Page MenuHomePhabricator

Early security release access for Lcawte (ShoutWiki)
Open, LowPublic

Description

A list of permissions requested and the reasoning behind your request: Early access to MediaWiki security and bugfix releases.

Wikimedia Foundation employees supporting your request (CCed): @csteipp

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Qgil added a subscriber: Qgil.Jun 1 2015, 7:42 PM

Hi @lcawte, please go to {L2} and sign digitally.

Krenair added a subscriber: Krenair.Jun 1 2015, 7:44 PM
lcawte added a comment.Jun 1 2015, 7:53 PM

Hi @lcawte, please go to {L2} and sign digitally.

Signed.

Qgil triaged this task as Medium priority.Jun 1 2015, 7:54 PM
Krenair added a comment.EditedJun 1 2015, 7:57 PM

@lcawte is fine, but as it seems the intention here is that you'd be patching ShoutWiki a few days before public release, who (if anyone) else would have access to the private patches live on the server? I think they'd need a WMF NDA too while private MediaWiki security patches are there.

Qgil assigned this task to lcawte.Jul 3 2015, 9:58 AM

@lcawte, please reply.

Qgil changed the task status from Open to Stalled.Jul 28 2015, 9:00 AM

Is applying private MediaWiki security patches a use case we want to support?

csteipp added a subscriber: demon.Aug 29 2015, 12:40 AM

Is applying private MediaWiki security patches a use case we want to support?

I think so, but that is something to take up with @demon if you think we should change it.

lcawte added a subscriber: ashley.Oct 15 2015, 7:55 PM

@lcawte is fine, but as it seems the intention here is that you'd be patching ShoutWiki a few days before public release, who (if anyone) else would have access to the private patches live on the server? I think they'd need a WMF NDA too while private MediaWiki security patches are there.

I suppose @ashley could through sudo.

demon added a comment.Oct 15 2015, 8:03 PM

Is applying private MediaWiki security patches a use case we want to support?

I think so, but that is something to take up with @demon if you think we should change it.

I like the idea in principle...

@lcawte is fine, but as it seems the intention here is that you'd be patching ShoutWiki a few days before public release, who (if anyone) else would have access to the private patches live on the server? I think they'd need a WMF NDA too while private MediaWiki security patches are there.

But this ^

Which is why I worry about the next person who asks, and the person after that. While we can ask people to sign the NDA, we can't possibly audit the people who have access to a server it gets deployed on, how secure that server is, etc.

Each person and server who gains early access to a patch increases the chance that it'll leak prior to release.

Isarra added a subscriber: Isarra.Oct 16 2015, 4:13 PM

Out of curiosity, have Wikia's folks all signed NDAs for this? How do you handle larger organisations?

AIUI, Wikia has an organizational NDA with the foundation, so Wikia employees who are doing this as part of their job are covered by that.

AIUI, Wikia has an organizational NDA with the foundation, so Wikia employees who are doing this as part of their job are covered by that.

What would be required for ShoutWiki to do the same?

Adding WMF-Legal to answer @Isarra's question.

Sorry, I dropped this one.

I talked with legal, and we should be able to do that for Shoutwiki. @lcawte, do you know who at Shoutwiki would have signing authority for something like that? You?

lcawte added a subscriber: Cook879.Oct 24 2015, 8:36 AM

Sorry, I dropped this one.

I talked with legal, and we should be able to do that for Shoutwiki. @lcawte, do you know who at Shoutwiki would have signing authority for something like that? You?

I believe it would be the company directors, either me or @Cook879.

How to proceed? In which way / how would that sign-off happen?

Restricted Application added a subscriber: JEumerus. · View Herald TranscriptJan 20 2016, 4:54 PM

That's me. I need to get @lcawte our nda. Let me try and get that for you today.

That's me. I need to get @lcawte our nda. Let me try and get that for you today.

@csteipp: Has that happened?

Qgil removed a subscriber: Qgil.Feb 29 2016, 8:56 AM

I think that was my fault. Just sent it!

ZhouZ moved this task from Backlog to Legal Done on the WMF-Legal board.Apr 14 2016, 12:50 AM

@Aklapper It's on the agenda for the next board meeting, as we never agreed we'd actually sign it as a company.

So we decided in principle that the company is happy to go ahead with this, pending the signing of NDAs to the company by people with access to the server.

lcawte moved this task from Backlog to Admin/Other on the ShoutWiki board.Jul 24 2016, 9:21 PM

Can I assume this is dead or moot at this point (2 years later)?

I think this got shelved from our director's meeting due to more pressing matters and never ended up back on the agenda. Given that I'm the sole director now, I'd sign this if this access is something that's still possible (although I'm guessing the NDA may have been updated since June 2015?)

Dzahn added a subscriber: Dzahn.Oct 4 2018, 9:36 PM

Hi, just trying to get this ticket revived/resolved in some way because it's pending for so long.

Since it was created there is an entirely new security team. So first let me add them to this to get it on the radar again.

Also, let me add Rachel from legal who deals with NDAs usually. (Yes, you are most likely right that it changed since 2015 and also a new system is in use to sign them as opposed to the legalpad in Phabricator).

Then there is the question what it means technically. Are we talking about visibility of tickets in Phabricator and/or receiving email about upcoming security releases?

Then there is the question what it means technically. Are we talking about visibility of tickets in Phabricator and/or receiving email about upcoming security releases?

In the past Wikia, Debian, and Gamepedia (IIRC) would get access to security bugs and their patches a few days before the release itself (e.g. T67778#709961). This practice hasn't happened recently, but our security release process has also kinda been wacky.

