Page MenuHomePhabricator

Security Readiness Review For ChessBrowser extension
Closed, DeclinedPublic

Description

NOTE: The Security-Team will strive to set an Estimated Start date after submission

Project Information

Description of the tool/project: ChessBrowser is an extension which takes Portable Game Notation and produces an interactive user interface for viewing and navigating the chess game.

Description of how the tool will be used at WMF: The extension would primarily be used on Wikipedias to enhance encyclopedic coverage of chess games such as the Opera Game and the Evergreen Game. The Hebrew and Russian Wikipedias have a javascript gadget for this purpose, but the English Wikipedia has not done so for performance reasons. Despite this, multiple discussions on the English Wikipedia have shown a desire for a way to interactively view chess games (most recent discussion, 2016 discussion, village pump archive search).

Dependencies
None

Has this project been reviewed before?
No

Working test environment
I have a test environment set up using mediawiki vagrant. Taking any PGN and placing it between <pgn></pgn> tags will invoke the extension and allow testing. A good test example would be copying https://www.mediawiki.org/wiki/Extension:ChessBrowser/Test_games, which includes multiple games with different special behaviours.

Post-deployment
Wugapodes and DannyS712 will be primarily responsible for the code. Kipod has also contributed to the code base and may be interested in post deployment support.

Event Timeline

Jcross triaged this task as Low priority.Feb 6 2020, 6:05 PM
Jcross lowered the priority of this task from Low to Lowest.
Jcross moved this task from Incoming to Back Orders on the Security Readiness Reviews board.

@Wugapodes - thanks for submitting this review. Is the goal in working upon and reviewing this extension to eventually get it into WMF production? If so, does it have any sponsoring WMF team or collective of individuals within Tech or Product? if there isn't a WMF sponsor and target deployment date, the Security-Team will have to triage this task as a lower priority for now. Thank you!

@Jcross Thanks for the triage. That is the goal, yes, however no WMF team is sponsoring this project yet so T244075 has been stalled. You should probably triage this task as lowest priority or stall it (depending on your workflow) until I can talk more with WMF stakeholders. Thanks!

Aklapper changed the visibility from "All Users" to "Public (No Login Required)".Feb 6 2020, 6:21 PM
DannyS712 raised the priority of this task from Lowest to Needs Triage.Mar 8 2020, 10:45 AM

@Wugapodes - thanks for submitting this review. Is the goal in working upon and reviewing this extension to eventually get it into WMF production? If so, does it have any sponsoring WMF team or collective of individuals within Tech or Product? if there isn't a WMF sponsor and target deployment date, the Security-Team will have to triage this task as a lower priority for now. Thank you!

Hey there.

Which member of Wikimedia staff is sponsoring this work?

Wugapodes reached out to me, and I discussed with this with other members of Community Tech. I think we'd like to help! I'm not sure what all you need from us, but we can commit some time to code review and assisting with deployment.

Requesting retriage per commitment from community tech

DannyS712 added a subscriber: chasemp.

@chasemp this was moved to "Watching" on secscrum - who should be contacted to conduct the review? Security Readiness Reviews says that "Workboard is tracked at secscrum."

@DannyS712 - per our SOP under Submission and Timelines, we'll still need some additional information before we can re-triage and schedule this review, namely the target date for deployment (Community-Tech as the deployment sponsors will need to confirm this) and a branch and commit sha signifying the development stopping point for the review, as we cannot review a moving target. If that's just 3515ac6, that's fine - please feel free to add it to the task description.

sbassett changed the task status from Open to Stalled.May 12 2020, 4:48 PM
sbassett triaged this task as Low priority.

Setting to stalled/low for now until we get a better sense of a realistic deployment timeline, confirmed by Community-Tech per above comment.

We are untagging as there is currently no path to production that we are aware of. Should this change, please feel free to tag us back in and we will triage.

This task is a Security Readiness Review request, so this task should be tagged with Security Readiness Reviews which allows to find all and any security readiness review requests by looking at tasks tagged with Security Readiness Reviews.
If this task is not an actionable review request, then please set its task status to "stalled". Once this task becomes actionable, please change back the task status to "open".
Thanks.

That Herald rule makes no sense.

@Jcross, I am volunteering to be the deployment sponsor for this extension for the Beta cluster. I'm not currently a WMF staff member, but I am a code deployer. I have also done an initial review of this extension at T244075#6981581 and believe it poses very low risk.

@ori We will discuss at our next AppSec scrum and provide an update next week. Thanks!

Hey @ori -

Thank you for doing this work, we appreciate your efforts in trying to get this extension to production. Unfortunately, the Security team is unable to assign a risk rating based upon a review not performed by a member of the Security team or an approved vendor.

Current deployment policy states that a formal security review is not a hard blocker for beta deployment, but we would ask that a sponsoring team and/or manager at the Foundation be willing to accept at least a medium risk for the deployment of the ChessBrowser extension at this time. Please note that while the Security team would like to accommodate this review request, we likely cannot accept it for this quarter (ending July 1st, 2021) and it would remain a lower priority given our current security review SOP prioritization framework.

Please let us know if there is a sponsoring team and/or manager willing to accept at least a medium risk for deployment of this extension. Once we hear from you we will move ChessBrowser forward with our regular scheduling and prioritization process. Thank you!

@Jcross, thank you for taking up and considering this request — I appreciate it. I think we can ask around for a team to sponsor this project, but I want to make sure I understand what exactly we'd be asking for. What, practically speaking, does it mean for a team/manager to "accept at least a medium risk for deployment of this extension"?

If there's no hard-and-fast definition, here's what I propose:

The team and/or manager agree to:

  • Code-review wmf-config changes that enable the extension or alter its configuration.
  • Be on-hand for troubleshooting during the actual deployment to Beta.
  • If severe bugs are discovered, ensure that the extension is disabled.

I am deliberately leaving out any mention of the sponsoring team being on the hook to actually fix bugs, since I think that isn't necessary, would kill any chance of us finding a sponsor. I think I and the extension's authors can address bugs. If severe defects are discovered and we're unresponsive the sponsor would simply disable the extension.

Finally, the permission to go ahead with enabling this extension (if granted) would be understood to apply only to the Beta cluster and does not extend to prod wikis.

How does that sound?

Thanks, @ori . These assumptions sound correct to us and make a beta deployment for this extension low risk. While the Security Team is not in the business of giving thumbs up/thumbs down approvals, low risk is automatically accepted by the Foundation thus unblocking beta deployment. I hope this is helpful and helps you to move forward with the project.

Its now sounding like maybe you don't need a sponsoring team for beta deployment, but at any rate we at Community-Tech have discussed this project again and are happy to help see it through production, including listing us as the code steward if necessary. Some of us have done a cursory code review and also believe it be low-risk. Let us know if/when you need anything. @dmaza is our interim engineering manager (and fellow chess player!) if you need manager endorsement.

sbassett closed this task as Resolved.EditedApr 27 2021, 3:59 PM
sbassett claimed this task.
sbassett moved this task from Back Orders to Our Part Is Done on the secscrum board.

Its now sounding like maybe you don't need a sponsoring team for beta deployment, but at any rate we at Community-Tech have discussed this project again and are happy to help see it through production, including listing us as the code steward if necessary. Some of us have done a cursory code review and also believe it be low-risk. Let us know if/when you need anything. @dmaza is our interim engineering manager (and fellow chess player!) if you need manager endorsement.

No, the Security-Team would definitely still prefer a sponsoring WMF team, to be accountable for deployment, maintenance and security issues, should any arise. And to own and accept any risk, since it's likely impossible to have volunteers and community members do that. I've gone ahead and added @dmaza and Community-Tech as the acceptors of a default medium risk for the beta-deployment of the ChessBrowser extension. Should this extension eventually find a path to wikimedia production, we would want to re-open this task and schedule a proper security readiness review.

sbassett changed the task status from Resolved to Declined.Apr 27 2021, 5:52 PM

@sbassett : currently, the beta deployment task, T244075 depends on this task.
iiuc, there is kind of agreement that the extension can be deployed to test wiki, maybe under some conditions.
can you please update the beta task, and clarify if it can progress despite declining this task, and if so, what needs to be done?
maybe it's clear to everyone but me...
peace.

Hey @Kipod - per the latest deployment doc (specifically item 4), while security readiness reviews are recommended for beta deployment, they aren't necessarily a hard blocker as they would be for production deployment. The Security-Team cannot always accommodate every review request (and the desired completion date) we receive, but as long as someone is willing to accept a default risk rating (in this case, Community-Tech) then beta deployment can proceed.