Page MenuHomePhabricator

AbuseFilter (and dependencies): code stewardship review
Closed, ResolvedPublic

Tokens
"Like" token, awarded by Pcoombe."Like" token, awarded by Daimona."Burninate" token, awarded by Vituzzu."Burninate" token, awarded by Ankit-Maity."Barnstar" token, awarded by Xaosflux."Like" token, awarded by MusikAnimal."Like" token, awarded by Liuxinyu970226."Meh!" token, awarded by Ladsgroup."Like" token, awarded by Huji.
Assigned To
Authored By
kaldari, Jan 17 2018

Description

Current developers/maintainers:
None of the AbuseFilter related software has an owner. There are a few people who have volunteered as maintainers, but in practice, most bugs are ignored unless they are fatal.

  • AbuseFilter: Marius Hoch (User:Hoo man), volunteer; In-training: Legoktm, se4598, Matěj Suchánek
  • AntiSpoof: Brion Vibber?, Sam Reed
  • Equivset: David Barratt, Dayllan Maza

Number, severity, and age of known and confirmed security issues:
There are currently 21 open security bugs in AbuseFilter, 7 of which are high priority. AntiSpoof has 2 open security bugs.

Was it a cause of production outages or incidents? List them.
I've only listed security bugs. I don't know about other security issues related to AbuseFilter.

Does it have sufficient hardware resources for now and the near future (to take into account expected usage growth)?
Probably in it's current form, although performance has always been a concern with AbuseFilter. If we ever want to replace it with a more robust tool, it may need more hardware resources.

Is it a frequent cause of monitoring alerts that need action, and are they addressed timely and appropriately?
N/A

When it was first deployed to Wikimedia production
In the days of yore (2008?)

Usage statistics based on audience(s) served
Every edit to every WMF wiki.

Changes committed in last 1, 3, 6, and 12 months
Mostly just i18n and basic code maintenance. The biggest change in the past year was moving Equivset out of AntiSpoof and into its own library.
https://github.com/wikimedia/mediawiki-extensions-AbuseFilter/commits/master
https://github.com/wikimedia/mediawiki-extensions-AntiSpoof/commits/master
https://github.com/wikimedia/Equivset/commits/master

Reliance on outdated platforms (e.g. operating systems)
Not that I know of.

Number of developers who committed code in the last 1, 3, 6, and 12 months
?

Number and age of open patches
?

Number and age of open bugs
AbuseFilter: 311 open bugs (dating back to the Bugzilla days)
AntiSpoof: 23 open bugs
Equivset: 5 open bugs

Number of known dependencies?
AbuseFilter and AntiSpoof both depends on Equivset which depends on utfnormal.

Is there a replacement/alternative for the feature? Is there a plan for a replacement?
No

Event Timeline

kaldari created this task.Jan 17 2018, 10:42 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 17 2018, 10:42 PM
kaldari updated the task description. (Show Details)Jan 17 2018, 10:52 PM
kaldari updated the task description. (Show Details)Jan 17 2018, 10:56 PM
kaldari updated the task description. (Show Details)Jan 17 2018, 11:12 PM
greg triaged this task as Normal priority.Jan 18 2018, 7:09 PM

(adding people mentioned in the description as (almost) maintainers of the parts)

dmaza updated the task description. (Show Details)Jan 20 2018, 2:29 AM
Huji awarded a token.Jan 20 2018, 3:50 PM
MusikAnimal added a subscriber: MusikAnimal.EditedJan 29 2018, 6:02 PM

It probably goes without saying that AbuseFilter is indispensable. Especially on larger wikis, it automates a great deal of work for us, and I hear horror stories of what the patrollers went through before AbuseFilter was a thing. Ongoing maintenance and support of this extension should be paramount.

performance has always been a concern with AbuseFilter. If we ever want to replace it with a more robust tool, it may need more hardware resources.

By design there's always potential for performance implications, but I would argue that under the current or a similar system, the primary responsibility of keeping it efficient lies with the filter author. The issue here is that often the author is unaware they are slowing anything down. T177017 and T161059 helped us on enwiki, but the this profiling is still absent on many other wikis. Ideas for further improvements can be found at T176895, T102903, T179604, and T175954.

I would like to also stress that the extension seems to be slowly degrading, or has had regressions introduced over time. On enwiki at least, we've found malfunctions are more common these days, and nearly something we've come to expect. See T175933 for a parent task.

He7d3r added a subscriber: He7d3r.Jan 29 2018, 6:44 PM
Wiki13 added a subscriber: Wiki13.Jan 29 2018, 7:20 PM
Huji added a subscriber: Huji.Jan 30 2018, 2:27 AM

Adding myself, as someone who has contributed a bit to AbuseFilter. Also echoing what @MusikAnimal said above.

I think what we need is not an owner, or a faster turnaround time for the bugs. It is a "vision". We need someone to plan a road map as to what AbuseFilter needs to look like in 12 months. I am most certainly not the person for that. Legoktm or Matěj might be.

Just per previous comments, this extension needs to be kept. Apparently, Anti-Harassment team has brought some new features to it recently and AFAIK it's still working on eg. making its performance better.

Maintainers should at least listen to wiki administrators what they think could be better and doesn't work and try to fix that. Of course, with greater human resoures we can make greater changes.

