Page MenuHomePhabricator

Security review indigo-depict
Closed, DeclinedPublic

Description

For [[:mw:Extension:MolHandler]], I'd like to use third party software to be installed on the image scalers, namely indigo-depict.

The latest version of the tool's code is hosted on GitHub:
https://github.com/ggasoftware/indigo/blob/master/utils/indigo-depict/main.c

Ubuntu package
( For quantal:
http://packages.ubuntu.com/quantal/science/indigo-utils )

For trusty:
http://packages.ubuntu.com/trusty/science/indigo-utils

The command that will run will be similar to
$ indigo-depict "<infile>" "<outfile>.svg" -coloring [off|on]


Version: wmf-deployment
Severity: major

Details

Reference
bz64548

Event Timeline

bzimport raised the priority of this task from to Normal.Nov 22 2014, 3:11 AM
bzimport set Reference to bz64548.
Rillke created this task.Apr 28 2014, 2:47 PM
Rillke added a comment.Jul 9 2014, 2:58 PM

Any news?

I am still around @csteipp and would invest time in this project again if I see that something is moving from the WMF side (e.g. this security review).

@Gilles, is multimedia thinking about supporting this?

I did an initial look at indigo-depict, and the code quality didn't look extremely promising, but if we have some internal support to fix any bugs we find, then there's a much higher chance we can deploy this.

Rillke added a comment.Jan 8 2015, 4:04 AM

What is internal support support exactly and is there a gold standard for evaluating code quality? Test coverage, coding conventions, documentation and legibility are certainly factors but I have no clue how it looks from the perspective of a security software engineer.

Krenair added a subscriber: Krenair.Jan 8 2015, 4:05 AM

@Gilles, is multimedia thinking about supporting this?
I did an initial look at indigo-depict, and the code quality didn't look extremely promising, but if we have some internal support to fix any bugs we find, then there's a much higher chance we can deploy this.

I think our work should be first and foremost to support volunteer contributions, so yes, we will provide that kind of support if needed. @Rillke has put a lot of effort in this project that I wouldn't want to see go to waste.

Restricted Application added subscribers: Matanya, Aklapper. · View Herald TranscriptAug 24 2015, 7:05 PM
Jdforrester-WMF moved this task from Untriaged to Backlog on the Multimedia board.Sep 4 2015, 6:27 PM
Glrx added a subscriber: Glrx.Apr 20 2017, 10:26 PM
Aklapper removed csteipp as the assignee of this task.Dec 9 2017, 1:43 PM
Reedy changed the task status from Open to Stalled.Sep 11 2018, 7:57 PM
Reedy added a project: Multimedia.
Reedy added a subscriber: Reedy.

As @Gilles is no longer on the Multimedia team.. This really needs a new champion inside the WMF

And the extension needs a review too obviously

brion added a subscriber: brion.Sep 11 2018, 8:35 PM
charlotteportero changed the task status from Stalled to Open.Jan 7 2019, 6:35 PM
charlotteportero moved this task from Backlog to Frozen on the Security-Team-Reviews board.

C code -- would need something to happen to move forward on this. No champion is apparent.

@sbassett Does Community-Tech need to do something here?

@Niharika - I believe I tagged Community-Tech as it was thought that they might be a viable champion/owner of this project, when the Security-Team recently discussed this task. If that's not the case, then we can remove the tag.

@Niharika - I believe I tagged Community-Tech as it was thought that they might be a viable champion/owner of this project, when the Security-Team recently discussed this task. If that's not the case, then we can remove the tag.

Yeah, Community Tech gathers projects from the Community Wishlist survey and we already got a bunch of projects on our roadmap this year. Sorry, we won't be able to take this on.

sbassett added subscribers: Ramsey-WMF, MarkTraceur.EditedApr 9 2019, 7:06 PM

@Ramsey-WMF @MarkTraceur -

Hey Multimedia Team. We have this long-lingering review of an old Google-Summer-of-Code project where we'd been asked to review the indigo-depict dependency. Given the elapsed time here and that there most likely isn't a current champion of this extension (as a code steward or for production deployment) the Security-Team would like to propose closing this as declined by April 15th, 2019. If the above assumptions are incorrect and the Multimedia Team (or another team/individual) would like to become a steward for this extension with the goal of deploying to production over the next quarter or two, we can definitely see where we're at and reschedule this review. Thanks.

(n.b. Multimedia, while not perfect, seemed like the closest match as a potential advocate for this extension)

Unfortunately, this code isn't something we can support either (no C programmers on the team, overloaded with SDC now, etc.)

@Ramsey-WMF @MarkTraceur -
Hey Multimedia Team. We have this long-lingering review of an old Google-Summer-of-Code project where we'd been asked to review the indigo-depict dependency. Given the elapsed time here and that there most likely isn't a current champion of this extension (as a code steward or for production deployment) the Security-Team would like to propose closing this as declined by April 15th, 2019. If the above assumptions are incorrect and the Multimedia Team (or another team/individual) would like to become a steward for this extension with the goal of deploying to production over the next quarter or two, we can definitely see where we're at and reschedule this review. Thanks.
(n.b. Multimedia, while not perfect, seemed like the closest match as a potential advocate for this extension)

sbassett closed this task as Declined.Apr 9 2019, 8:39 PM

@Ramsey-WMF - Ok, thanks for the follow-up. I'll go ahead and close this as declined for now.

@sbassett: Assuming that the Security-Team-Reviews tag was removed accidentially when declining this security review request

@Aklapper - Our standard has been to remove Security-Team-Reviews (or Security-Team-Review-Active) when we close a request as declined or invalid, since those projects represent requests that will actually be reviewed at some point. I suppose it doesn't really matter, since any closed task is set to disappear from those workboards, which is the important piece.

@sbassett: Removing the Security-Team-Reviews tag makes it impossible to get a list of all [non-open] review requests, and harder to find an old declined task in the future (as one would search for review tasks in the review project). I'm curious which problem is solved by removing such categorization information, but probably not in this very task (it's a bit off-topic). Note that you can filter the workboard view by changing " All Tasks" to " Open Tasks" in the upper corner.

@Aklapper - Yeah, that's fine. Our workboards for Security-Team-Reviews and Security-Team-Review-Active default to only show open tasks (I believe - or at least that's my default) which is a perfectly acceptable solution.