Page MenuHomePhabricator
Create Task
Maniphest T349

Security update planning re Composer managed libraries for use on WMF cluster
Closed, ResolvedPublic
Actions

Description

From the last RfC meeting on 13 August 2014:

21:22:08 <sumanah> csteipp: Followup from 23 July: have we done security update planning re Composer managed libraries for use on WMF cluster?
21:22:09 <AndyRussG> :)
21:22:14 <sumanah> bd808|BUFFER:
21:22:33 <csteipp> Not really?
21:23:09 <csteipp> I know bd808|BUFFER is sponsoring the monolog bit, so he's the person to watch for updates, and will delegate someone else if when he's no longer able to
21:23:30 <csteipp> But the process hasn't been documented anywhere that I'm aware of
21:23:46 <sumanah> "Look into https://security.sensiolabs.org/check and https://github.com/sensiolabs/security-advisories for vulnerability tracking" - can we assign this to Bryan as well?
21:24:46 <csteipp> Right, I was on vacation for that meeting... no wonder it didn't look familiar. That sensiolabs thing looks interesting.
21:25:41 <csteipp> I'll check with Bryan when he gets back and see if he's set it up anywhere.
21:26:05 <sumanah> #action csteipp to check with Bryan re Composer managed libraries for use on WMF cluster security planning

Details

Reference
fl534

Related Objects
Search...

Event Timeline

flimport raised the priority of this task from to Medium.Sep 12 2014, 1:45 AM
flimport added a project: Architecture.
flimport set Reference to fl534.
Qgil moved this task from Inbox to External on the Architecture board.Oct 1 2014, 7:11 AM
flimport added a subscriber: bd808.Oct 3 2014, 3:00 PM
flimport assigned this task to csteipp.Oct 6 2014, 8:00 PM
flimport added a subscriber: awight.Oct 12 2014, 10:00 PM
Qgil edited projects, added TechCom-RFC; removed Architecture.Oct 22 2014, 8:45 PM
csteipp added a comment.Oct 22 2014, 9:37 PM

Some discussion on this recently: https://bugzilla.wikimedia.org/show_bug.cgi?id=72193 (I'm not sure where that is in phabricator yet).

Legoktm added a project: Librarization.Oct 22 2014, 9:38 PM
Legoktm set Security to None.
bd808 added a comment.Oct 26 2014, 10:24 PM

The vulnerability database has been released into the public domain and transferred to https://github.com/FriendsOfPHP/security-advisories. See http://fabien.potencier.org/article/74/the-php-security-advisories-database for more details.

tstarling removed a project: TechCom-RFC.Nov 20 2014, 5:30 AM
bd808 raised the priority of this task from Medium to High.Dec 24 2014, 6:08 PM
bd808 added a subtask: T74193: Have a check for reported security issues in dependencies.
Legoktm closed subtask T74193: Have a check for reported security issues in dependencies as Resolved.Feb 27 2015, 6:44 AM
dpatrick subscribed.Nov 29 2016, 8:20 PM

Can this be closed?

bd808 added a comment.Nov 29 2016, 9:10 PM
In T349#2832521, @dpatrick wrote:

Can this be closed?

Probably. The checks should be handled automatically by the https://integration.wikimedia.org/ci/job/mediawiki-vendor-composer-security/ Jenkins job which passes the composer.lock file from mediawiki/vendor.git to https://security.sensiolabs.org/check_lock. That job is setup to email security-team@wikimedia.org when it fails.

Legoktm closed this task as Resolved.Nov 29 2016, 11:59 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits