
Come up with a plan for community security reviews of MediaWiki extensions/skins
Open, Low, Public


Security is probably one of MediaWiki's biggest strengths, and we have a pretty good security review process. However, it doesn't really scale for the entire MediaWiki ecosystem, since the WMF security team doesn't have the peoplepower to review everything.

We should have a process in which other developers are designated as community security reviewers for extensions that aren't deployed to Wikimedia sites, and extension developers can request security reviews from them.

I briefly discussed this idea with @Bawolff at WikiConference NA a few weeks ago.

Event Timeline

Legoktm created this task. Nov 8 2018, 6:34 PM
Restricted Application added a subscriber: Aklapper. Nov 8 2018, 6:34 PM

So the next step is to get buy in from the Security-Team on this, since it relies on them for bootstrapping, and it doesn't make much sense to do it without their support.

ashley added a subscriber: ashley. Dec 3 2018, 6:56 AM
CCicalese_WMF triaged this task as Low priority.
CCicalese_WMF moved this task from Not a real column to Doing on the Platform Team Workboards board.
chasemp moved this task from Incoming to Back Orders on the Security-Team board. Dec 2 2019, 8:52 PM
Akuckartz added a subscriber: Akuckartz.

Note that @Lex has some interest in this and proposed that the MediaWiki-Stakeholders-Group provide this as a service for its members. If we were to offer this (+ some code review) as a service, it might also allow us to review non-public extensions.

We would need to find someone who has the necessary MW/Security knowledge, though. I'm open to ideas, there.