- Project: 2020 Tech blog, to be hosted on WordPress 5.3.2. For more context, see T242619.
- Responsible Team / Contact: https://www.mediawiki.org/wiki/Wikimedia_Technical_Engagement
- Planned deployment date: February 2020
- Code repositories:
- https://wordpress.org/plugins/code-syntax-block (For highlighting code samples published on the site)
- https://wordpress.org/plugins/jetpack/ (security)
- https://wordpress.org/plugins/akismet/ (anti-spam)
- https://wordpress.org/plugins/classic-editor/ (classic editor -- overrides the new block editor)
- https://wordpress.org/plugins/gutenberg/ (@srodlund is not sure if this is available for our installation -- it has to do with the WP Editor redesign)
|Open||srodlund||T242619 Set up Tech blog to share stories from the Wikimedia Technical community|
|Resolved||Security||Reedy||T243398 Security Readiness Review for one skin and five plugins to be used in Tech Blog based on Wordpress|
This task has been resourced, but reviewing by the planned deployment date (month) cannot be guaranteed as we are out for All Hands next week, leaving less than 30 days. We will do our best to meet the requested timeline and will be in contact as work progresses.
Assigning to @chasemp for a quick review of our intake process to make sure our various Phab forms are set up correctly :)
@Aklapper @Legoktm - I think the Security-Team is fine with Security Readiness Reviews and Security Preview requests being public with the discretion to protect if certain vulnerabilities are found during a review within production/live code and possibly even within certain public gerrit/github/etc repos.
The form at https://phabricator.wikimedia.org/maniphest/task/edit/form/79/ sets things to be viewable by all users and has an indicator at the top so that folks filing requests know that upfront. In concert with @sbassett's notes above I think things are cool. I believe this task itself was filed as a security issue task type, which security readiness reviews are not.
(small edit: concept reviews are private when filing due to the nature of the requests.)
This seems fine to go ahead. I've documented this on officewiki (along with other WordPress-based sites), to keep track of what's going on across them. Looking into WordPress things is hard, as looking into CVE lists for WordPress finds a lot of results...
When we know about this, updating the document on officewiki would be appreciated :)
Gutenberg is available as part of the default https://github.com/automattic/vip-go-mu-plugins bundle on wpvip. We enabled it with this config change -- https://github.com/wpcomvip/wikimedia-techblog/commit/d3e509a77ad045749e10853b7e87e3e3cfc04a61. I will update the table at [[officewiki:WordPress]] to reflect this.