Page MenuHomePhabricator
Create Task
Maniphest T316245

🌶️ Add `swaggest/json-diff` library as a Wikibase dependency
Closed, ResolvedPublic
Actions

Description

  • Add the library as a dependency to extensions/Wikibase/composer.json

Library code on github: https://github.com/swaggest/json-diff

Details

SubjectRepoBranchLines +/-
Add experimental composer apitests job to Wikibaseintegration/configmaster+1 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Ollie.Shotton_WMDE created this task.Aug 25 2022, 4:29 PM
Ollie.Shotton_WMDE assigned this task to WMDE-leszek.Aug 26 2022, 8:36 AM
Ollie.Shotton_WMDE moved this task from To Do to Doing on the Wikibase Product Platform (v1) (Sprint 12) board.
gerritbot added a comment.Aug 26 2022, 8:50 AM

Change 826548 had a related patch set uploaded (by Ollie Shotton; author: Ollie Shotton):

[mediawiki/vendor@master] Add swaggest/json-diff:3.8.3 for Wikibase REST API

https://gerrit.wikimedia.org/r/826548

gerritbot added a project: Patch-For-Review.Aug 26 2022, 8:50 AM
Ollie.Shotton_WMDE updated the task description. (Show Details)Aug 26 2022, 8:52 AM
WMDE-leszek added subscribers: sbassett, Reedy.Aug 26 2022, 8:57 AM

Hello @Reedy @sbassett, maybe you could advise here. Please also direct our questions to other WMF Security staff member if that'd be more accurate.

I wonder how should we go about adding the said library added to mediawiki/vendor and shipped with Mediawiki to WMF servers. I admit I do not fully understand how has the T192453 concluded. The External libraries page does not mention the Third Party Code Review Checklist. How should we proceed with getting this library approved for WMF environments? Should I open the security review request ticket? Or is there some streamlined procedure for the third party libraries?

FWIW, I have run local-php-security-checker and snyk's php vulnerability check using your own php-security-tools over the library and no issues were reported.

Thanks

WMDE-leszek updated the task description. (Show Details)Aug 26 2022, 8:57 AM
gerritbot added a comment.Aug 26 2022, 2:09 PM

Change 826874 had a related patch set uploaded (by Jakob; author: Jakob):

[mediawiki/extensions/Wikibase@master] REST: Add JsonDiffStatementPatcher

https://gerrit.wikimedia.org/r/826874

sbassett added a comment.EditedAug 26 2022, 4:03 PM

Hey @WMDE-leszek - I think the result of T192453 was to just rely upon the third party checklist for now as a basic policy for security-reviewing vendor code. While that document is likely already a bit out-of-date, it should still serve as a good starting point. The Security-Team is happy to perform due-diligence reviews of new/significantly updated third-party packages and libraries intended for production deployment. You can submit a review request via our standard appsec review form, which will then get prioritized (per our appsec SOP) at the beginning of each quarter. I'll also plan to update the External libraries page with some clarifying information soon.

WMDE-leszek added a comment.Aug 29 2022, 12:36 PM

thanks @sbassett . Request opened as https://phabricator.wikimedia.org/T316523

gerritbot added a comment.Aug 31 2022, 11:18 AM

Change 828501 had a related patch set uploaded (by Jakob; author: Jakob):

[integration/config@master] Add experimental composer apitests job to Wikibase

https://gerrit.wikimedia.org/r/828501

gerritbot added a comment.Aug 31 2022, 1:26 PM

Change 828501 merged by jenkins-bot:

[integration/config@master] Add experimental composer apitests job to Wikibase

https://gerrit.wikimedia.org/r/828501

WMDE-leszek updated the task description. (Show Details)Aug 31 2022, 7:28 PM

adding the library to be published with mediawiki/Wikibase on WMF wikis via "mediawiki/vendor" package is out of scope here, and has been moved to a separate task: T316813 to not block development.

WMDE-leszek removed WMDE-leszek as the assignee of this task.Aug 31 2022, 7:29 PM
WMDE-leszek moved this task from Doing to Peer Review on the Wikibase Product Platform (v1) (Sprint 12) board.
Silvan_WMDE moved this task from Peer Review to Done on the Wikibase Product Platform (v1) (Sprint 12) board.Sep 5 2022, 9:02 AM
WMDE-leszek closed this task as Resolved.Oct 14 2022, 12:51 PM
WMDE-leszek claimed this task.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL