHomePhabricator

Early security release access for Lcawte (ShoutWiki)
Open, Stalled, NormalPublic

Description

A list of permissions requested and the reasoning behind your request: Early access to MediaWiki security and bugfix releases.

Wikimedia Foundation employees supporting your request (CCed): @csteipp

Event Timeline

lcawte created this task.Jun 1 2015, 7:04 PM
lcawte raised the priority of this task from to Needs Triage.
lcawte updated the task description. (Show Details)
lcawte added a project: WMF-NDA-Requests.
lcawte added subscribers: lcawte, csteipp.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 1 2015, 7:04 PM

I support ShoutWiki getting early access!

Qgil added a subscriber: Qgil.Jun 1 2015, 7:42 PM

Hi @lcawte, please go to {L2} and sign digitally.

Krenair added a subscriber: Krenair.Jun 1 2015, 7:44 PM
lcawte added a comment.Jun 1 2015, 7:53 PM

Hi @lcawte, please go to {L2} and sign digitally.

Signed.

Qgil triaged this task as Normal priority.Jun 1 2015, 7:54 PM
Krenair added a comment.EditedJun 1 2015, 7:57 PM

@lcawte is fine, but as it seems the intention here is that you'd be patching ShoutWiki a few days before public release, who (if anyone) else would have access to the private patches live on the server? I think they'd need a WMF NDA too while private MediaWiki security patches are there.

Qgil assigned this task to lcawte.Jul 3 2015, 9:58 AM

@lcawte, please reply.

Qgil changed the task status from Open to Stalled.Jul 28 2015, 9:00 AM

Is applying private MediaWiki security patches a use case we want to support?

csteipp added a subscriber: demon.Aug 29 2015, 12:40 AM

Is applying private MediaWiki security patches a use case we want to support?

I think so, but that is something to take up with @demon if you think we should change it.

lcawte added a subscriber: ashley.Oct 15 2015, 7:55 PM

@lcawte is fine, but as it seems the intention here is that you'd be patching ShoutWiki a few days before public release, who (if anyone) else would have access to the private patches live on the server? I think they'd need a WMF NDA too while private MediaWiki security patches are there.

I suppose @ashley could through sudo.

demon added a comment.Oct 15 2015, 8:03 PM

Is applying private MediaWiki security patches a use case we want to support?

I think so, but that is something to take up with @demon if you think we should change it.

I like the idea in principle...

@lcawte is fine, but as it seems the intention here is that you'd be patching ShoutWiki a few days before public release, who (if anyone) else would have access to the private patches live on the server? I think they'd need a WMF NDA too while private MediaWiki security patches are there.

But this ^

Which is why I worry about the next person who asks, and the person after that. While we can ask people to sign the NDA, we can't possibly audit the people who have access to a server it gets deployed on, how secure that server is, etc.

Each person and server who gains early access to a patch increases the chance that it'll leak prior to release.

Isarra added a subscriber: Isarra.Oct 16 2015, 4:13 PM

Out of curiosity, have Wikia's folks all signed NDAs for this? How do you handle larger organisations?

AIUI, Wikia has an organizational NDA with the foundation, so Wikia employees who are doing this as part of their job are covered by that.

AIUI, Wikia has an organizational NDA with the foundation, so Wikia employees who are doing this as part of their job are covered by that.

What would be required for ShoutWiki to do the same?

Adding WMF-Legal to answer @Isarra's question.

Sorry, I dropped this one.

I talked with legal, and we should be able to do that for Shoutwiki. @lcawte, do you know who at Shoutwiki would have signing authority for something like that? You?

lcawte added a subscriber: Cook879.Oct 24 2015, 8:36 AM

Sorry, I dropped this one.
I talked with legal, and we should be able to do that for Shoutwiki. @lcawte, do you know who at Shoutwiki would have signing authority for something like that? You?

I believe it would be the company directors, either me or @Cook879.

How to proceed? In which way / how would that sign-off happen?

Restricted Application added a subscriber: JEumerus. · View Herald TranscriptJan 20 2016, 4:54 PM

That's me. I need to get @lcawte our nda. Let me try and get that for you today.

That's me. I need to get @lcawte our nda. Let me try and get that for you today.

@csteipp: Has that happened?

Qgil removed a subscriber: Qgil.Feb 29 2016, 8:56 AM

I think that was my fault. Just sent it!

ZhouZ moved this task from Backlog to Legal Done on the WMF-Legal board.Apr 14 2016, 12:50 AM

@Aklapper It's on the agenda for the next board meeting, as we never agreed we'd actually sign it as a company.

So we decided in principle that the company is happy to go ahead with this, pending the signing of NDAs to the company by people with access to the server.

lcawte moved this task from Backlog to Admin/Other on the ShoutWiki board.Jul 24 2016, 9:21 PM

Can I assume this is dead or moot at this point (2 years later)?

I think this got shelved from our director's meeting due to more pressing matters and never ended up back on the agenda. Given that I'm the sole director now, I'd sign this if this access is something that's still possible (although I'm guessing the NDA may have been updated since June 2015?)

Dzahn added a subscriber: Dzahn.Oct 4 2018, 9:36 PM

Hi, just trying to get this ticket revived/resolved in some way because it's pending for so long.

Since it was created there is an entirely new security team. So first let me add them to this to get it on the radar again.

Also, let me add Rachel from legal who deals with NDAs usually. (Yes, you are most likely right that it changed since 2015 and also a new system is in use to sign them as opposed to the legalpad in Phabricator).

Then there is the question what it means technically. Are we talking about visibility of tickets in Phabricator and/or receiving email about upcoming security releases?

Then there is the question what it means technically. Are we talking about visibility of tickets in Phabricator and/or receiving email about upcoming security releases?

In the past Wikia, Debian, and Gamepedia (IIRC) would get access to security bugs and their patches a few days before the release itself (e.g. T67778#709961). This practice hasn't happened recently, but our security release process has also kinda been wacky.

@Legoktm Any idea what the non-wacky version of the process is going to look like? Should we care about this or close it?

I think this got shelved from our director's meeting due to more pressing matters and never ended up back on the agenda. Given that I'm the sole director now, I'd sign this if this access is something that's still possible (although I'm guessing the NDA may have been updated since June 2015?)

@lcawte I realize this issue has a long history. I'm sorry this has been such a back and forth without outcome. Over the the last year the security team has been through some changes and their are a couple of us trying to revisit where inherited tasks stand.

tldr; We want to be a useful and effective partner here, and need to define how to grant and remove this access to do it. We have a small working group to meet and define. After which you'll be the first use case. Please ping me directly if this continues to drag on, or if you have questions about status. The next couple weeks are messy because of holidays in the US but I swear this is inflight

chasemp reassigned this task from lcawte to JBennett.Nov 13 2018, 6:35 PM
chasemp added a subscriber: JBennett.

@JBennett I am throwing your way since you'll be the person ...certifying? approving? the workflow here at the end of the WG session(s).