Page MenuHomePhabricator
Create Task
Maniphest T202080

Publish the source for phabricator-antivandalism
Closed, ResolvedPublic
Actions

Description

rPHAVA is currently private under the rational that we shouldn't teach the vandals how to avoid our countermeasures. This prevents other public phabricator installs from using the plugin. https://discourse.phabricator-community.org/t/spam-countermeasures/1601 is an example of one install who could perhaps benefit from rPHAVA. There is also the possibility that others would contribute improvements to the code if it's released with an open license.

Given that the plugin is configurable and we could keep the tuning parameters private, I don't really see any harm in publishing the source.

Looking for feedback from @greg and @bd808 before I jfdi.

Event Timeline

mmodell created this task.Aug 16 2018, 5:24 PM
Restricted Application added a project: Release-Engineering-Team (Kanban). · View Herald TranscriptAug 16 2018, 5:24 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
mmodell added a project: Phabricator.Aug 16 2018, 5:24 PM
Paladox subscribed.Aug 16 2018, 5:28 PM
Aklapper awarded a token.Aug 16 2018, 5:47 PM
Aklapper moved this task from To Triage to Misc on the Phabricator board.Aug 29 2018, 6:27 PM
mmodell triaged this task as Medium priority.Sep 4 2018, 3:21 PM
mmodell added a project: User-MModell.Sep 10 2018, 4:51 PM
mmodell moved this task from Backlog to Soon on the User-MModell board.Sep 10 2018, 4:58 PM
Alroilim closed this task as Declined.Feb 2 2019, 7:16 PM
Alroilim removed mmodell as the assignee of this task.
Alroilim set Due Date to Feb 1 2019, 9:00 PM.
Alroilim removed projects: User-MModell, Phabricator, Release-Engineering-Team (Kanban).
Alroilim updated the task description. (Show Details)
Alroilim removed subscribers: Paladox, mmodell, greg and 2 others.
Restricted Application changed the subtype of this task from "Task" to "Deadline". · View Herald TranscriptFeb 2 2019, 7:16 PM
Paladox reopened this task as Open.Feb 2 2019, 7:30 PM
Paladox assigned this task to mmodell.
Paladox removed Due Date.
Paladox added projects: Phabricator, Release-Engineering-Team, User-MModell.
Paladox updated the task description. (Show Details)
Paladox added subscribers: bd808, greg, mmodell and 2 others.
Restricted Application changed the subtype of this task from "Deadline" to "Task". · View Herald TranscriptFeb 2 2019, 7:30 PM
greg moved this task from INBOX to Kanban on the Release-Engineering-Team board.Mar 5 2019, 12:42 AM
greg edited projects, added Release-Engineering-Team (Kanban); removed Release-Engineering-Team.
greg moved this task from Backlog to Blocked (externally) on the Release-Engineering-Team (Kanban) board.May 23 2019, 10:44 PM
greg added a subscriber: chasemp.

Any opinions on this @chasemp or others from Security Team?

greg edited projects, added Release-Engineering-Team-TODO (201907); removed Release-Engineering-Team (Kanban).Jul 1 2019, 9:23 PM
greg moved this task from INBOX to Blocked externally on the Release-Engineering-Team-TODO (201907) board.Jul 1 2019, 9:23 PM
greg added a project: Security-Team.Jul 25 2019, 11:05 PM
In T202080#5209386, @greg wrote:

Any opinions on this @chasemp or others from Security Team?

Adding the Security-Team for your feedback. See description.

greg added a project: Release-Engineering-Team (Development services).Jul 25 2019, 11:39 PM
mmodell edited projects, added Release-Engineering-Team-TODO (201908); removed Release-Engineering-Team-TODO (201907).Jul 29 2019, 4:23 PM
mmodell moved this task from INBOX to Blocked externally on the Release-Engineering-Team-TODO (201908) board.
mmodell moved this task from Soon to Blocked or Stalled on the User-MModell board.Jul 30 2019, 5:54 PM
thcipriani moved this task from 201908 to Blocked externally on the Release-Engineering-Team-TODO board.Sep 3 2019, 4:18 PM
thcipriani edited projects, added Release-Engineering-Team-TODO; removed Release-Engineering-Team-TODO (201908).
SresKnjlJU moved this task from Incoming to To Follow Up on the Security-Team board.Sep 17 2019, 10:13 AM
Jcross moved this task from To Follow Up to Waiting on the Security-Team board.Sep 23 2019, 4:12 PM
sbassett added subscribers: JBennett, Reedy, sbassett.Sep 23 2019, 6:16 PM

@mmodell @greg -

I think the Security-Team is fine with open-sourcing this plugin (tagging @JBennett and @Reedy as well). We already do the same for most anti-spam/vandalism tools for MediaWiki. Would this involve making what's currently in /src/config private and just putting some example config file there?

Also n.b. - the Security-Team is still in the active process of cleaning up our team workboard. We're hopeful it will soon be in a place where we can triage new backlog items, tagged tasks, etc. on at least a weekly basis. Until then, pinging one of us on irc/email is probably the best way to get eyes on a task quickly.

MarcoAurelio subscribed.Sep 23 2019, 9:01 PM

Making rPHAVA fully public will expose its full git history avalaible as well as its current contents. Are you sure nothing private or that can defeat the purpose of rPHAVA exists in there? I'd rather keep the repo private. Security through obscurity works.

Krenair subscribed.Sep 23 2019, 9:04 PM
sbassett added a comment.Sep 23 2019, 9:30 PM

@MarcoAurelio - a new, public-facing repo could be created to remove any reference to the sensitive config.

chasemp added a comment.Dec 4 2019, 4:05 PM

@mmodell @greg I'm echoing what @sbassett said above. We are all for this as long as the set thresholds and data is separated from the code. I think it would be great considering how limited these abilities are in phab vanilla. Really have appreciated all of @mmodell's hard work here. Let us know what we can do to move this forward.

chasemp moved this task from Waiting to Watching on the Security-Team board.Dec 23 2019, 5:27 PM
mmodell added a project: Phabricator Antivandalism Extension.Jan 5 2020, 11:00 AM

Thanks @chasemp and @sbassett! I've created a new repo with no history and included a LICENSE file as well as changing the defaults so that they are not closely related to the current production configuration. Users of the extension will have to do a bit of trial and error to find the tuning parameters that are best for their specific phabricator installation.

mmodell added a comment.Jan 5 2020, 11:05 AM

https://gerrit.wikimedia.org/g/phabricator/antivandalism/+/refs/heads/master

mmodell closed this task as Resolved.Jan 5 2020, 11:15 AM
mmodell moved this task from Blocked externally to Done (within RelEng) on the Release-Engineering-Team-TODO board.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL