
Security Readiness Review For WatchSubpages
Closed, DeclinedPublic

Description

Project Information

Description of the tool/project:
WatchSubpages extension allows a user to add all subpages of a page quickly to their watchlist.

Description of how the tool will be used at WMF:
https://meta.wikimedia.org/wiki/Community_Wishlist_Survey_2021/Watchlists/Automatically_add_subpages_in_the_watchlist
T237809: Install Extension:WatchSubpages on frwiktionary

Dependencies

List dependencies, or upstream projects that this project relies on.

None

Has this project been reviewed before?

Please link to tasks or wiki pages of previous reviews.

No

Working test environment

Please link or describe setup process for setting up a test environment.

Base MediaWiki install, deploy extension

Post-deployment

Name of team responsible for tool/project after deployment and primary contact.

Event Timeline

Restricted Application added a subscriber: Aklapper.

I will note before this is done, it is required to set up phan on the extension. https://www.mediawiki.org/wiki/Continuous_integration/Tutorials/Add_phan_to_a_MediaWiki_extension provides an example of how to do that.

I would also note that the required MW version would seemingly be wrong too

	"requires": {
		"MediaWiki": ">= 1.28.0"
	},

	$namespaces = MediaWikiServices::getInstance()->getContentLanguage()->getNamespaces();

getContentLanguage() on MediaWikiServices was not added until 1.32. Though, the result of the expression isn't actually used, so it should be removed. But that same snippet of code is used elsewhere, so it definitely needs to be >= 1.32.0, if not higher depending on other code (I didn't check it all).

Oh, and as part of the Phan part... At least some of the items on https://www.mediawiki.org/wiki/Best_practices_for_extensions need dealing with (such as file structure)
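The mismatch Reedy points out above (extension.json declaring `>= 1.28.0` while the code calls a service method that only exists from 1.32) is mechanical enough to lint for. The script below is an added example, not part of the WatchSubpages extension or of MediaWiki's own tooling; it parses the `requires` constraint, finds `MediaWikiServices::getInstance()->...()` call chains in PHP source, and reports which calls need a newer core than the one declared. The API-to-version map holds only the fact stated in this thread; the sample inputs are constructed to mirror it.

```python
"""Lint: does an extension's declared MediaWiki minimum cover the core APIs it calls?
Added example for this review thread, not MediaWiki or WatchSubpages code."""
import json
import re

# Version in which each core API first became available. Only the entry stated
# in the thread is included; extend from MediaWiki release notes as needed.
API_MIN_VERSION = {
    "MediaWikiServices::getContentLanguage": (1, 32, 0),
}


def parse_version(text):
    """'1.32.0' -> (1, 32, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def declared_minimum(extension_json):
    """Return the minimum core version from a '>= x.y.z' requires clause."""
    constraint = json.loads(extension_json)["requires"]["MediaWiki"]
    match = re.fullmatch(r"\s*>=\s*(\d+(?:\.\d+)*)\s*", constraint)
    if not match:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    return parse_version(match.group(1))


def used_apis(php_source):
    """Collect MediaWikiServices::getInstance()->method() chains in PHP source."""
    pattern = r"MediaWikiServices::getInstance\(\)\s*->\s*(\w+)\s*\("
    return {f"MediaWikiServices::{name}" for name in re.findall(pattern, php_source)}


def check_compat(extension_json, php_source):
    """Return (declared_min, actual_required_min, {api: version_needed})."""
    declared = declared_minimum(extension_json)
    offending = {}
    for api in used_apis(php_source):
        needed = API_MIN_VERSION.get(api)
        if needed and needed > declared:
            offending[api] = needed
    required = max(offending.values(), default=declared)
    return declared, required, offending


# Constructed sample mirroring the thread: declares 1.28 but calls a 1.32 API.
SAMPLE_EXTENSION_JSON = '{"requires": {"MediaWiki": ">= 1.28.0"}}'
SAMPLE_PHP = """<?php
$namespaces = MediaWikiServices::getInstance()->getContentLanguage()->getNamespaces();
"""

if __name__ == "__main__":
    declared, required, offending = check_compat(SAMPLE_EXTENSION_JSON, SAMPLE_PHP)
    for api, version in offending.items():
        print(f"{api} needs {'.'.join(map(str, version))}, declared {'.'.join(map(str, declared))}")
```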

sbassett moved this task from Incoming to Back Orders on the secscrum board.
sbassett subscribed.

@Prod - just to clarify, is there a WMF sponsoring team for this (deployment + support) or a desired date for production deployment? Thanks.


As far as I know, no, there is no sponsoring team, and no planned date. This was requested by the communities linked in the parent task, so I'm trying to follow the process, though it will take some time (no target).

sbassett lowered the priority of this task from Low to Lowest. Dec 7 2020, 5:26 PM


Ok, just ping us on this task when it gets closer to production-ready and maybe a desired deployment timeframe comes into view. Typically we'd like at least 30 days notice to turn around a security readiness review.


Extension works correctly in the master branch (MediaWiki 1.36).
BTW, maybe link in sidebar should be added.

In T269517#6671857, Reedy wrote:

it is required to setup phan on the extension.

Done in 11220f0768c3b007d26861b050725acf0479cbec

I would also note that the required MW version would seemingly be wrong too

Bumped to 1.32 in 11220f0768c3b007d26861b050725acf0479cbec

Jcross subscribed.

Untagging as there has been no activity. Please feel free to re-tag if this moves forward and we will be happy to triage.

For a bit more clarification on the comment above and per our security readiness review SOP, the Security-Team would be happy to re-triage this if a few more details can be provided regarding:

  1. A more specific target deployment date.
  2. An intended production support plan, including any potential Foundation team sponsorship.
  3. A working test environment, be that in Mediawiki-Docker, a standalone docker, a cloud installation, patchdemo, perhaps even a beta deployment, etc. While we can in theory just manually install the extension against a local copy of mediawiki, it helps us quite a bit to have an existing development environment with potentially real data to test against.

Thanks.

Aklapper changed the task status from Open to Stalled. Feb 14 2021, 12:17 PM

This task is a Security Readiness Review request, so it should be tagged with Application Security Reviews, which allows finding all and any security readiness review requests by looking at tasks tagged with Application Security Reviews.
If this task is not an actionable review request, then please set its task status to "stalled". Once this task becomes actionable, please change the task status back to "open".
Thanks.

That Herald rule makes no sense.


I tried following the beta cluster steps, but it seems I need a security review to be completed before I can do that - https://gerrit.wikimedia.org/r/c/mediawiki/tools/release/+/663892
I don't see a way to include my extension into the patchdemo.
My OS doesn't support Docker.

If you're interested in seeing it in use live, I have a recent version (without the watchlist expiry/dependency injection from 2.4.1) running on my website which I could link (or check my Wikipedia user page for a link).

Please suggest how I can proceed.

Hi, just a quick reminder that, as mentioned above, we will be unable to prioritize and schedule a security review until we've received an intended production support plan, including any potential Foundation team sponsorship. Please review our SOP for details: https://www.mediawiki.org/wiki/Security/SOP/Security_Readiness_Reviews

JBennett subscribed.

The Security team is updating their readiness review SOP to reflect a new change that any request that has aged 90 days without being in a reviewable state will be declined. We do this to help keep our work area current, accurate and reflective of actual work. If the status of your project changes please re-tag us and we will get this work scheduled.

@Jcross: Please do not remove correct metadata as it makes it harder to find tasks. This is and was a security readiness review request (which has been declined). Thanks.