Page MenuHomePhabricator
Create Task
Maniphest T363639

web-auth/webauthn-lib must be upgraded to 4+ for PHP 8.2+ support
Closed, ResolvedPublic
Actions

Description

The WebAuthn extension requires web-auth/webauthn-lib ~3.3.12, webauthn-lib 3.* requires symfony/process ^3.0|^4.0|^5.0, and symfony/process is not PHP 8.2+ compatible. (webauthn-lib 4.* doesn't seem to require symfony/process at all.) webauthn-lib 4.0 requires PHP 8.1 though, so this is not fulfillable.

Currently breaking CI for backports (e.g. https://gerrit.wikimedia.org/r/c/mediawiki/extensions/WebAuthn/+/1096610 ). Build for PHP7.4 and 8.1 succeeds, but for 8.2 and 8.3 it fails.

NOTE: The upgrade from webauth-lib 3.x to 4.x is a prerequisite for the upgrade of psr/http-message (T397068) and brick/math (T363639#10936872)

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Upgrade to web-auth/webauthn-lib ^4.9.2mediawiki/extensions/WebAuthnREL1_43+139 -115
Upgrade to web-auth/webauthn-lib ^4.9.2mediawiki/extensions/WebAuthnmaster+139 -115
Upgrade to web-auth/webauthn-lib ^4.9.2mediawiki/extensions/WebAuthnREL1_44+139 -115
Upgrade web-auth/webauthn-lib and dependencies...mediawiki/vendormaster+46 K -74 K
Zuul: Expand WebAuthn CI disable to all non-master/non-wmf branchesintegration/configmaster+4 -3
Allow web-auth/webauthn-lib ^4.8.0 as well as ~3.3.12 for PHP 8+mediawiki/extensions/WebAuthnREL1_42+1 -1
zuul: Remove WebAuthn from OATHAuth on REL1_XXintegration/configmaster+7 -0
Add symfony/uid and symfony/polyfill-uuidmediawiki/vendormaster+3 K -7
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT376276 PHP 8.4: Implicitly nullable parameter declarations deprecated
 OpenNoneT379587 PHP 8.4: Implicitly nullable parameter declarations deprecated in 3rd party vendor libs
 ResolvedReedyT378424 PHP 8.4: Implicitly nullable parameter declarations deprecated in qrcode vendor libs
 OpenNoneT317255 PHP's getElementsByTagName is slow prior to PHP 8.3
 OpenNoneT358667 Drop PHP 8.2 support from MediaWiki
 OpenNoneT366644 Raise MediaWiki's MariaDB requirement to 10.6
 OpenNoneT366646 Raise Quibble jobs' tested version of MariaDB to 10.6
 ResolvedReedyT389272 MWCallbackStream write method has a differing signature to upstream libraries
 ResolvedReedyT397068 Upgrade psr/http-message to 2.0 or later
 OpenNoneT397070 Upgrade monolog/monolog to 3.9.0 or later
 OpenFomafixT356451 Upgrade psr/log to 3.x
 OpenNoneT405346 Remove okvpn/clock-lts post WMF PHP 8.3 upgrade
 ResolvedNoneT396296 Upgrade symfony/* to PHP 8.1 versions
 DuplicateNoneT397067 Upgrade psr/log to 3.0.2 or later
 ResolvedReedyT405344 Upgrade web-auth/webauthn-lib to >= 5.2.3
 ResolvedKrinkleT358666 Drop PHP 8.1 support from MediaWiki
 ResolvedKrinkleT360995 Migrate Wikimedia production from PHP 8.1 to PHP 8.3
 ResolvedKrinkleT405031 lcobucci/clock needs upgrading for PHP 8.3
 ResolvedTgrT363639 web-auth/webauthn-lib must be upgraded to 4+ for PHP 8.2+ support
 ResolvedjnucheT411277 Patchdemo wiki creation fails due to PHP 8.1 not supported by MW
 ResolvedJdforrester-WMFT411372 wikilambda-catalyst-end-to-end broken due to new version of composer after PHP 8.1 -> 8.3 migration
 ResolvedBUG REPORTbd808T411235 Beta cluster scap using php8.1 container; php8.2 is now required

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
pmiazga closed this task as Resolved.Nov 26 2024, 5:47 PM

To summarise - looks like everything works and we don't need to upgrade the library at this moment. I'll be bold and resolve this ticket.
If you notice any problems regarding WebAuthn and PHP8.1 or have a use case when it doesn't work - please let me know and I'll investigate it.

Tgr reopened this task as Open.Dec 3 2024, 9:57 PM

WebAuthn patches are still failing, e.g. https://gerrit.wikimedia.org/r/c/mediawiki/extensions/WebAuthn/+/1096610

16:47:57 [25.6MiB/6.79s] Your requirements could not be resolved to an installable set of packages.
16:47:57 [25.6MiB/6.79s] 
16:47:57   Problem 1
16:47:57     - mediawiki/minus-x is locked to version 1.1.3 and an update of this package was not requested.
16:47:57     - Root composer.json requires web-auth/webauthn-lib ~3.3.12 -> satisfiable by web-auth/webauthn-lib[v3.3.12].
16:47:57     - mediawiki/minus-x 1.1.3 requires symfony/console ^3.3.5 || ^4 || ^5 || ^6 || ^7 -> satisfiable by symfony/console[v7.2.0].
16:47:57     - symfony/console v7.2.0 conflicts with symfony/process v5.4.47.
16:47:57     - symfony/console v7.2.0 conflicts with symfony/process v5.3.2.
16:47:57     - symfony/console v7.2.0 conflicts with symfony/process v5.0.11.
16:47:57     - symfony/console v7.2.0 conflicts with symfony/process v4.4.44.
16:47:57     - symfony/console v7.2.0 conflicts with symfony/process v4.4.26.
16:47:57     - symfony/console v7.2.0 conflicts with symfony/process v3.4.47.
16:47:57     - symfony/console v7.2.0 conflicts with symfony/process v3.3.6.
16:47:57     - symfony/process[v4.0.0, v4.0.1, v4.0.2, v4.0.3, v4.0.4, v4.0.5, v4.0.6, v4.0.7, v4.0.8, v4.0.9, v4.0.10, v4.0.11, v4.0.12, v4.0.13, v4.0.14, v4.0.15, v4.1.0, v4.1.1, v4.1.2, v4.1.3, v4.1.4, v4.1.5, v4.1.6, v4.1.7, v4.1.8, v4.1.9, v4.1.10, v4.1.11, v4.1.12, v4.2.0, v4.2.1, v4.2.2, v4.2.3, v4.2.4, v4.2.5, v4.2.6, v4.2.7, v4.2.8, v4.2.9, v4.2.10, v4.2.11, v4.2.12, v4.3.0, v4.3.1, v4.3.2, v4.3.3, v4.3.4, v4.3.5, v4.3.6, v4.3.7, v4.3.8, v4.3.9, v4.3.10, v4.3.11, v4.4.0, v4.4.1, v4.4.2, v4.4.3, v4.4.4, v4.4.5, v4.4.6, v4.4.7, v4.4.8, v4.4.9, v4.4.10] require php ^7.1.3 -> your php version (8.2.25) does not satisfy that requirement.
16:47:57     - symfony/process[v5.0.0, v5.0.1, v5.0.2, v5.0.3, v5.0.4, v5.0.5, v5.0.6, v5.0.7, v5.0.8] require php ^7.2.5 -> your php version (8.2.25) does not satisfy that requirement.
16:47:57     - web-auth/webauthn-lib v3.3.12 requires symfony/process ^3.0|^4.0|^5.0 -> satisfiable by symfony/process[v3.0.0, v3.0.1, v3.0.2, v3.0.3, v3.0.4, v3.0.5, v3.0.6, v3.0.7, v3.0.8, v3.0.9, v3.1.0, v3.1.1, v3.1.2, v3.1.3, v3.1.4, v3.1.5, v3.1.6, v3.1.7, v3.1.8, v3.1.9, v3.1.10, v3.2.0, v3.2.1, v3.2.2, v3.2.3, v3.2.4, v3.2.5, v3.2.6, v3.2.7, v3.2.8, v3.2.9, v3.2.10, v3.2.11, v3.2.12, v3.2.13, v3.2.14, v3.3.0, v3.3.1, v3.3.2, v3.3.3, v3.3.4, v3.3.5, v3.3.6, v3.3.7, v3.3.8, v3.3.9, v3.3.10, v3.3.11, v3.3.12, v3.3.13, v3.3.14, v3.3.15, v3.3.16, v3.3.17, v3.3.18, v3.4.0, v3.4.1, v3.4.2, v3.4.3, v3.4.4, v3.4.5, v3.4.6, v3.4.7, v3.4.8, v3.4.9, v3.4.10, v3.4.11, v3.4.12, v3.4.13, v3.4.14, v3.4.15, v3.4.16, v3.4.17, v3.4.18, v3.4.19, v3.4.20, v3.4.21, v3.4.22, v3.4.23, v3.4.24, v3.4.25, v3.4.26, v3.4.27, v3.4.28, v3.4.29, v3.4.30, v3.4.31, v3.4.32, v3.4.33, v3.4.34, v3.4.35, v3.4.36, v3.4.37, v3.4.38, v3.4.39, v3.4.40, v3.4.41, v3.4.42, v3.4.43, v3.4.44, v3.4.45, v3.4.46, v3.4.47, v4.0.0, v4.0.1, v4.0.2, v4.0.3, v4.0.4, v4.0.5, v4.0.6, v4.0.7, v4.0.8, v4.0.9, v4.0.10, v4.0.11, v4.0.12, v4.0.13, v4.0.14, v4.0.15, v4.1.0, v4.1.1, v4.1.2, v4.1.3, v4.1.4, v4.1.5, v4.1.6, v4.1.7, v4.1.8, v4.1.9, v4.1.10, v4.1.11, v4.1.12, v4.2.0, v4.2.1, v4.2.2, v4.2.3, v4.2.4, v4.2.5, v4.2.6, v4.2.7, v4.2.8, v4.2.9, v4.2.10, v4.2.11, v4.2.12, v4.3.0, v4.3.1, v4.3.2, v4.3.3, v4.3.4, v4.3.5, v4.3.6, v4.3.7, v4.3.8, v4.3.9, v4.3.10, v4.3.11, v4.4.0, v4.4.1, v4.4.2, v4.4.3, v4.4.4, v4.4.5, v4.4.6, v4.4.7, v4.4.8, v4.4.9, v4.4.10, v4.4.11, v4.4.12, v4.4.13, v4.4.14, v4.4.15, v4.4.16, v4.4.17, v4.4.18, v4.4.19, v4.4.20, v4.4.22, v4.4.25, v4.4.26, v4.4.27, v4.4.30, v4.4.34, v4.4.35, v4.4.36, v4.4.37, v4.4.40, v4.4.41, v4.4.44, v5.0.0, v5.0.1, v5.0.2, v5.0.3, v5.0.4, v5.0.5, v5.0.6, v5.0.7, v5.0.8, v5.0.9, v5.0.10, v5.0.11, v5.1.0, v5.1.1, v5.1.2, v5.1.3, v5.1.4, v5.1.5, v5.1.6, v5.1.7, v5.1.8, v5.1.9, v5.1.10, v5.1.11, v5.2.0, v5.2.1, v5.2.2, v5.2.3, v5.2.4, v5.2.7, v5.2.10, v5.2.11, v5.2.12, v5.3.0, v5.3.2, v5.3.4, v5.3.7, v5.3.11, v5.3.12, v5.3.13, v5.3.14, v5.4.0, v5.4.2, v5.4.3, v5.4.5, v5.4.7, v5.4.8, v5.4.11, v5.4.19, v5.4.21, v5.4.22, v5.4.23, v5.4.24, v5.4.26, v5.4.28, v5.4.34, v5.4.35, v5.4.36, v5.4.39, v5.4.40, v5.4.44, v5.4.45, v5.4.46, v5.4.47].

Once the problem is fixed, we should revert rCICF1eb9f9b0310f: zuul: Remove WebAuthn from OATHAuth on REL1_XX before closing this task.

pmiazga added a comment.EditedDec 4 2024, 3:21 PM

So the problem is with PHP8.2 and upwards. Not with our target PHP8.1 and PHP7.4 ( per linked failing job:

https://integration.wikimedia.org/ci/job/quibble-composer-mysql-php81-noselenium/6671/console : SUCCESS in 13m 17s
https://integration.wikimedia.org/ci/job/quibble-composer-mysql-php81-selenium/5107/console : SUCCESS in 10m 14s
https://integration.wikimedia.org/ci/job/quibble-composer-mysql-php82-noselenium/5815/console : FAILURE in 1m 38s
https://integration.wikimedia.org/ci/job/quibble-composer-mysql-php83-noselenium/4115/console : FAILURE in 1m 15s

Let me update ticket.

pmiazga renamed this task from web-auth/webauthn-lib must be upgraded to 4+ for PHP 8 support to web-auth/webauthn-lib must be upgraded to 4+ for PHP 8.2+ support.Dec 4 2024, 3:22 PM
pmiazga updated the task description. (Show Details)Dec 4 2024, 3:24 PM
pmiazga edited projects, added PHP 8.3 support; removed PHP 8.1 support, PHP 8.0 support.
pmiazga added a project: PHP 8.4 support.
Tgr edited parent tasks, added: T360995: Migrate Wikimedia production from PHP 8.1 to PHP 8.3; removed: T328922: Drop PHP 8.0 support from MediaWiki.Dec 18 2024, 3:13 PM
pmiazga removed pmiazga as the assignee of this task.Jan 20 2025, 3:24 PM
pmiazga moved this task from In progress (DO NOT USE) to Needs refinement on the MediaWiki-Platform-Team board.
pmiazga subscribed.

Moving it back to soon. Let's wait for prod to catch up with PHP8.1 and then we can upgrade the lib. It would be much easier to support just 8.x and drop the PHP7.4 support.

Also, unassigning myself as I'm not actively working on it.

Reedy moved this task from Backlog to Wikimedia production on the PHP 8.4 support board.Jan 25 2025, 12:12 AM
Jdforrester-WMF mentioned this in T386108: Make PHP 8.4 voting on development (master) branch of MW ecosystem (core, vendor, extensions, skins, libraries) in CI.Feb 11 2025, 3:32 PM
Reedy moved this task from Backlog to Wikimedia production on the PHP 8.3 support board.Feb 21 2025, 10:52 PM
Reedy mentioned this in T379587: PHP 8.4: Implicitly nullable parameter declarations deprecated in 3rd party vendor libs.Feb 28 2025, 11:02 PM
Reedy added a comment.EditedApr 1 2025, 7:36 PM

This has come back to bite us again, causing T390754: Extensions that pull in WebAuthn for their CI can support PHP 7.4 or PHP 8.2+, but not both (was: quibble-composer-mysql-php8[23] fail since 31/3) due to rCICF8d4fe15c61b3: zuul: Update WikimediaEvents dependencies

Very explicitly, for PHP8.2+ support, even running it in CI, it will need to be upgraded.

taavi added a subtask: T328922: Drop PHP 8.0 support from MediaWiki.Apr 1 2025, 7:42 PM
Tgr moved this task from Needs refinement to Inbox, needs triage on the MediaWiki-Platform-Team board.Apr 1 2025, 8:32 PM
larissagaulia moved this task from Inbox, needs triage to Needs refinement on the MediaWiki-Platform-Team board.Apr 7 2025, 2:37 PM
Tgr added a comment.Apr 7 2025, 9:21 PM

Needs to wait until PHP 7 is gone from Wikimedia production.

pmiazga added a comment.Apr 8 2025, 11:16 AM

As @Tgr said, if we need to support both PHP7 and PHP8 - we will need to support two different library versions (WebAuthn v3, and WebAuthn v4). And this makes things complicated. We're pretty close to migrating away from PHP7 entirely - therefore it would be better to wait and just migrate this extension to newer version of WebAuthN lib. This approach substantially reduces the risk related to running two different major versions of auth library.

BTW, a note - there is a WebAuthn v5 but this requires PHP8.2 and up - therefore we cannot migrate directly to 5.x

Reedy added a comment.EditedApr 8 2025, 11:58 AM

I'm very aware of the complexities. See what happened with https://gerrit.wikimedia.org/r/c/mediawiki/extensions/WebAuthn/+/1024971, and as such, why I gave up.

But not before working on various amounts of supporting changes, such as T373752: Build php-uuid package, and add to WMF production and CI.

We wouldn't be running two versions, in reality. Release branches are already only on PHP 8+ (and have been for aw hile), and most of production, even more so where thus code would be being run. So the migration could be done against REL1_43 (for example), and then cherry picked forward. The code differences between the release branches and master are going to be pretty minimal.

There's some big changes in the libraries anyway. Hopefully there's some backwards compatibility to allow upgrading...

Or even just against master, and not merged. CI is already being run on other PHP versions, and you can ignore the PHP 7.4 failures, for example.

I was pointing out that this will become a high(er) priority in the very near future, potentially blocking other upgrades of libraries etc due to the incompatibilites.

We can get ahead of things, rather than waiting until it becomes a blocker for other tasks, and then starting work.

I suspect Gergo's response was at least in part to the movement on the workboard, as such, it's not necessarily a "next" task.

Tgr added a comment.Apr 8 2025, 3:54 PM
In T363639#10721146, @Reedy wrote:

I suspect Gergo's response was at least in part to the movement on the workboard, as such, it's not necessarily a "next" task.

The comment was meant mostly as a self-reminder as we discussed this at the sprint planning meeting as something to work on right now, but we decided we can't yet.

So the migration could be done against REL1_43 (for example), and then cherry picked forward.

That's fine as long as the migration is just changing a number in composer.json. But we'll be moving up a major version - if that requires significant code changes, I don't think it's good to have that kind of difference between your master and release branches. It can make backporting other changes a lot harder.

Maybe worth doing if otherwise we'd have to put up with CI issues for a long time. But AIUI the last remnants of PHP 7 will be gone from production in a few weeks so waiting for that shouldn't be a big deal?

Jdforrester-WMF mentioned this in T390754: Extensions that pull in WebAuthn for their CI can support PHP 7.4 or PHP 8.2+, but not both (was: quibble-composer-mysql-php8[23] fail since 31/3).Apr 21 2025, 1:11 PM
Krinkle added a subtask: T328921: Drop PHP 7.4 and PHP 8.0 support from MediaWiki.Apr 28 2025, 4:38 PM
Krinkle removed a subtask: T328922: Drop PHP 8.0 support from MediaWiki.
gerritbot added a comment.May 3 2025, 10:46 AM

Change #1024723 abandoned by Reedy:

[mediawiki/extensions/WebAuthn@REL1_42] Allow web-auth/webauthn-lib ^4.8.0 as well as ~3.3.12 for PHP 8+

https://gerrit.wikimedia.org/r/1024723

A_smart_kitten subscribed.May 8 2025, 12:14 PM
gerritbot added a comment.May 8 2025, 12:16 PM

Change #1143550 had a related patch set uploaded (by Jforrester; author: Jforrester):

[integration/config@master] Zuul: Expand WebAuthn CI disable to all non-master/non-wmf branches

https://gerrit.wikimedia.org/r/1143550

gerritbot added a comment.May 8 2025, 12:21 PM

Change #1143550 merged by jenkins-bot:

[integration/config@master] Zuul: Expand WebAuthn CI disable to all non-master/non-wmf branches

https://gerrit.wikimedia.org/r/1143550

Jdforrester-WMF mentioned this in T393670: CheckUser REL1_44 CI blocked with 'Error: Class "Pimple\Container" not found'.May 8 2025, 1:59 PM
Jdforrester-WMF merged a task: T393670: CheckUser REL1_44 CI blocked with 'Error: Class "Pimple\Container" not found'.
Jdforrester-WMF added subscribers: Dreamy_Jazz, kostajh, STran.
Jdforrester-WMF added a comment.Jun 5 2025, 7:11 PM

Now that PHP 7.4 support is dropped, presumably this can move forward?

Jdforrester-WMF closed subtask T328921: Drop PHP 7.4 and PHP 8.0 support from MediaWiki as Resolved.Jun 6 2025, 6:25 PM
Tgr added a comment.Jun 7 2025, 12:08 PM

Is there a deadline for 8.2 support on Wikimedia servers?

Reedy added a comment.Jun 8 2025, 4:29 AM

T360995: Migrate Wikimedia production from PHP 8.1 to PHP 8.3 doesn’t seem to have a date…

Reedy added a parent task: T396296: Upgrade symfony/* to PHP 8.1 versions.Jun 8 2025, 9:36 AM
Reedy mentioned this in T396296: Upgrade symfony/* to PHP 8.1 versions.
Reedy added a comment.EditedJun 8 2025, 9:39 AM

This blocks upgrading symfony stuff (well, primarily symfony/process) in T396296: Upgrade symfony/* to PHP 8.1 versions

Problem 1
  - Root composer.json requires web-auth/webauthn-lib 3.3.12 -> satisfiable by web-auth/webauthn-lib[v3.3.12].
  - web-auth/webauthn-lib v3.3.12 requires symfony/process ^3.0|^4.0|^5.0 -> found symfony/process[v3.0.0, ..., v3.4.47, v4.0.0, ..., v4.4.44, v5.0.0, ..., v5.4.47] but it conflicts with your root composer.json require (6.4.20).
Jdforrester-WMF added a comment.Jun 8 2025, 5:16 PM
In T363639#10893101, @Tgr wrote:

Is there a deadline for 8.2 support on Wikimedia servers?

Originally, the deadline was the end of this month (as this was in the Foundation's annual plan for 24/25), but the delays on the first upgrade mean that that's been delayed. "Soon", certainly.

Jdforrester-WMF removed a subtask: T328921: Drop PHP 7.4 and PHP 8.0 support from MediaWiki.Jun 8 2025, 6:54 PM

Removing the immense blocker task tree for clarity.

Maintenance_bot removed a project: Patch-For-Review.Jun 8 2025, 7:31 PM
matmarex assigned this task to pmiazga.Jun 16 2025, 2:38 PM
matmarex moved this task from Needs refinement to Next (DO NOT USE) on the MediaWiki-Platform-Team board.
gerritbot added a comment.Jun 16 2025, 2:51 PM

Change #1159483 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/vendor@master] Upgrade web-auth/webauthn-lib and dependancies...

https://gerrit.wikimedia.org/r/1159483

gerritbot added a project: Patch-For-Review.Jun 16 2025, 2:51 PM
Reedy added a parent task: T397067: Upgrade psr/log to 3.0.2 or later.Jun 16 2025, 4:09 PM
Reedy added a parent task: T397068: Upgrade psr/http-message to 2.0 or later.Jun 16 2025, 4:11 PM
Krinkle added a parent task: T356451: Upgrade psr/log to 3.x.Jun 18 2025, 3:34 PM
Krinkle added a comment.Jun 23 2025, 3:05 AM
From T397068: Upgrade psr/http-message to 2.0 or later:
…
web-auth/webauthn-lib v3.3.12     requires psr/http-message (^1.0)
…

Upstream web-auth/webauthn-lib removed the psr/http-message direct dependency in v4.2.1. They do still require "psr/http-client": "^1.0" and "psr/http-factory": "^1.0", and those still indirectly depend on psr/http-message, but they already support both 1 || 2 and are those not an issue.

https://github.com/web-auth/webauthn-lib/commit/985ed1a371fbc955851a80a71f10f73c38f60c30

Which means upgrading from webauthn-lib 3.x to 4.x will also unblock T397068: Upgrade psr/http-message to 2.0 or later.

