
Security review of Research landing page
Closed, Resolved · Public

Description

Project Information

Description of the tool/project

Home page for the Research department. It will be hosted at research.wikimedia.org

Description of how the tool will be used at WMF

The project will serve as the home page of the Research Team and the things we're working on.

Dependencies

None

Has this project been reviewed before?

No, but it's a clone of the Wikimedia Style Guide.

Working test environment

https://wikimedia-research.github.io/landing-page/index.html

Post-deployment

Research will be responsible for maintaining the project.

Event Timeline

bmansurov created this task.

@dpatrick, anything I can do to get the security review started?

@bmansurov the security team is still thin post-holiday, perhaps @Reedy can take a look?

As an aside, the concerns at T181115 also apply here (not sure how much we care about that)

@EBjune thanks for bringing more attention to the task.

@Bawolff thanks for linking to T181115. Our goal is to host the site at research.wikimedia.org so hopefully concerns raised there won't apply to this task. Here's a related task: T179871.

If this is going to be hosted on *.wikimedia.org, why is the code not in Gerrit? At the very least it seems like it should be in the "wikimedia" Github organization.

> If this is going to be hosted on *.wikimedia.org, why is the code not in Gerrit? At the very least it seems like it should be in the "wikimedia" Github organization.

The code has been ported to gerrit. I'll update the description.

Is this definitely ready to go? Else some other commits outstanding?

A commit that says "The site isn't ready yet" and blanking a load of files doesn't give me very much confidence...

				<li><a href="https://github.com/wikimedia-research/landing-page">Source code</a></li>

Not major, but those links should be updated, it should at least link to https://github.com/wikimedia/research-landing-page (if not gerrit itself... But the gerrit repo viewer is hardly the best)

And https://github.com/wikimedia-research/landing-page is now an out of date "fork"...

JS libraries seem to be up to date (at least with current releases)

Just wondering what exactly you're wanting reviewing...?

-rw-r--r--   1 reedy  staff      0  9 Jan 14:24 acknowledgments.html
-rw-r--r--   1 reedy  staff      0  9 Jan 14:24 collaborators.html
-rw-r--r--   1 reedy  staff      0  9 Jan 14:24 community-health.html
-rw-r--r--   1 reedy  staff      0  9 Jan 14:24 contact.html
-rw-r--r--   1 reedy  staff      0  9 Jan 14:24 events.html
-rw-r--r--   1 reedy  staff      0  9 Jan 14:24 increasing-diversity.html
-rw-r--r--   1 reedy  staff      0  9 Jan 14:24 index.html
-rw-r--r--   1 reedy  staff      0  9 Jan 14:24 knowledge-gaps.html
-rw-r--r--   1 reedy  staff      0  9 Jan 14:24 news.html
-rw-r--r--   1 reedy  staff      0  9 Jan 14:24 projects.html
-rw-r--r--   1 reedy  staff      0  9 Jan 14:24 publications.html
-rw-r--r--   1 reedy  staff      0  9 Jan 14:24 recommender-system-ux.html
-rw-r--r--   1 reedy  staff      0  9 Jan 14:24 scoring-platform.html
-rw-r--r--   1 reedy  staff      0  9 Jan 14:24 structured-multimedia-data.html
-rw-r--r--   1 reedy  staff      0  9 Jan 14:24 team.html
-rw-r--r--   1 reedy  staff      0  9 Jan 14:24 why-we-read-wikipedia.html

I only see structured-citations.html with any actual content...

> Is this definitely ready to go? Else some other commits outstanding?
>
> A commit that says "The site isn't ready yet" and blanking a load of files doesn't give me very much confidence...

Only wording of some content will change. The latest code lives at https://github.com/wikimedia/research-landing-page and that will be ported over before deployment. The commit you're referring to was introduced because we accidentally pushed the site live and had to clear out the pages before DNS changes kicked in.

> Just wondering what exactly you're wanting reviewing...?

Please review https://github.com/wikimedia/research-landing-page as the gerrit repo is out of sync now.

EDIT: I've also updated the Gerrit repository with the changes from Github.

EDIT:

> Just wondering what exactly you're wanting reviewing...?

As you know, we want to host the code in a production server, so a clearance from the Security team is what I'm after.

> Please review https://github.com/wikimedia/research-landing-page as the gerrit repo is out of sync now.

How does this get out of sync? Gerrit should replicate to that repo?

> > Please review https://github.com/wikimedia/research-landing-page as the gerrit repo is out of sync now.
>
> How does this get out of sync? Gerrit should replicate to that repo?

My bad, I meant https://github.com/wikimedia-research/landing-page and not https://github.com/wikimedia/research-landing-page.

Ok, just wanted to make sure :)

@Reedy I was wondering about the ETA on this. Would it be possible to get the review done by the weekend? We'd like to announce the new site at the developer summit.

This is still out of date

<li><a href="https://github.com/wikimedia-research/landing-page">Source code</a></li>

And why are we making merge/squash commits, rather than just pushing the commits from one remote to another? And further still, why are we still developing on the other github repo?

I notice a few email addresses, like on contact... Shouldn't these be made mailto: links?

I don't have any security concerns. You're not loading any third party external resources. The libraries you're using seem to be up to date (and as such, seemingly no known/fixed released security issues).

And then presumably T181115 becomes a non-issue when this is actually hosted onsite too?
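One way to mechanise the "not loading any third party external resources" check from the comment above, as an added example that is not part of this task or of the landing-page repository: a stdlib-only Python scanner that walks the sub-resource attributes of a static HTML page (script, stylesheet, image, frame and media URLs) and reports any that resolve to a host outside a first-party allow-list. The allow-list (`wikimedia.org` and its subdomains) and the sample page are constructed assumptions, not content from the repository; `<a href>` targets are deliberately ignored, since a plain link is navigation, not a resource the browser fetches on page load.

```python
"""Report sub-resources that a static HTML page would fetch from third-party hosts."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attributes whose value the browser fetches as a sub-resource.
RESOURCE_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src", "srcset"),
    "iframe": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src", "srcset"),
    "object": ("data",),
    "embed": ("src",),
}

# <link> only causes a fetch for these rel values (rel="canonical" etc. does not).
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload", "modulepreload",
                      "prefetch", "manifest", "preconnect", "dns-prefetch"}

# Assumed first-party domain; subdomains such as research.wikimedia.org match too.
FIRST_PARTY_HOSTS = {"wikimedia.org"}


def origin_host(url):
    """Host a URL would be fetched from, or None when it resolves against the page's
    own origin (relative path) or is not a network fetch (mailto:, data:, ...)."""
    return urlsplit(url.strip()).hostname  # None when there is no netloc


def candidate_urls(attr, value):
    """srcset holds comma-separated "url descriptor" pairs; other attrs hold one URL."""
    if attr == "srcset":
        return [c.split()[0] for c in value.split(",") if c.split()]
    return [value]


def is_first_party(host, first_party_hosts):
    return any(host == h or host.endswith("." + h) for h in first_party_hosts)


class ResourceCollector(HTMLParser):
    """Collects (tag, attribute, url) for every fetch-causing attribute seen."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):  # also called for self-closing tags
        attrs = dict(attrs)
        if tag not in RESOURCE_ATTRS:
            return
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHING_LINK_RELS:
                return
        for attr in RESOURCE_ATTRS[tag]:
            value = attrs.get(attr)
            if value:
                for url in candidate_urls(attr, value):
                    self.found.append((tag, attr, url))


def find_third_party_resources(html, first_party_hosts=FIRST_PARTY_HOSTS):
    """Return [(tag, attr, host, url)] for resources served from non-first-party hosts."""
    collector = ResourceCollector()
    collector.feed(html)
    collector.close()
    report = []
    for tag, attr, url in collector.found:
        host = origin_host(url)
        if host is None or is_first_party(host, first_party_hosts):
            continue
        report.append((tag, attr, host, url))
    return report


# Constructed sample page: a mix of relative, first-party and third-party references.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head>
<link rel="stylesheet" href="css/style.css">
<link rel="canonical" href="https://research.wikimedia.org/">
<script src="js/main.js"></script>
<script src="//cdn.example.com/jquery.min.js"></script>
<link rel="stylesheet" href="https://fonts.example.net/css?family=Lato">
</head><body>
<img src="images/logo.svg" alt="logo">
<img srcset="images/a.png 1x, https://img.example.org/a@2x.png 2x" alt="">
<a href="mailto:research@wikimedia.org">email</a>
<a href="https://github.com/wikimedia/research-landing-page">Source code</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, host, url in find_third_party_resources(SAMPLE_PAGE):
        print(f"third-party resource: <{tag} {attr}> {host}  ({url})")
```

Run it over each page of the site (`find_third_party_resources(path.read_text())`) and an empty report confirms the claim in the review; any hit names the tag, attribute and host so the reviewer can decide whether that origin is acceptable.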

I'll fix the link before pushing.

> And why are we making merge/squash commits, rather than just pushing the commits from one remote to another? And further still, why are we still developing on the other github repo?

Gerrit is rejecting fast-forwards. Any tip on how to bypass that? We're using Github temporarily because some of our contributors don't have a Gerrit workflow set up.

> I notice a few email addresses, like on contact... Shouldn't these be made mailto: links?

Sounds like a good idea.

> I don't have any security concerns. You're not loading any third party external resources. The libraries you're using seem to be up to date (and as such, seemingly no known/fixed released security issues).

OK, sounds good.

> And then presumably T181115 becomes a non-issue when this is actually hosted onsite too?

Yes

> > And why are we making merge/squash commits, rather than just pushing the commits from one remote to another? And further still, why are we still developing on the other github repo?
>
> Gerrit is rejecting fast-forwards. Any tip on how to bypass that? We're using Github temporarily because some of our contributors don't have a Gerrit workflow set up.

rebase first? :)

Yes, I rebased too. Gerrit is complaining that the committer email doesn't match my email. Who can merge your patch? I don't seem to have permissions to do so.

I was able to push the changes from Github to Gerrit directly.

The security review has been completed a while ago, closing this.

DarTar moved this task from Backlog to Done (current quarter) on the Research board.