Also adding @Jackmcbarn who seems to be added automatically as a review on gerrit whenever an AbuseFilter patch is submitted.

Samwalton9 added a subscriber: Samwalton9.EditedJan 31 2018, 11:36 AM

My impression was that the Anti-Harassment team was doing analysis of AbuseFilter use and needs so as to take ownership, or at least to do some significant work, on it. Is that no longer the case?

I'd also like to echo the above, AbuseFilter is a vital component of Wiki maintenance, and should absolutely be given more time/resources than it currently has.

In mid 2017 the WMF's Anti-Harassment Tools team investigated if the AbuseFilter could be used to log/prevent identifiable harassment as it does for spam and vandalism. We determined that AbuseFilter is not the correct tool for this job (and that logging identifiable harassment is a weak product idea, given the nuances involved in harassing language and the high likelihood for false positives.

We did some minimal work during our product investigation (including add some performance monitoring, made some small fixes/changes to AntiSpoof, and added a new ccnorm function for AbuseFilter.)

The Anti-Harassment Tools team is 2 developers, and while they are rockstars we have grant obligations to accomplish. Ownership of the AbuseFilter would dominate our roadmap.

And I'll echo the echo: AbuseFilter is a vital component of Wiki maintenance, and should absolutely be given more time/resources than it currently has. Not just for maintenance but also for the possibilities of adding new functionality to make it more powerful. Here is our project page, on which we've documented new feature requests and other information: https://meta.wikimedia.org/wiki/Community_health_initiative/AbuseFilter

I'd like to echo what @MusikAnimal and @Xaosflux said wrt AbuseFilter being a critical extension. I've left comments here as well but I'd be horrorized to see this feature removed. As administrator on some local wikis and as steward I can vouch about the usefulness of this extension. The introduction of global filters have improved the crosswiki vandalism and spam prevention a lot.

Yes, AbuseFilter needs more resources, as CheckUser does, and not just for fixing UBN bugs. We need active development here. I propose that WMF funds a team of people to take care of this kind of critical extensions. We can't afford loosing the support of this tools.

Stryn added a subscriber: Stryn.Feb 1 2018, 5:42 PM
Daimona added a subscriber: Daimona.

Proposal is for Platform Team to be the stewards for this extension due to knowledge and scope of team. Anti-Harassment Tools team is a potential candidate due their activity on the extension, but it is thought to be outside their scope. jrbranaa working with Platform team to see if they are willing to be this extension's steward.

Are there any recent discussions somewhere else other than in this ticket and here?
We all agree that this is extremely vital and in need of direction and it's been almost 4 months since this was created so is there a way to escalate this issue?

@dmaza: Discussions have been ongoing among product and tech leadership since February (mostly over email). Unfortunately, finding stewards for orphaned code isn't an easy task, but I think we're making progress. Stay tuned.

Huji added a comment.Apr 11 2018, 1:33 PM

In the meantine, @Daimona, @matej_suchanek and I have been actively working on AbuseFilter over the last 2-3 months with many patches created and merged. Most of our work is "patchwork" (as opposed to major overhaul) for now. It is best to postpone major overhaul to when either we have stewards or we become seasoned enough in this code to be the stewards,

Yeah, Huji is right. For the moment we're focusing on sanitization of corrupted outputs and enhancing the interface, plus adding some useful missing features. However, a major overhaul is highly desirable and should be done, sooner or later, when the context will allow it.

@dmaza I'm in active discussions with the Platform team. It looks like they will be taking on the stewardship of AbuseFilter. We're in the process of defining what that will mean in-terms of task/review responsiveness. However, we do agree that the Platform team is the right home for it. More to come.

In the meantine, @Daimona, @matej_suchanek and I have been actively working on AbuseFilter over the last 2-3 months with many patches created and merged. Most of our work is "patchwork" (as opposed to major overhaul) for now. It is best to postpone major overhaul to when either we have stewards or we become seasoned enough in this code to be the stewards,

And you all have been doing a fantastic job! Since both you and Matej have +2 rights, I'd consider you to be the de facto maintainers at this point. There's still value in having a "responsible WMF team", but I don't believe that should stop or hold you back from future improvements you'd like to make :)

Huji added a comment.Apr 13 2018, 12:54 PM

And you all have been doing a fantastic job! Since both you and Matej have +2 rights, I'd consider you to be the de facto maintainers at this point. There's still value in having a "responsible WMF team", but I don't believe that should stop or hold you back from future improvements you'd like to make :)

Thanks. We don't think (or at least I don't think) things are held back because of lack of WMF-assigned team. But having the support of such can certainly boost things up.

dmaza added a comment.Apr 16 2018, 7:28 PM

Well that's great hear (All of the above). And +1 to what @Legoktm said and kudos to @Daimona, @matej_suchanek and @Huji for the work and improvements.
Btw, feel free to hit me up for code reviews. I'll try to help whenever I can.

Huji added a comment.Apr 16 2018, 10:12 PM

@dmaza we have a few patches that are more than minimal improvements, and we need someone more daring to +2 them, so I'm going to add you as reviewer on those in the next day or so.

Jrbranaa closed this task as Resolved.Jun 7 2018, 11:24 PM
Jrbranaa claimed this task.

Updated to developers/maintainers page to reflect Code Stewardship being assigned to MediaWiki Platform team.