In other words, I've been looking at upgrading brick/math which we have currenly at 0.9, which is EOL with upstream at 0.13 already (previously highlighted in T319432#9810951). We couldn't upgrade this until now because the latest versions of brick/math require PHP 8.0+, and by now require PHP 8.1+.

The good news:

  • brick/math has a very stable API.
  • We don't use brick/math directly.
  • Our dependencies that use it (ramsey/uuid and spomky-labs/cbor-php) all support a wide range of versions, which means it is mostly in our control what version we use.
    • ramsey/uuid: brick/math: ^0.8.8 || ^0.9 || ^0.10 || ^0.11 || ^0.12 || ^0.13
    • spomky-labs/cbor-php: brick/math: ^0.9|^0.10|^0.11|^0.12|^0.13

The bad news:

  • The web-auth/webauthn-lib package, of which we use version 3.x right now, required 1.x or 2.x of spomky-labs/cbor-php which is from 2021 and still required brick/math: ^0.8.15|^0.9.0, thus narrowing us to 0.9.0, which is exactly where we are already.

This means we can't upgrade brick/math until we upgrade webauthn-lib.

Krinkle updated the task description. (Show Details)Jun 23 2025, 3:07 AM
MSantos subscribed.Jun 30 2025, 1:38 PM
In T363639#10893101, @Tgr wrote:

Is there a deadline for 8.2 support on Wikimedia servers?

As part of the APP of FY25-26 there will be another PHP upgrade by the end of Q2. Unless we resolve hard dependencies on PHP 8.4, the next upgrade will be PHP 8.3.

OWresch-WMF moved this task from Next (DO NOT USE) to In progress (DO NOT USE) on the MediaWiki-Platform-Team board.Jun 30 2025, 2:26 PM
pmiazga removed pmiazga as the assignee of this task.Jul 24 2025, 1:52 PM
Scott_French subscribed.Jul 24 2025, 4:17 PM
matmarex moved this task from In progress (DO NOT USE) to Inbox, needs triage on the MediaWiki-Platform-Team board.Jul 25 2025, 7:53 AM
JTweed-WMF moved this task from Inbox, needs triage to Needs refinement on the MediaWiki-Platform-Team board.Jul 28 2025, 2:43 PM
JTweed-WMF moved this task from Needs refinement to Next (DO NOT USE) on the MediaWiki-Platform-Team board.
Scott_French mentioned this in T401254: Upgrade mw-debug/next to PHP 8.3.Aug 5 2025, 8:04 PM
Jdforrester-WMF mentioned this in T360995: Migrate Wikimedia production from PHP 8.1 to PHP 8.3.Aug 7 2025, 6:51 AM
MSantos added a project: OKR-Work.Aug 11 2025, 3:33 PM
DAlangi_WMF subscribed.Aug 19 2025, 8:49 PM
Tgr claimed this task.Aug 25 2025, 2:14 PM
Tgr moved this task from Next (DO NOT USE) to In progress (DO NOT USE) on the MediaWiki-Platform-Team board.
Tgr added a comment.Aug 31 2025, 6:39 PM

The upgrade docs say

The Metadata Statement embraces the version 3 of the specification. There is no migration tool to convert the MDS from v2 to v3.

AIUI the MDS is basically a web API run by (or on behalf of) the manufacturer of the authenticator device that can be used to validate the claims the device makes about itself. We probably don't use this, and as such, don't need to worry about this change? The docs say

It is mandatory to get the statement from the manufacturer of your authenticators otherwise the Attestation Statement won't be verified and the Attestation Ceremony will fail.

which makes it sound like it's something done automatically by the library, but I think if the library made web requests to an external server, we'd know about that.

