Add support for package versioning
Open, Needs Triage, Public

Description

We need a way for MediaWiki to know/display the "package version" which may be different from MW_VERSION.

In the case of the 1.35.5 release, the security fixes were backported into the 1.35.4 Debian packages, but MW_VERSION wasn't bumped as it is not 1.35.5 as we know it.

Debian is using 1:1.35.4-1+deb11u2.

It would be useful if we could allow packages to set a version somewhere, and if it exists, use that to override the version display on Special:Version, the siteinfo API, etc. to prevent false positive security reports that an installation may be vulnerable to known/open/fixed exploits.

We can't just use the Debian version in MW_VERSION as it is not valid semver.

Event Timeline

Since we'll end up outputting this via the API, it would be nice if we could also use it to expose a bit more info too... maybe inside PlatformSettings.php:

define( 'MW_PACKAGED', [ 'version' => '1:1.35.4-1+deb11u2', 'distributor' => 'Debian' ] );

For Docker-Hub-MediaWiki it could be:

define( 'MW_PACKAGED', [ 'distributor' => 'Docker Hub official-image' ] );

because it only uses exact released versions.

Ideally this would be placed in PlatformSettings.php, and then Special:Version / API meta=siteinfo can look for the constant if it's defined, using whatever fields are present.

Related is T200375: Implement Pingback v2, where we wanted to track the distro source, e.g. tarball, git, debian...probably should consider that too.
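An added example, not part of the task or of MediaWiki's code: how a version-based checker could use the proposed package fields to avoid the false positive described above. The `reported` dict shape (a `version` key for MW_VERSION and an optional `packaged` key carrying the MW_PACKAGED fields) is an assumption, since the task does not define the API output; the sample inputs are constructed from the values quoted in the task.

```python
import re

# SemVer 2.0.0 shape: X.Y.Z with optional -prerelease and +build parts.
SEMVER = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")


def is_semver(version):
    """True if the string has SemVer shape; a Debian epoch ("1:") fails."""
    return bool(SEMVER.match(version))


def split_debian_version(version):
    """Split a Debian version of the form [epoch:]upstream[-revision]."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision


def release_tuple(version):
    """Numeric X.Y.Z of an upstream release, ignoring any -suffix."""
    return tuple(int(part) for part in version.split("-")[0].split("."))


def triage(reported, fixed_in):
    """Classify an installation against the upstream release that fixed a bug.

    reported: hypothetical dict, e.g.
        {"version": "1.35.4",
         "packaged": {"version": "1:1.35.4-1+deb11u2", "distributor": "Debian"}}
    fixed_in: upstream release containing the fix, e.g. "1.35.5".
    """
    if release_tuple(reported["version"]) >= release_tuple(fixed_in):
        return "not-affected"
    packaged = reported.get("packaged") or {}
    if "version" in packaged:
        _, _, revision = split_debian_version(packaged["version"])
        if revision:
            # A distributor revision means fixes may have been backported,
            # so the upstream number alone cannot decide this case.
            return "check-distributor-advisory"
    # Plain tarball, or a distributor that ships exact upstream releases.
    return "affected"
```
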