
Nuke Extension: Code Stewardship Review
Open, Medium, Public



The Nuke extension is an anti-abuse tool that is used in the recovery efforts post abuse incident. It currently lacks Code Stewardship and recently surfaced as part of Task T212690.

Number, severity, and age of known and confirmed security issues


Was it a cause of production outages or incidents? List them.


Does it have sufficient hardware resources for now and the near future (to take into account expected usage growth)?


Is it a frequent cause of monitoring alerts that need action, and are they addressed timely and appropriately?

Yes, as of late. It's recently been at the root of DBQueryTimeoutError on Wikidata.

When it was first deployed to Wikimedia production


Usage statistics based on audience(s) served

Only used by sysops as part of abuse cleanup.

Changes committed in last 1, 3, 6, and 12 months

Reliance on outdated platforms (e.g. operating systems)


Number of developers who committed code in the last 1, 3, 6, and 12 months

1:0, 3:0, 6:2, 12:2

Number and age of open patches


Number and age of open bugs


Number of known dependencies?


Is there a replacement/alternative for the feature? Is there a plan for a replacement?

Nuke's capabilities could be transferred into other abuse tools, but it is currently the only source for its capabilities.

Submitter's recommendation (what do you propose be done?)

Per a discussion with @Krinkle, it is recommended that this extension remain deployed and be found a Code Steward.

Event Timeline

Krinkle updated the task description.

(changed ref to be bare to enable hovercards)

greg triaged this task as Medium priority. Jul 16 2019, 9:30 PM

In theory, Nuke could easily be replaced by an OAuth-backed external tool - no risk of causing errors in production, easy for maintainers to improve without being encumbered by all the things that make MediaWiki development slow. OTOH handing out deletion grants to apps is not completely unheard of but still somewhat scary security-wise.

This comment was removed by DannyS712.

For everyone's info, currently no Code-Stewardship-Reviews are taking place as there is no clear path forward and as this is not prioritized work.
(Entirely personal opinion: I also assume lack of decision authority due to WMF not having a CTO currently. However, discussing this is off-topic for this task.)