Page MenuHomePhabricator
Create Task
Maniphest T156757

Add examples of the three security review processes
Closed, InvalidPublic
Actions

Description

Problem

Wikimedia Security Team/Security reviews lists three separate processes which are either recommended or required in order to get an extension deployed on Wikimedia servers.

For non-WMF developers it can be unclear what is needed for each review step and how the Security team expects the information to be presented.

Who would benefit

  • Anyone unfamiliar with the current review practices, likely meaning extension developers outside of the WMF.
  • The security team: Clearer expectations/instructions should hopefully help streamline new external review requests.

Proposed solution

Identify one or a few good real-life examples for each process (or at least the latter two) to promote as case studies.

Event Timeline

Lokal_Profil created this task.Jan 31 2017, 9:15 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 31 2017, 9:15 AM
Lokal_Profil updated the task description. (Show Details)Jan 31 2017, 9:17 AM
Aklapper added a project: Security-Team.Jan 31 2017, 11:19 AM

(For the records, the entire process to get an extension deployed is at https://www.mediawiki.org/wiki/Review_queue as it's more than just Security.)

RHeigl awarded a token.Jan 31 2017, 4:19 PM
Bawolff subscribed.Jan 31 2017, 7:32 PM

Can you be more specific about what you find confusing? The instructions state clearly that only the last one is required (in practise most projects only do the last one. I guess things have to be required to actually happen...)

Anyways, the first two are meant to be somewhat informal meetings where we just check you are on the right track. The concept review would be just to make sure your concept is sane. For example, if your proposal is to allow raw javascript on all pages, we would like to veto that right at the beginning. The design review is meant as a quick check-in to make sure your implementation plan is sane and to be able to make any suggestions. Its always best if we can give feedback early in the process.

The review for deployment is the formal review. Your extension should be done at this point, and we check it carefully. For examples of this look at the done column of Application Security Reviews as well as tasks with that tag that are resolved fixed.

)

Bawolff added a comment.Jan 31 2017, 8:27 PM

I've attempted to flesh out the docs on wiki. Does that clarify things? Or are they still confusing?

srishakatux moved this task from To Be Triaged to On Hold on the Developer-Wishlist (2017) board.Feb 2 2017, 3:34 AM
Tgr subscribed.Feb 3 2017, 8:42 AM

@Lokal_Profil can this be resolved or is there something you are still missing from the documentation?

Qgil subscribed.Feb 3 2017, 4:03 PM

In case of doubt I would add this request to Developer-Wishlist (2017). The "worst" case scenario would be that the task is solved by the time it is voted. Not a bad problem to have. :)

srishakatux added a project: Documentation.Feb 3 2017, 11:12 PM
srishakatux moved this task from On Hold to Documentation on the Developer-Wishlist (2017) board.
srishakatux subscribed.Feb 3 2017, 11:34 PM

This project is selected for the Developer-Wishlist voting round and will be added to a MediaWiki page very soon. To the subscribers, or proposer of this task: please help modify the task description: add a brief summary (10-12 lines) of the problem that this proposal raises, topics discussed in the comments, and a proposed solution (if there is any yet). Remember to add a header with a title "Description," to your content. Please do so before February 5th, 12:00 pm UTC.

Platonides subscribed.Feb 6 2017, 10:43 PM
Lokal_Profil added a comment.Feb 8 2017, 2:00 PM

Thanks for the examples on the security review part. For me these are enough for that section.

The "Design review" section could still benefit from a few examples especially since it seems to normally consist of a more informal in-house meeting (or that is the outside impression at least). As such it is harder for someone outside of the WMF to figure out which documents they need to have prepared before etc. And examples bring this across better than just terminology.

Bawolff added a comment.Feb 8 2017, 2:56 PM

To be honest, I think the "security design review" is more wishful thinking then actual practice. I don't think most projects actually undergo it.

If you're doing something relatively different from the average mediawiki extension, having a document saying this is what we want to do, and this is in broad strokes how we're going to implement it, would probably be useful. From your perspective, you probably want to tell us enough details so that if there is something to object to, we can object before you spend time doing it, not after. [I know that's not terribly helpful...]

Qgil unsubscribed.Feb 15 2017, 2:59 PM
Quiddity subscribed.Jul 3 2018, 6:23 PM
srodlund moved this task from Backlog to Process and Planning Documentation on the Documentation board.Aug 17 2018, 10:55 PM
chasemp edited projects, added Security-team-backlog; removed Security-Team.Sep 4 2018, 4:07 PM
chasemp edited projects, added Security-Team; removed Security-team-backlog.Dec 23 2019, 5:12 PM
chasemp moved this task from Incoming to Back Orders on the Security-Team board.
chasemp triaged this task as Medium priority.Dec 23 2019, 5:19 PM
chasemp added a project: Application Security Reviews.Jan 7 2020, 3:47 PM
chasemp moved this task from Back Orders to Watching on the Security-Team board.
chasemp moved this task from Incoming to Back Orders on the Application Security Reviews board.
sbassett closed this task as Invalid.Jan 9 2020, 3:21 PM
sbassett moved this task from Back Orders to Our Part Is Done on the Application Security Reviews board.
sbassett subscribed.

I'm going to close this task as invalid for now, since the above discussions were related to a completely different set of security review policies which were superseded by a new SOP in February of 2019. The current SOP has continued to evolve and will likely evolve further as the Security-Team is in the process of revamping some of our intakes and workflows, which should hopefully wrap up Q3 of FY 2020. If there are still concerns over the current SOP, I would invite folks to first contribute their concerns on its talk page to keep pre-actionable discussion in a single, logical place.

sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.Jan 9 2020, 3:22 PM
chasemp added a project: secscrum.Mar 10 2020, 8:11 PM
chasemp moved this task from Incoming to Our Part Is Done on the secscrum board.Mar 10 2020, 8:19 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits