Release 1.32.1 as a maintenance release
Closed, Resolved, Public

Description

Looks like there are quite a few spammy issues in 1.32.0 (see T213577). I would suggest we try and do a 1.32.1 as a maintenance release to get the relevant backported fixes out to the public fairly soon.

No point doing one immediately, I don't think; we should give it a little time to soak in case we get any more fed back that should be fixed more widely.

Event Timeline

greg added a subscriber: greg.

(watching until we're ready to do the mechanics of the release)

Do we have backports ready for this?

Yesterday I went through and checked that all landed patches in MW-core have corresponding entries in RELEASE-NOTES-1.32. There aren't any tarball extension backports AFAICS: https://gerrit.wikimedia.org/r/q/branch:REL1_32+is:merged

Any chance https://gerrit.wikimedia.org/r/c/mediawiki/core/+/472746 could be backported in time? It is not a simple cherry pick (maybe because of the release notes?).

Done by both Reedy and me into https://gerrit.wikimedia.org/r/c/mediawiki/core/+/489087 with removal of notes in https://gerrit.wikimedia.org/r/#/c/mediawiki/core/+/489095.

Can we bundle the planned security release with this?

Change 490265 had a related patch set uploaded (by Jforrester; owner: 20after4):
[mediawiki/core@REL1_32] Bump version to 1.32.1

https://gerrit.wikimedia.org/r/490265

Change 490265 had a related patch set uploaded (by 20after4; owner: 20after4):
[mediawiki/core@REL1_32] Bump version to 1.32.1

https://gerrit.wikimedia.org/r/490265

Change 490265 merged by jenkins-bot:
[mediawiki/core@REL1_32] Bump version to 1.32.1

https://gerrit.wikimedia.org/r/490265

So....who's doing the release? What's happening exactly?

@Legoktm: I can do it if nobody else wants to ;)

greg@x1  ~/Downloads % gpg --fetch-keys "https://www.mediawiki.org/keys/keys.txt"
gpg: requesting key from 'https://www.mediawiki.org/keys/keys.txt'
gpg: key 75682B08E8A3FEC4: public key "Tim Starling <tstarling@wikimedia.org>" imported
gpg: key C119E1A64D70938E: 9 signatures not checked due to missing keys
gpg: key C119E1A64D70938E: public key "Brion Vibber <brion@pobox.com>" imported
gpg: key 82403E59F9F8CD79: public key "Tim Starling <tstarling@wikimedia.org>" imported
gpg: key 9B69B3109D3BB7B0: "Sam Reed <reedy@wikimedia.org>" not changed
gpg: key C119E1A64D70938E: 9 signatures not checked due to missing keys
gpg: key C119E1A64D70938E: "Brion Vibber <brion@pobox.com>" not changed
gpg: key 9B69B3109D3BB7B0: "Sam Reed <reedy@wikimedia.org>" not changed
gpg: key 72BC1C5D23107F8A: "Chad Horohoe (Alternatve personal e-mail - slightly less childish than my original) <chad@anyonecanedit.org>" not changed
gpg: key F6DAD285018FAC02: "Tyler Cipriani <tyler@tylercipriani.com>" not changed
gpg: key 361F943B15C08DD4: "Brian Wolff (Bawolff) <bawolff@gmail.com>" not changed
gpg: key 131910E01605D9AA: "Mukunda Modell (WMF) <mmodell@wikimedia.org>" 6 new signatures
gpg: key 131910E01605D9AA: "Mukunda Modell (WMF) <mmodell@wikimedia.org>" 3 new subkeys
gpg: Total number processed: 10
gpg:               imported: 3
gpg:              unchanged: 6
gpg:            new subkeys: 3
gpg:         new signatures: 6
gpg: no ultimately trusted keys found
greg@x1  ~/Downloads % gpg --verify mediawiki-core-1.32.1.tar.gz.sig
gpg: assuming signed data in 'mediawiki-core-1.32.1.tar.gz'
gpg: Signature made Wed 20 Feb 2019 05:59:39 AM PST
gpg:                using RSA key D7B8437BE5A2D3FC8D905FED60AE06D4875BE862
gpg: Good signature from "Mukunda Modell (WMF) <mmodell@wikimedia.org>" [unknown]
gpg:                 aka "[jpeg image of size 2928]" [unknown]
gpg:                 aka "Mukunda Modell <twentyafterfour@gmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C83A 8E4D 3C8F EB7C 8A3A  1998 1319 10E0 1605 D9AA
     Subkey fingerprint: D7B8 437B E5A2 D3FC 8D90  5FED 60AE 06D4 875B E862
greg@x1  ~/Downloads % gpg --verify mediawiki-1.32.1.tar.gz.sig 
gpg: assuming signed data in 'mediawiki-1.32.1.tar.gz'
gpg: Signature made Wed 20 Feb 2019 05:59:40 AM PST
gpg:                using RSA key D7B8437BE5A2D3FC8D905FED60AE06D4875BE862
gpg: Good signature from "Mukunda Modell (WMF) <mmodell@wikimedia.org>" [unknown]
gpg:                 aka "[jpeg image of size 2928]" [unknown]
gpg:                 aka "Mukunda Modell <twentyafterfour@gmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C83A 8E4D 3C8F EB7C 8A3A  1998 1319 10E0 1605 D9AA
     Subkey fingerprint: D7B8 437B E5A2 D3FC 8D90  5FED 60AE 06D4 875B E862
greg@x1  ~/Downloads % gpg --verify mediawiki-1.32.1.patch.gz.sig 
gpg: assuming signed data in 'mediawiki-1.32.1.patch.gz'
gpg: Signature made Wed 20 Feb 2019 05:59:41 AM PST
gpg:                using RSA key D7B8437BE5A2D3FC8D905FED60AE06D4875BE862
gpg: Good signature from "Mukunda Modell (WMF) <mmodell@wikimedia.org>" [unknown]
gpg:                 aka "[jpeg image of size 2928]" [unknown]
gpg:                 aka "Mukunda Modell <twentyafterfour@gmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C83A 8E4D 3C8F EB7C 8A3A  1998 1319 10E0 1605 D9AA
     Subkey fingerprint: D7B8 437B E5A2 D3FC 8D90  5FED 60AE 06D4 875B E862
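
Each check in the session above ends in "Good signature" with the key marked [unknown], so what still has to be confirmed is that the signing key is the expected one. The following is an added example, not part of this thread or of MediaWiki's release tooling: it reads gpg's machine-readable status output and accepts a signature only when the primary key fingerprint matches the one printed above. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: pin the release signer instead of accepting any "Good signature".
# Primary key fingerprint as printed in the session above, spaces removed.
PINNED_FPR="C83A8E4D3C8FEB7C8A3A1998131910E01605D9AA"

# check_status PIN: reads `gpg --status-fd 1 --verify` output on stdin.
# Succeeds only with a GOODSIG, a VALIDSIG whose last field (the primary key
# fingerprint) equals PIN, and no bad/expired/revoked status line.
check_status() {
    awk -v pin="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" && toupper($NF) == toupper(pin) { pinned = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit !(good && pinned && !bad) }
    '
}

# verify_release SIGFILE: hypothetical wrapper for real use; needs gpg and
# the signed file next to SIGFILE. Fails closed if gpg prints no status.
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" 2>/dev/null | check_status "$PINNED_FPR"
}

# Constructed status output modelled on the session above (not captured from gpg).
sample_pinned() {
    cat <<'EOF'
[GNUPG:] GOODSIG 60AE06D4875BE862 Mukunda Modell (WMF) <mmodell@wikimedia.org>
[GNUPG:] VALIDSIG D7B8437BE5A2D3FC8D905FED60AE06D4875BE862 2019-02-20 1550671179 0 4 0 1 8 00 C83A8E4D3C8FEB7C8A3A1998131910E01605D9AA
EOF
}

# Constructed: a valid signature, but from a key that is not the pinned one.
sample_other_key() {
    cat <<'EOF'
[GNUPG:] GOODSIG 0000000000000001 Constructed Signer <signer@example.org>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2019-02-20 1550671179 0 4 0 1 8 00 0000000000000000000000000000000000000002
EOF
}

# Constructed: pinned key, but gpg reports the key as expired.
sample_expired() {
    sample_pinned | sed 's/ GOODSIG / EXPKEYSIG /'
}

for s in sample_pinned sample_other_key sample_expired; do
    if $s | check_status "$PINNED_FPR"; then echo "$s: accept"; else echo "$s: reject"; fi
done
```

The pin is only as good as its source: compare the fingerprint against a copy obtained independently of the download server before relying on it.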

I guess I should announce the release? Seems like everything is in order.

Can we bundle the planned security release with this?

Did that ^ happen?

I'm not aware of any security patches that landed in 1.32.1, but I haven't announced the release yet; if we want to rebuild the tarballs, it's fine with me.

I still haven't announced this release. I've been overwhelmed with phabricator work and that doesn't seem to be easing up much this week.

Read the previous comment again.

The tarballs have already been uploaded; we should just release them and plan to do the security release in a week or two. I'll help work on that.

This release was never announced. Should I just announce it now?

Yes, I think it should be announced.

Are we going to announce it? :)

We need to get T205041 done soon, so this has some effect on that too.

Ok I will send the following to the appropriate mailing lists:

Although the archives have been available for quite some time, this minor patch release was never properly announced. So without further ado, I'd like to announce the availability of MediaWiki 1.32.1. Below you will find links to download and verify this release:

**********************************************************************
Download:
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.1.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-core-1.32.1.tar.gz

Patch to previous version (1.32.0):
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.1.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-core-1.32.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.32/mediawiki-1.32.1.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

Needs the git tags pushing too :)

git submodule foreach git push origin 1.32.1

Done