Page MenuHomePhabricator
Create Task
Maniphest T275144

Upgrade Matomo to latest upstream
Closed, ResolvedPublic
Actions

Description

https://matomo.org/changelog/

We shouldn't lag too much from upstream, a lot of security fixes are always added and piwik.wikimedia.org is exposed to the Internet (even if behind CAS).

https://wikitech.wikimedia.org/wiki/Analytics/Systems/Matomo#Upgrade_Matomo

Event Timeline

elukey created this task.Feb 18 2021, 5:38 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 18 2021, 5:38 PM
razzi claimed this task.Mar 4 2021, 5:41 PM
razzi triaged this task as Medium priority.
razzi edited projects, added Analytics-Clusters; removed Analytics.
Ottomata moved this task from Backlog to Q4 2020/2021 on the Analytics-Clusters board.Mar 9 2021, 5:42 PM
Ottomata reassigned this task from razzi to BTullis.Jul 12 2021, 3:52 PM
BTullis added a project: Analytics-Kanban.Jul 22 2021, 4:19 PM
Ottomata moved this task from Q4 2020/2021 to Q1 2021/2022 on the Analytics-Clusters board.Jul 26 2021, 3:40 PM
Ottomata reassigned this task from BTullis to RKemper.Aug 2 2021, 3:48 PM
Ottomata updated the task description. (Show Details)
Ottomata added a subscriber: BTullis.
odimitrijevic added a project: Data-Engineering.Aug 12 2021, 5:46 PM
odimitrijevic added a project: Data-Engineering-Kanban.Aug 12 2021, 5:53 PM
odimitrijevic moved this task from Incoming (new tickets) to Visualize on the Data-Engineering board.Aug 12 2021, 5:56 PM
BTullis removed RKemper as the assignee of this task.Aug 17 2021, 4:08 PM
BTullis added a subscriber: RKemper.
BTullis claimed this task.Sep 15 2021, 1:26 PM
BTullis moved this task from Next Up to In Progress on the Analytics-Kanban board.
BTullis reassigned this task from BTullis to razzi.Sep 15 2021, 5:23 PM
razzi moved this task from In Progress to Paused on the Analytics-Kanban board.Oct 20 2021, 4:11 PM
Ottomata moved this task from Q1 2021/2022 to Q2 2021/2022 on the Analytics-Clusters board.Oct 25 2021, 3:37 PM
Ottomata closed this task as Resolved.Oct 26 2021, 8:38 PM

Today Razzi and I looked into this. We upgraded to Matomo 3.14.1. However, http://debian.matomo.org/ and https://github.com/matomo-org/matomo-package/issues/131. Matomo is not maintaining debian packages anymore beyond 3.14.1.

It'd likely be good to upgrade to Matomo 4+, but that will be more work than we are currently able to put towards it. We'll discuss as a team what to do. Resolving this task for now.

elukey added a comment.Oct 27 2021, 7:02 AM

I think that we should open a separate task to fork https://github.com/matomo-org/matomo-package/tree/master/debian in a separate gerrit repo and try to upgrade to 4.x in the future. Upstream often advertises medium to high security vulnerabilities (we are protected by CAS but it is still a UI in our network exposed to the public etc..) and it is really easy to forget about checking Matomo every now and then (I've done it in the past multiple times :D).

It would be a good Debian exercise for @razzi or anybody else that wants to work on packaging, and I can help in case DE is busy with other projects.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits