This task is part of a project to establish a formal review process and set of standards for Wikimedia technical documentation. For more information, visit the project page on mediawiki.org
Boldly adding Security-Team per my last comment, as I wonder 1) if there is agreement on what I wrote, and 2) if there would be capacity on the Security team to go through the training/tutorial/"Best Practices" pages (in my second sub bullet point under "subpages take") to review and fix things (as I lack knowledge myself).
Hey @Aklapper - this isn't really prioritized work for the Security-Team at the moment, but we'll have a chat about it tomorrow at our appsec team meeting.
Hey @Aklapper - the AppSec folks (@Mstyles, @mmartorana, @Reedy, @sbassett) took a look at this at our team meeting. Some comments follow below:
Yes, this seems appropriate, thanks.
- Subpages take:
- Would like to know from Security-Team if the draft at mw:Security_for_developers/SDLC can be deleted nowadays. Maybe it's superseded by mw:Security_for_developers/Architecture? If not, who would be the page audience and who to realistically undraft it?
@Reedy just deleted the SDLC page - it was never used by any recent version of the Security-Team AFAIK. The Architecture page seems ok, at a glance. There's still some relevant information there, but like a lot of these sub-pages, it hasn't really been meaningfully updated in several years.
- Looking at 2013's obsolete mw:Security_for_developers/Training, the "session" that I "must watch" says "Permission Denied". Maybe that is c:File:MediaWiki_Security.ogv now but I am not sure. Some content of the linked slides at c:File:TechDays2012-SecureCoding.pdf seems to be present in mw:Security_for_developers/Tutorial, some content under "Best Practices" (but not all content) seems to be either under mw:Security_for_developers/Tutorial#Media_Wiki_Secure_Coding_Checklist_4 [sic!] or maybe mw:Security_checklist_for_developers (I guess Security-Team folks may want to double-check).
Security_for_developers/Training has now been redirected per the item below.
- IMHO 2013's obsolete page mw:Security_for_developers/Training should be deleted by redirecting it to mw:Security_for_developers/Tutorial.
Security_for_developers/Training is now a #REDIRECT to Security_for_developers/Tutorial.
- IMHO section mw:Security_for_developers/Tutorial#Media_Wiki_Secure_Coding_Checklist_4 [sic!] should be removed, by merging it into / linking that section to mw:Security_checklist_for_developers instead.
Done.
Whou, thanks a lot! (I didn't expect the team to clean up themselves but only hoped for feedback - highly appreciated!)
Alright, looks like we could start the content review of the actual page already.
Heh, diving deeper, I only now realized that https://www.mediawiki.org/wiki/Wikimedia_Security_Team/SDLC might be a duplicate of that. ^
And I wonder if https://www.mediawiki.org/wiki/Security/Reference/Security_for_libraries should be linked from anywhere (or maybe just merged into some other page).
And if https://www.mediawiki.org/wiki/Security/Training should link to https://www.mediawiki.org/wiki/Security_for_developers/Tutorial ?
(For the records, I also made some followup edits in https://www.mediawiki.org/w/index.php?title=Security%2FTraining&type=revision&diff=5050957&oldid=4766023 and https://www.mediawiki.org/w/index.php?title=Security_for_developers&type=revision&diff=5050956&oldid=5050827 )
I think this page can also just be deleted. It serves no purpose for the current Security-Team.
And I wonder if https://www.mediawiki.org/wiki/Security/Reference/Security_for_libraries should be linked from anywhere (or maybe just merged into some other page).
mw:Security/Reference/Security_for_libraries is likely superseded by mw:Wikimedia_Security_Team/Third_Party_Code_Review_Checklist, which is what the current Security-Team uses as a baseline for any third party/vendor code. So this can likely become a redirect.
And if https://www.mediawiki.org/wiki/Security/Training should link to https://www.mediawiki.org/wiki/Security_for_developers/Tutorial?
mw:Security/Training should probably just be re-titled as Training_Resources or something along those lines, indicating that's it really just a collection of links and other resources for people interested in security-related training. I don't think it probably belongs on mw:Security_for_developers/Tutorial as that page is more about very specific coding examples and is already fairly lengthy.
(For the records, I also made some followup edits in https://www.mediawiki.org/w/index.php?title=Security%2FTraining&type=revision&diff=5050957&oldid=4766023 and https://www.mediawiki.org/w/index.php?title=Security_for_developers&type=revision&diff=5050956&oldid=5050827 )
Looks good, thanks!