Security Readiness Review For Extension:NearbyPages
Open, Medium, Public

Description

We would like to replace the existing MobileFrontend implementation with Nearby.

Project Information

Description of the tool/project:

Allows display of pages near any given location.

Description of how the tool will be used at WMF:

Will replace the existing Nearby page https://en.wikipedia.org/wiki/Special:Nearby packaged with MobileFrontend.

Dependencies

None. Only mediawiki core.

Has this project been reviewed before?

No

Working test environment

There are two modes to test planned for use in production:

en.wikipedia.org
(default no LocalSettings.php changes needed)

wikidata.org

# Note that in production CORS requests will not be made - they will go through /w/api.php - this is just to aid testing.
$wgNearbyPagesUrl = "https://www.wikidata.org/w/api.php";
$wgNearbyPagesWikidataCompatibility = true;

Post-deployment

Readers web

Event Timeline

Jdlrobson renamed this task from Security review of Extension:NearbyPages to Security Readiness Review For Extension:NearbyPages. (Dec 3 2020, 4:26 PM)
Jdlrobson updated the task description.
sbassett changed the task status from Open to Stalled. (Dec 7 2020, 4:36 PM)
sbassett triaged this task as Lowest priority.
sbassett moved this task from Incoming to Back Orders on the secscrum board.
sbassett added a subscriber: sbassett.

Per @Aklapper's comment above, let us know when this is actually ready and the review template has been completed and we can work to get it scheduled. Thanks.

@sbassett what's missing from this task? I copied over the template to the description here but I did it manually so I might be missing something crucial.
This is ready for review now.

Ok, I see it now, thanks. We'll try to get this scheduled for next quarter.

sbassett changed the task status from Stalled to Open. (Dec 7 2020, 4:56 PM)
sbassett raised the priority of this task from Lowest to Medium.

Hi @Jdlrobson - we're revamping our scheduling process a bit to provide more clarity and transparency around our workload management and prioritization process. You'll see that we've placed you into queue for this quarter, and will do our best to meet your target deployment date: https://phabricator.wikimedia.org/tag/secscrum/ and @sbassett or @Reedy will be in touch with any questions or concerns. Thanks for your patience as we work through this, and please feel free to reach out at any time!

Just wanted to check in on this one given my target deployment date has passed. No urgency from my side, but I'd like to have a clearer idea on when I can expect to schedule this work.

Hey @Jdlrobson - apologies for the delay. We have our appsec scrum this Wednesday and should be able to provide more details at that time. I will note that part of the delay for this review is that we may end up outsourcing it to one of our security vendors for completion. Again, we should have more details about this after our Wednesday scrum. Thank you for your patience.

Apologies for the lack of updates @Jdlrobson - we do have a vendor lined up to complete this and will be in touch as they move forward. Thank you for your patience.

Thanks for the update! FYI I am off for a week on vacation starting tomorrow.