Per our conversation in #wikimedia-dev today, it has long been assumed that running update.php on the cluster will result in death and destruction. We've never actually tried, and there's talk of trying it out on test2wiki to see what happens, but for now update.php is still considered very much unsafe.
This isn't really documented, though, it's just well-known... except to newcomers. So it'd be nice to add a config var that, if enabled, makes update.php refuse to run. Lest anyone accidentally run update.php and cause a terrible mess. Of course the default behavior should be to allow update.php to be run, because most wikis aren't special like us :D
Version: 1.20.x
Severity: normal