Tgr added a comment.Aug 31 2025, 6:56 PM

Per web-auth/webauthn-framework#585 Android SafetyNet support is deprecated in 4.9 and removed in 5.0. Not relevant for this task but we want to go 4.x -> 5.x once the PHP upgrade is done. Not sure if the SafetyNet deprecation is important. A quick Googling says SafetyNet is one of two Android APIs for WebAuthn attestation (the other being Android Keystore); attestation is about establishing the capabilities of the authenticator device (as opposed to assertion, which is verifying the user is logging in with the same device they created the passkey with) so at the very least the change shouldn't affect existing passkeys.

I think the relevant parts of the codebase are here and here (is it normal that those two lists differ?) and neither includes AndroidSafetyNetAttestationStatementSupport so we'll probably be fine?
(Or at least not more broken than we already are - why aren't we including AndroidKeyAttestationStatementSupport for registration? Why aren't we including AppleAttestationStatementSupport at all?)

Tgr mentioned this in T402597: Exploratory testing on PHP 8.3 for MediaWiki Platform Team components.Sep 8 2025, 8:42 PM
hashar mentioned this in T325898: CI failing for BlueSpiceUserSidebar.Sep 15 2025, 8:21 AM
A_smart_kitten mentioned this in T404868: composer merge plugin does not fail when dependency is not satisfied (was: Error: Class "Pimple\Container" not found).Sep 17 2025, 2:38 PM
Reedy added a parent task: T405031: lcobucci/clock needs upgrading for PHP 8.3.Sep 18 2025, 7:18 PM
Reedy mentioned this in T405031: lcobucci/clock needs upgrading for PHP 8.3.Sep 18 2025, 7:21 PM
gerritbot added a comment.Sep 23 2025, 9:02 AM

Change #1159483 merged by jenkins-bot:

[mediawiki/vendor@master] Upgrade web-auth/webauthn-lib and dependencies...

https://gerrit.wikimedia.org/r/1159483

gerritbot added a comment.Sep 23 2025, 9:05 AM

Change #1024971 merged by jenkins-bot:

[mediawiki/extensions/WebAuthn@master] Upgrade to web-auth/webauthn-lib ^4.9.2

https://gerrit.wikimedia.org/r/1024971

gerritbot added a comment.Sep 23 2025, 9:13 AM

Change #1190596 had a related patch set uploaded (by Reedy; author: Jforrester):

[mediawiki/extensions/WebAuthn@REL1_44] Upgrade to web-auth/webauthn-lib ^4.9.2

https://gerrit.wikimedia.org/r/1190596

gerritbot added a comment.Sep 23 2025, 9:26 AM

Change #1190610 had a related patch set uploaded (by Reedy; author: Jforrester):

[mediawiki/extensions/WebAuthn@REL1_43] Upgrade to web-auth/webauthn-lib ^4.9.2

https://gerrit.wikimedia.org/r/1190610

ReleaseTaggerBot added a project: MW-1.45-notes (1.45.0-wmf.21; 2025-09-30).Sep 23 2025, 10:01 AM
gerritbot added a comment.Sep 23 2025, 10:30 AM

Change #1190596 merged by jenkins-bot:

[mediawiki/extensions/WebAuthn@REL1_44] Upgrade to web-auth/webauthn-lib ^4.9.2

https://gerrit.wikimedia.org/r/1190596

Reedy mentioned this in T405344: Upgrade web-auth/webauthn-lib to >= 5.2.3.Sep 23 2025, 11:49 AM
Reedy added a parent task: T405344: Upgrade web-auth/webauthn-lib to >= 5.2.3.
Reedy closed this task as Resolved.Sep 23 2025, 12:27 PM

Boldly closing...

I'm still sorting the MW-1.43-release backport, but that's fine

gerritbot added a comment.Sep 23 2025, 8:45 PM

Change #1190610 merged by jenkins-bot:

[mediawiki/extensions/WebAuthn@REL1_43] Upgrade to web-auth/webauthn-lib ^4.9.2

https://gerrit.wikimedia.org/r/1190610

Reedy removed a project: Patch-For-Review.Oct 11 2025, 9:40 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits