
Publish the source for phabricator-antivandalism
Closed, Resolved · Public


rPHAVA is currently private under the rationale that we shouldn't teach the vandals how to avoid our countermeasures. This prevents other public Phabricator installs from using the plugin. is an example of one install that could perhaps benefit from rPHAVA. There is also the possibility that others would contribute improvements to the code if it's released with an open license.

Given that the plugin is configurable and we could keep the tuning parameters private, I don't really see any harm in publishing the source.

Looking for feedback from @greg and @bd808 before I jfdi.

Event Timeline

Restricted Application added a subscriber: Aklapper.
mmodell triaged this task as Medium priority. Sep 4 2018, 3:21 PM
Alroilim removed mmodell as the assignee of this task.
Alroilim set Due Date to Feb 1 2019, 9:00 PM.
Alroilim updated the task description.
Alroilim removed subscribers: Paladox, mmodell, greg and 2 others.
Restricted Application changed the subtype of this task from "Task" to "Deadline". Feb 2 2019, 7:16 PM
Paladox assigned this task to mmodell.
Paladox removed Due Date.
Paladox updated the task description.
Paladox added subscribers: bd808, greg, mmodell and 2 others.
Restricted Application changed the subtype of this task from "Deadline" to "Task". Feb 2 2019, 7:30 PM
greg added a subscriber: chasemp.

Any opinions on this @chasemp or others from Security Team?

Adding the Security-Team for your feedback. See description.

@mmodell @greg -

I think the Security-Team is fine with open-sourcing this plugin (tagging @JBennett and @Reedy as well). We already do the same for most anti-spam/vandalism tools for MediaWiki. Would this involve making what's currently in /src/config private and just putting some example config file there?

Also n.b. - the Security-Team is still in the active process of cleaning up our team workboard. We're hopeful it will soon be in a place where we can triage new backlog items, tagged tasks, etc. on at least a weekly basis. Until then, pinging one of us on irc/email is probably the best way to get eyes on a task quickly.

Making rPHAVA fully public will make its full git history available as well as its current contents. Are you sure nothing private, or that can defeat the purpose of rPHAVA, exists in there? I'd rather keep the repo private. Security through obscurity works.

@MarcoAurelio - a new, public-facing repo could be created to remove any reference to the sensitive config.

@mmodell @greg I'm echoing what @sbassett said above. We are all for this as long as the set thresholds and data is separated from the code. I think it would be great considering how limited these abilities are in phab vanilla. Really have appreciated all of @mmodell's hard work here. Let us know what we can do to move this forward.

Thanks @chasemp and @sbassett! I've created a new repo with no history, included a LICENSE file, and changed the defaults so that they are not closely related to the current production configuration. Users of the extension will have to do a bit of trial and error to find the tuning parameters that are best for their specific Phabricator installation.