
Early security release access for Lcawte (ShoutWiki)
Open, Low, Public

Description

A list of permissions requested and the reasoning behind your request: Early access to MediaWiki security and bugfix releases.

Wikimedia Foundation employees supporting your request (CCed): @csteipp

Event Timeline


Is applying private MediaWiki security patches a use case we want to support?

I think so, but that is something to take up with @demon if you think we should change it.

@lcawte is fine, but as it seems the intention here is that you'd be patching ShoutWiki a few days before public release, who (if anyone) else would have access to the private patches live on the server? I think they'd need a WMF NDA too while private MediaWiki security patches are there.

I suppose @ashley could through sudo.

> Is applying private MediaWiki security patches a use case we want to support?
>
> I think so, but that is something to take up with @demon if you think we should change it.

I like the idea in principle...

> @lcawte is fine, but as it seems the intention here is that you'd be patching ShoutWiki a few days before public release, who (if anyone) else would have access to the private patches live on the server? I think they'd need a WMF NDA too while private MediaWiki security patches are there.

But this ^

Which is why I worry about the next person who asks, and the person after that. While we can ask people to sign the NDA, we can't possibly audit the people who have access to a server it gets deployed on, how secure that server is, etc.

Each person and server who gains early access to a patch increases the chance that it'll leak prior to release.

Out of curiosity, have Wikia's folks all signed NDAs for this? How do you handle larger organisations?

AIUI, Wikia has an organizational NDA with the foundation, so Wikia employees who are doing this as part of their job are covered by that.


What would be required for ShoutWiki to do the same?

Sorry, I dropped this one.

I talked with legal, and we should be able to do that for Shoutwiki. @lcawte, do you know who at Shoutwiki would have signing authority for something like that? You?


I believe it would be the company directors, either me or @Cook879.

How to proceed? In which way / how would that sign-off happen?

That's me. I need to get @lcawte our nda. Let me try and get that for you today.


@csteipp: Has that happened?

I think that was my fault. Just sent it!

@Aklapper It's on the agenda for the next board meeting, as we never agreed we'd actually sign it as a company.

So we decided in principle that the company is happy to go ahead with this, pending the signing of NDAs to the company by people with access to the server.

Can I assume this is dead or moot at this point (2 years later)?

I think this got shelved from our director's meeting due to more pressing matters and never ended up back on the agenda. Given that I'm the sole director now, I'd sign this if this access is something that's still possible (although I'm guessing the NDA may have been updated since June 2015?)

Hi, just trying to get this ticket revived/resolved in some way because it's pending for so long.

Since it was created there is an entirely new security team. So first let me add them to this to get it on the radar again.

Also, let me add Rachel from legal who deals with NDAs usually. (Yes, you are most likely right that it changed since 2015 and also a new system is in use to sign them as opposed to the legalpad in Phabricator).

Then there is the question what it means technically. Are we talking about visibility of tickets in Phabricator and/or receiving email about upcoming security releases?


In the past Wikia, Debian, and Gamepedia (IIRC) would get access to security bugs and their patches a few days before the release itself (e.g. T67778#709961). This practice hasn't happened recently, but our security release process has also kinda been wacky.

@Legoktm Any idea what the non-wacky version of the process is going to look like? Should we care about this or close it?


@lcawte I realize this issue has a long history. I'm sorry this has been such a back and forth without outcome. Over the last year the security team has been through some changes and there are a couple of us trying to revisit where inherited tasks stand.

tl;dr: We want to be a useful and effective partner here, and need to define how to grant and remove this access to do it. We have a small working group to meet and define. After which you'll be the first use case. Please ping me directly if this continues to drag on, or if you have questions about status. The next couple of weeks are messy because of holidays in the US but I swear this is in flight.

chasemp added a subscriber: JBennett.

@JBennett I am throwing your way since you'll be the person ...certifying? approving? the workflow here at the end of the WG session(s).

lcawte signed L2 (name on the list) and #acl*release_security_pre_announce exists. What would be the next step? Add lcawte as a member to that group?

Good question. I'll put it on our agenda, but it will probably get discussed next week instead of this bc holiday. Hope things are well @Aklapper and thanks for calling this out :)

lcawte signed L2

Please note signing L2 is not considered enough anymore for volunteer shell access. Legal uses a different system to keep track of NDAs. That is why I added legal back in October 2018.

If you (security-team) want to go through WMF volunteer NDA process, please contact Rachel in Legal, she'll follow-up.

@lcawte hasn't been active in phab for a bit over a year - is this task still needed?

We are waiting for updates from the security team here. Let's ask them instead of the bug reporter.

sbassett raised the priority of this task from Medium to Needs Triage. May 13 2020, 6:42 PM
sbassett moved this task from In Progress to Incoming on the Security-Team board.
sbassett added a subscriber: sbassett.


This likely needs a re-triage then as I'm sure it's fallen off our radar at this point. While it would be nice to have some official process in place, if the user this task concerns (@lcawte) has been inactive and/or no longer requires such access, we should probably resolve this task.


Still required. Just don't have a whole load to upstream at this particular point in time.

sbassett triaged this task as Medium priority. Jun 4 2020, 4:19 PM

Update: keeping this stalled/low for now as the Security-Team is currently working through a new draft policy for this access. We hope to introduce the formal policy/procedures soon.

Not to nag but is there any sense of a timetable for this? It's ok if it's a long one, just so we know when to ask for an update again.

@ArielGlenn - There is an internal draft policy (I just gave you access) which I feel is mostly complete save clarification on a couple of the actual technical controls and processes. This needs some push from the Security-Team but I believe it is considered fairly low priority for us at this time.

@sbassett OK, I'll leave a note here to ask again in a month, without any expectation of a change however. Thanks!


Hi @sbassett, any update on this? Checking as part of SRE clinic duty.

@ema - I'll bring it up as a topic at our team meeting on 2020-10-27. Since this would become a new process for the Security-Team to manage, we'd need to work out a few more policy specifics.

Aklapper changed the task status from Stalled to Open. Nov 3 2020, 11:19 AM

Doesn't sound stalled anymore per latest comments hence resetting status.

sbassett lowered the priority of this task from Medium to Low. Nov 3 2020, 3:10 PM


That's fine, but it's pretty low-priority for the Security-Team at the moment.

Update: @JBennett and I have been actively discussing this. There are several moving parts and likely some legal issues to be worked out and probably some additional gating/auditing procedures to design, but we're hopeful (without making any promises at this point) that we are getting closer to actual policy and procedures.

Update: The Security-Team would like to specify a pilot program next quarter (Q3 FY21) for early security release access, limited to a small number of trusted developers and maintainers of certain MediaWiki installations. @Reedy and myself will begin work on a charter with further details and with the intention to launch said program soon thereafter.

Update: unfortunately, it looks like the pilot program mentioned above likely will not happen until Q4 2021.

Just for clarification, that means Oct-Dec 2021?


No, Apr - Jun 2021. At least that is how I understand the quarters to be defined within Betterworks, based upon WMF's fiscal year start date of July 1st.

Thanks a lot for the clarification! (I asked for clarification as most folks here won't know "Betterworks" or when some company's "FY" is meant or maybe not.)