@Legoktm Any idea what the non-wacky version of the process is going to look like? Should we care about this or close it?

I think this got shelved from our director's meeting due to more pressing matters and never ended up back on the agenda. Given that I'm the sole director now, I'd sign this if this access is something that's still possible (although I'm guessing the NDA may have been updated since June 2015?)

@lcawte I realize this issue has a long history. I'm sorry this has been such a back and forth without outcome. Over the the last year the security team has been through some changes and their are a couple of us trying to revisit where inherited tasks stand.

tldr; We want to be a useful and effective partner here, and need to define how to grant and remove this access to do it. We have a small working group to meet and define. After which you'll be the first use case. Please ping me directly if this continues to drag on, or if you have questions about status. The next couple weeks are messy because of holidays in the US but I swear this is inflight

chasemp reassigned this task from lcawte to JBennett.Nov 13 2018, 6:35 PM
chasemp added a subscriber: JBennett.

@JBennett I am throwing your way since you'll be the person ...certifying? approving? the workflow here at the end of the WG session(s).

lcawte signed L2 (name on the list) and #acl*release_security_pre_announce exists. What would be the next step? Add lcawte as a member to that group?

Good question. I'll put it on our agenda, but it will probably get discussed next week instead of this bc holiday. Hope things are well @Aklapper and thanks for calling this out :)

lcawte signed L2

Please note signing L2 is not considered enough anymore for volunteer shell access. Legal uses a different system to keep track of NDAs. That is why i added legal back in October 2018.

Dzahn added a comment.Dec 5 2019, 6:19 PM

If you (security-team) want to go through WMF volunteer NDA process, please contact Rachel in Legal, she'll follow-up.

@lcawte hasn't been active in phab for a bit over a year - is this task still needed?

Dzahn added a comment.May 12 2020, 7:34 AM

We are waiting for updates from the security team here. Let's ask them instead of the bug reporter.

sbassett raised the priority of this task from Medium to Needs Triage.May 13 2020, 6:42 PM
sbassett moved this task from In Progress to Incoming on the Security-Team board.
sbassett added a subscriber: sbassett.

We are waiting for updates from the security team here. Let's ask them instead of the bug reporter.

This likely needs a re-triage then as I'm sure it's fallen off our radar at this point. While it would be nice to have some official process in place, if the user this task concerns (@lcawte) has been inactive and/or no longer requires such access, we should probably resolve this task.

We are waiting for updates from the security team here. Let's ask them instead of the bug reporter.

This likely needs a re-triage then as I'm sure it's fallen off our radar at this point. While it would be nice to have some official process in place, if the user this task concerns (@lcawte) has been inactive and/or no longer requires such access, we should probably resolve this task.

Still required. Just don't have a whole load to upstream at this particular point in time.

sbassett moved this task from Incoming to Back Orders on the Security-Team board.Jun 1 2020, 3:21 PM
sbassett added a project: user-sbassett.
sbassett claimed this task.Jun 1 2020, 9:22 PM
sbassett triaged this task as Medium priority.Jun 4 2020, 4:19 PM

Update: keeping this stalled/low for now as the Security-Team is currently working through a new draft policy for this access. We hope to introduce the formal policy/procedures soon.

sbassett moved this task from Backlog to In Progress on the user-sbassett board.
sbassett moved this task from In Progress to Waiting on the user-sbassett board.Aug 31 2020, 9:08 PM

Not to nag but is there any sense of a timetable for this? It's ok if it's a long one, just so we know when to ask for an update again.

@ArielGlenn - There is an internal draft policy (I just gave you access) which I feel is mostly complete save clarification on a couple of the actual technical controls and processes. This needs some push from the Security-Team but I believe it is considered fairly low priority for us at this time.

@sbassett OK, I'll leave a note here to ask again in a month, without any expectation of a change however. Thanks!

sbassett moved this task from Waiting to Postponed on the user-sbassett board.Oct 8 2020, 3:42 PM
mark added a subscriber: mark.Oct 26 2020, 11:11 AM
ema added a subscriber: ema.Oct 26 2020, 12:24 PM

There is an internal draft policy (I just gave you access) which I feel is mostly complete save clarification on a couple of the actual technical controls and processes. This needs some push from the Security-Team but I believe it is considered fairly low priority for us at this time.

Hi @sbassett, any update on this? Checking as part of SRE clinic duty.

@ema - I'll bring it up as a topic at our team meeting on 2020-10-27. Since this would become a new process for the Security-Team to manage, we'd need to work out a few more policy specifics.

Aklapper changed the task status from Stalled to Open.Nov 3 2020, 11:19 AM

Doesn't sound stalled anymore per latest comments hence resetting status.

sbassett lowered the priority of this task from Medium to Low.Nov 3 2020, 3:10 PM

Doesn't sound stalled anymore per latest comments hence resetting status.

That's fine, but it's pretty low-priority for the Security-Team at the moment.

Update: @JBennett and I have been actively discussing this. There are several moving parts and likely some legal issues to be worked out and probably some additional gating/auditing procedures to design, but we're hopeful (without making any promises at this point) that we are getting closer to actual policy and procedures.

sbassett added a subscriber: Reedy.Mon, Nov 16, 3:56 PM

Update: The Security-Team would like to specify a pilot program next quarter (Q3 FY21) for early security release access, limited to a small number of trusted developers and maintainers of certain MediaWiki installations. @Reedy and myself will begin work on a charter with further details and with the intention to launch said program soon thereafter.