
Upgrade Matomo to latest upstream
Closed, Resolved | Public

Description

https://matomo.org/changelog/

We shouldn't lag too far behind upstream: a lot of security fixes are always added, and piwik.wikimedia.org is exposed to the Internet (even if behind CAS).

https://wikitech.wikimedia.org/wiki/Analytics/Systems/Matomo#Upgrade_Matomo

Event Timeline

razzi triaged this task as Medium priority.
razzi edited projects, added Analytics-Clusters; removed Analytics.
Ottomata updated the task description.
Ottomata added a subscriber: BTullis.
BTullis added a subscriber: RKemper.

Today Razzi and I looked into this. We upgraded to Matomo 3.14.1. However, http://debian.matomo.org/ and https://github.com/matomo-org/matomo-package/issues/131. Matomo is not maintaining Debian packages anymore beyond 3.14.1.

It'd likely be good to upgrade to Matomo 4+, but that will be more work than we are currently able to put towards it. We'll discuss as a team what to do. Resolving this task for now.

I think that we should open a separate task to fork https://github.com/matomo-org/matomo-package/tree/master/debian in a separate Gerrit repo and try to upgrade to 4.x in the future. Upstream often advertises medium to high security vulnerabilities (we are protected by CAS, but it is still a UI in our network exposed to the public, etc.) and it is really easy to forget about checking Matomo every now and then (I've done it in the past multiple times :D).

It would be a good Debian exercise for @razzi or anybody else that wants to work on packaging, and I can help in case DE is busy with other projects.