Page MenuHomePhabricator

Release 1.32.1 as a maintenance release
Closed, ResolvedPublic

Description

Looks like there's quite a few spammy issues in 1.32.0 (see T213577). I would suggest we try and do a 1.32.1 as a maintenance release to get the relevant backported fixes out to the public fairly soon

No point doing one immediately, I don't think; we should give it a little time to soak incase we get any more fed back that should be fixed more widely

Event Timeline

Reedy created this task.Jan 11 2019, 11:54 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 11 2019, 11:54 PM
Reedy triaged this task as Normal priority.
greg added a subscriber: greg.

(watching until we're ready to do the mechanics of the release)

mmodell added a subscriber: mmodell.Feb 7 2019, 9:17 PM

Do we have backports ready for this?

Do we have backports ready for this?

Yesterday I went through and checked that all landed patches in MW-core have corresponding entries in RELEASE-NOTES-1.32. There aren't any tarball extension backports AFAICS: https://gerrit.wikimedia.org/r/q/branch:REL1_32+is:merged

Any chance https://gerrit.wikimedia.org/r/c/mediawiki/core/+/472746 could be backported in time? It is not a simple cherry pick (maybe because of the release notes?).

Any chance https://gerrit.wikimedia.org/r/c/mediawiki/core/+/472746 could be backported in time? It is not a simple cherry pick (maybe because of the release notes?).

Done by both Reedy and me into https://gerrit.wikimedia.org/r/c/mediawiki/core/+/489087 with removal of notes in https://gerrit.wikimedia.org/r/#/c/mediawiki/core/+/489095.

Can we bundle the planned security release with this?

Change 490265 had a related patch set uploaded (by Jforrester; owner: 20after4):
[mediawiki/core@REL1_32] Bump version to 1.32.1

https://gerrit.wikimedia.org/r/490265

Change 490265 had a related patch set uploaded (by 20after4; owner: 20after4):
[mediawiki/core@REL1_32] Bump version to 1.32.1

https://gerrit.wikimedia.org/r/490265

I think we should wait for T215566.

Change 490265 merged by jenkins-bot:
[mediawiki/core@REL1_32] Bump version to 1.32.1

https://gerrit.wikimedia.org/r/490265

So....who's doing the release? What's happening exactly?

@Legoktm: I can do it if nobody else wants to ;)

Ok I've uploaded tarballs to releases1001, they should appear soon on releases.wikimedia.org as follows:


Download:
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.1.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-core-1.32.1.tar.gz

Patch to previous version (1.32.0):
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.1.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-core-1.32.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.1.patch.gz.sig


Would anyone care to verify these files before I push the tags and announce to the world that 1.32.1 is out?

greg assigned this task to mmodell.Feb 20 2019, 10:43 PM
greg added a comment.Feb 20 2019, 10:48 PM
greg@x1  ~/Downloads % gpg --fetch-keys "https://www.mediawiki.org/keys/keys.txt"
gpg: requesting key from 'https://www.mediawiki.org/keys/keys.txt'
gpg: key 75682B08E8A3FEC4: public key "Tim Starling <tstarling@wikimedia.org>" imported
gpg: key C119E1A64D70938E: 9 signatures not checked due to missing keys
gpg: key C119E1A64D70938E: public key "Brion Vibber <brion@pobox.com>" imported
gpg: key 82403E59F9F8CD79: public key "Tim Starling <tstarling@wikimedia.org>" imported
gpg: key 9B69B3109D3BB7B0: "Sam Reed <reedy@wikimedia.org>" not changed
gpg: key C119E1A64D70938E: 9 signatures not checked due to missing keys
gpg: key C119E1A64D70938E: "Brion Vibber <brion@pobox.com>" not changed
gpg: key 9B69B3109D3BB7B0: "Sam Reed <reedy@wikimedia.org>" not changed
gpg: key 72BC1C5D23107F8A: "Chad Horohoe (Alternatve personal e-mail - slightly less childish than my original) <chad@anyonecanedit.org>" not changed
gpg: key F6DAD285018FAC02: "Tyler Cipriani <tyler@tylercipriani.com>" not changed
gpg: key 361F943B15C08DD4: "Brian Wolff (Bawolff) <bawolff@gmail.com>" not changed
gpg: key 131910E01605D9AA: "Mukunda Modell (WMF) <mmodell@wikimedia.org>" 6 new signatures
gpg: key 131910E01605D9AA: "Mukunda Modell (WMF) <mmodell@wikimedia.org>" 3 new subkeys
gpg: Total number processed: 10
gpg:               imported: 3
gpg:              unchanged: 6
gpg:            new subkeys: 3
gpg:         new signatures: 6
gpg: no ultimately trusted keys found
greg@x1  ~/Downloads % gpg --verify mediawiki-core-1.32.1.tar.gz.sig
gpg: assuming signed data in 'mediawiki-core-1.32.1.tar.gz'
gpg: Signature made Wed 20 Feb 2019 05:59:39 AM PST
gpg:                using RSA key D7B8437BE5A2D3FC8D905FED60AE06D4875BE862
gpg: Good signature from "Mukunda Modell (WMF) <mmodell@wikimedia.org>" [unknown]
gpg:                 aka "[jpeg image of size 2928]" [unknown]
gpg:                 aka "Mukunda Modell <twentyafterfour@gmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C83A 8E4D 3C8F EB7C 8A3A  1998 1319 10E0 1605 D9AA
     Subkey fingerprint: D7B8 437B E5A2 D3FC 8D90  5FED 60AE 06D4 875B E862
greg@x1  ~/Downloads % gpg --verify mediawiki-1.32.1.tar.gz.sig 
gpg: assuming signed data in 'mediawiki-1.32.1.tar.gz'
gpg: Signature made Wed 20 Feb 2019 05:59:40 AM PST
gpg:                using RSA key D7B8437BE5A2D3FC8D905FED60AE06D4875BE862
gpg: Good signature from "Mukunda Modell (WMF) <mmodell@wikimedia.org>" [unknown]
gpg:                 aka "[jpeg image of size 2928]" [unknown]
gpg:                 aka "Mukunda Modell <twentyafterfour@gmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C83A 8E4D 3C8F EB7C 8A3A  1998 1319 10E0 1605 D9AA
     Subkey fingerprint: D7B8 437B E5A2 D3FC 8D90  5FED 60AE 06D4 875B E862
greg@x1  ~/Downloads % gpg --verify mediawiki-1.32.1.patch.gz.sig 
gpg: assuming signed data in 'mediawiki-1.32.1.patch.gz'
gpg: Signature made Wed 20 Feb 2019 05:59:41 AM PST
gpg:                using RSA key D7B8437BE5A2D3FC8D905FED60AE06D4875BE862
gpg: Good signature from "Mukunda Modell (WMF) <mmodell@wikimedia.org>" [unknown]
gpg:                 aka "[jpeg image of size 2928]" [unknown]
gpg:                 aka "Mukunda Modell <twentyafterfour@gmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C83A 8E4D 3C8F EB7C 8A3A  1998 1319 10E0 1605 D9AA
     Subkey fingerprint: D7B8 437B E5A2 D3FC 8D90  5FED 60AE 06D4 875B E862

I guess I should announce the release? Seems like everything is in order.

greg added a comment.Feb 21 2019, 5:34 PM

Can we bundle the planned security release with this?

Did that ^ happen?

mmodell added a comment.EditedFeb 22 2019, 1:48 AM

Did that ^ happen?

I'm not aware of any security patches that landed in 1.32.1 but I haven't announced the release yet if we want to rebuild the tarballs it's fine with me.

I still haven't announced this release. I've been overwhelmed with phabricator work and that doesn't seem to be easing up much this week.

What is blocking the release?

Read the previous comment again.

The tarballs have already been uploaded, we should just release them and plan to do the security release in a week or two. I'll help work on that.

this release was never announced. Should I just announce it now?

Yes, I think it should be announced.

Reedy updated the task description. (Show Details)Apr 30 2019, 3:59 PM

Are we going to announce it? :)

We need to get T205041 done soon, so this has some affect on that too

Ok I will send the following to the appropriate mailing lists:

Although the archives have been available for quite some time, this minor patch release was never properly announced. So without further ado, I'd like to announce the availability of MediaWiki 1.32.1, below you will find links to download and verify this release:

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.1.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-core-1.32.1.tar.gz

Patch to previous version (1.32.0):
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.1.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-core-1.32.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.1.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html
Reedy added a comment.Apr 30 2019, 6:29 PM

Needs the git tags pushing too :)

mmodell added a comment.EditedApr 30 2019, 10:31 PM

Needs the git tags pushing too :)

git submodule foreachgit push origin 1.32.1Done

Reedy closed this task as Resolved.Apr 30 2019, 10:31 PM

Thanks! :)

Reedy added a comment.May 1 2019, 12:42 PM

It hasn't been listed in https://www.mediawiki.org/ :(

{{sofixit}} ;)