
Release taint-check 2.0.2 and 2.1.0
Open, Low, Public

Description

I checked the remaining patches in the 2.x branch, and determined that we could release a minor 2.0.2 version including:

  1. r507854 - code cleanup
  2. r507934 - code cleanup
  3. r507952 - code cleanup
  4. r507962 - handles ++ and --, pretty easy
  5. r521838 - fixes a crash seen for some MW extensions

I find all of the above to be minor changes, with no real risks. So IMHO we can put them in a 2.0.2 version and start using it for our codebases.

Note that the patches above already have CR+2, though I'd like to delay merging them until we have CI working again.

2.1.0

This is what I'd like to include in 2.1.0 (from T227406#5312104):

  1. r507849 - Only touches caused-by lines
  2. r507981 - Handles closures
  3. r507986 - Handles variables used by closures
  4. r508082 - Code cleanup
  5. r508085 - Visits AST_EMPTY, straightforward
  6. r508124 - Explicitly mark as INAPPLICABLE a few node kinds, + visit exit() and clone
  7. r522076 - Just some debug logging
  8. r522140 - Switch back to phpunit for IDEs etc.

And possibly also the fix for T230713, if we get it done before the release.

Event Timeline

Daimona created this task. Jul 7 2019, 2:34 PM
Restricted Application added a subscriber: Aklapper. Jul 7 2019, 2:34 PM

And also the plan I envisioned for the next releases:

We could make another minor release (2.0.2, or maybe 2.1.0) including the following:

  1. r507849 - Only touches caused-by lines
  2. r507981 - Handles closures
  3. r507986 - Handles variables used by closures
  4. r508082 - Code cleanup
  5. r508085 - Visits AST_EMPTY, straightforward
  6. r508124 - Adds a bunch of new node types, mostly things that don't have taintedness

Commits 3 and 5 already have CR; the other ones don't.

At that point, I'll cherry-pick to master and abandon r508091, thus emptying the 2.x branch. Then it'll be the turn of r521040 (plus any change needed to make the plugin work with newer phan). That change will drop PHP 7.0 support, and thus the next release should IMHO be a 3.0.0. With that change in place, I'll start working on the remaining bugs.

sbassett triaged this task as Low priority. Jul 9 2019, 4:34 PM
Daimona updated the task description. Jul 9 2019, 5:16 PM
Daimona updated the task description. Jul 9 2019, 6:27 PM
Daimona renamed this task from "Release taint-check 2.0.1" to "Release taint-check 2.0.2 and 2.1.0". Jul 9 2019, 6:36 PM
Daimona updated the task description.

We eventually went for an early 2.0.1 release to fix some issues with integration tests and CI, and get taint-check ready for deployment now. Everything in this task still applies to 2.0.2 (and 2.1.0), so I've updated the task description accordingly.

Daimona updated the task description. Jul 10 2019, 9:38 AM

I've added https://gerrit.wikimedia.org/r/#/c/mediawiki/tools/phan/SecurityCheckPlugin/+/521838/, and it's the only patch which needs CR before the 2.0.2 release.

Version 2.0.2 tagged just now. It includes the 5 patches mentioned in the task description. Next step is 2.1.0 with the 6 patches mentioned in T227406#5312104.

Daimona updated the task description. Jul 11 2019, 12:59 PM
Daimona updated the task description. Jul 11 2019, 4:51 PM
Daimona updated the task description. Jul 12 2019, 9:40 AM
Daimona updated the task description. Jul 12 2019, 12:16 PM
Daimona updated the task description. Jul 12 2019, 3:09 PM

@Daimona - can we call this done? And resolve for now?

@sbassett 2.1.0 is still not released. We could split that part to a separate task, but some of the 8 patches listed in the task description are still not merged.

@Daimona - ah, ok. Yeah, I guess we can leave open for 2.1.0. Thanks.

Daimona updated the task description. Aug 19 2019, 11:22 AM