
Fri, Jan 14

Mstyles added a comment to T289322: Pre-launch security review of Wikifunctions.

Security Review Summary - T289322 - 2022-01-13
Last commit reviewed: 36511a7

Fri, Jan 14, 3:11 AM · user-sbassett, Application Security Reviews, Abstract Wikipedia team (Phase λ – Launch), secscrum

Tue, Jan 11

sbassett awarded T292236: Write and send supplementary release announcement for extensions and skins with security patches (1.35.5/1.36.3/1.37.1) a Like token.
Tue, Jan 11, 3:07 PM · Security Team AppSec, Security-Team, user-sbassett, MediaWiki-Releasing, Security

Mon, Jan 10

Mstyles changed the edit policy for T292236: Write and send supplementary release announcement for extensions and skins with security patches (1.35.5/1.36.3/1.37.1).
Mon, Jan 10, 11:01 PM · Security Team AppSec, Security-Team, user-sbassett, MediaWiki-Releasing, Security
Mstyles changed the visibility for T292236: Write and send supplementary release announcement for extensions and skins with security patches (1.35.5/1.36.3/1.37.1).
Mon, Jan 10, 11:00 PM · Security Team AppSec, Security-Team, user-sbassett, MediaWiki-Releasing, Security
Mstyles added a comment to T292236: Write and send supplementary release announcement for extensions and skins with security patches (1.35.5/1.36.3/1.37.1).

Supplemental announcement is out!

Mon, Jan 10, 10:58 PM · Security Team AppSec, Security-Team, user-sbassett, MediaWiki-Releasing, Security
Mstyles added a comment to T292236: Write and send supplementary release announcement for extensions and skins with security patches (1.35.5/1.36.3/1.37.1).

Subject: MediaWiki Extensions and Skins Security Release Supplement (1.35.5/1.36.3/1.37.1)

Mon, Jan 10, 10:45 PM · Security Team AppSec, Security-Team, user-sbassett, MediaWiki-Releasing, Security

Tue, Jan 4

Mstyles updated the task description for T292236: Write and send supplementary release announcement for extensions and skins with security patches (1.35.5/1.36.3/1.37.1).
Tue, Jan 4, 6:06 PM · Security Team AppSec, Security-Team, user-sbassett, MediaWiki-Releasing, Security

Dec 14 2021

Mstyles updated the task description for T296346: Create Demo Environment for Security API.
Dec 14 2021, 9:43 PM · Security, Security-Team
Mstyles closed T293417: Determine best available auth mechanism for the initial Security API use-case as Resolved.
Dec 14 2021, 9:42 PM · SecTeam-Processed, Security, Security-Team
Mstyles closed T293417: Determine best available auth mechanism for the initial Security API use-case, a subtask of T290917: New Service Request Security API Gateway, as Resolved.
Dec 14 2021, 9:42 PM · user-sbassett, Security, Security-Team
Mstyles added a comment to T293417: Determine best available auth mechanism for the initial Security API use-case.

The Security API extension has been created and will be used for auth

Dec 14 2021, 9:42 PM · SecTeam-Processed, Security, Security-Team
Mstyles closed T293418: Determine API endpoints for initial Security API use-case, a subtask of T290917: New Service Request Security API Gateway, as Resolved.
Dec 14 2021, 9:41 PM · user-sbassett, Security, Security-Team
Mstyles closed T293418: Determine API endpoints for initial Security API use-case as Resolved.
Dec 14 2021, 9:41 PM · SecTeam-Processed, Security, Security-Team
Mstyles added a comment to T293418: Determine API endpoints for initial Security API use-case.

We decided to go with

  • /feed/v1/all
  • /feed/v1/ip/:ip
Dec 14 2021, 9:40 PM · SecTeam-Processed, Security, Security-Team

Dec 7 2021

Mstyles added a comment to T288768: Security Readiness Review For Vuex 4 (upgrade from Vuex 3).

Security Review Summary - T288768 - 2021-12-06

Dec 7 2021, 2:10 AM · Deprecated-Design-Systems-team-board (Design Systems Team Radar), Security, secscrum, Application Security Reviews

Dec 6 2021

Mstyles added a parent task for T271037: CVE-2021-44856: Title blocked in AbuseFilter can be created via Special:ChangeContentModel due to the mishandling of EditFilterMergedContent hook return value: T292227: Tracking bug for MediaWiki 1.35.5/1.36.3/1.37.1.
Dec 6 2021, 10:23 PM · MW-1.37-notes, MW-1.36-notes, MW-1.38-notes (1.38.0-wmf.16; 2022-01-03), MW-1.35-notes, Patch-For-Review, Vuln-MissingAuthz, SecTeam-Processed, AbuseFilter, User-DannyS712, MediaWiki-Page-editing, Security, Security-Team
Mstyles added a subtask for T292227: Tracking bug for MediaWiki 1.35.5/1.36.3/1.37.1: T271037: CVE-2021-44856: Title blocked in AbuseFilter can be created via Special:ChangeContentModel due to the mishandling of EditFilterMergedContent hook return value.
Dec 6 2021, 10:23 PM · MediaWiki-Releasing, Security

Nov 23 2021

Mstyles created T296346: Create Demo Environment for Security API.
Nov 23 2021, 9:27 PM · Security, Security-Team

Nov 1 2021

Mstyles added a comment to T290808: Users with no NDA can access confidential information at testwiki's SecurePoll instance (CVE-2021-46148).

@phuedx could you please have someone else review your patch so that the security team can move forward and deploy it?

Nov 1 2021, 9:13 PM · MW-1.38-notes (1.38.0-wmf.13; 2021-12-13), Patch-For-Review, MediaWiki-extensions-SecurePoll, SecTeam-Processed, Anti-Harassment, Security, Security-Team
Mstyles added a comment to T271037: CVE-2021-44856: Title blocked in AbuseFilter can be created via Special:ChangeContentModel due to the mishandling of EditFilterMergedContent hook return value.

The security team would be happy to deploy this patch as soon as it can be reviewed by another person.

Nov 1 2021, 9:12 PM · MW-1.37-notes, MW-1.36-notes, MW-1.38-notes (1.38.0-wmf.16; 2022-01-03), MW-1.35-notes, Patch-For-Review, Vuln-MissingAuthz, SecTeam-Processed, AbuseFilter, User-DannyS712, MediaWiki-Page-editing, Security, Security-Team
Mstyles added a comment to T294693: XSS on page information Wikibase central description (CVE-2021-45473).

As soon as this gets reviewed by someone else, the security team will be more than happy to deploy!

Nov 1 2021, 9:12 PM · MW-1.38-notes (1.38.0-wmf.12; 2021-12-06), Wikibase Release Strategy, SecTeam-Processed, wdwb-tech, MediaWiki-extensions-WikibaseClient, User-Urbanecm, Wikidata, Vuln-XSS, Security, Security-Team

Oct 27 2021

Mstyles closed T284341: Security Readiness Review For Vite as Resolved.
Oct 27 2021, 12:21 AM · Deprecated-Design-Systems-team-board (Design Systems Team Radar), Security, Application Security Reviews, secscrum
Mstyles moved T284341: Security Readiness Review For Vite from Waiting to Our Part Is Done on the secscrum board.
Oct 27 2021, 12:21 AM · Deprecated-Design-Systems-team-board (Design Systems Team Radar), Security, Application Security Reviews, secscrum
Mstyles added a comment to T284341: Security Readiness Review For Vite.

Marking this as complete since the subtasks have been created with the open vulnerabilities.

Oct 27 2021, 12:21 AM · Deprecated-Design-Systems-team-board (Design Systems Team Radar), Security, Application Security Reviews, secscrum
Mstyles created T294399: Path Traversal Vulnerabilities in Vite.
Oct 27 2021, 12:20 AM · Security, Application Security Reviews
Mstyles placed T294396: XSS vulnerabilities in the Vite server package up for grabs.
Oct 27 2021, 12:19 AM · Security, Application Security Reviews
Mstyles updated the task description for T294396: XSS vulnerabilities in the Vite server package.
Oct 27 2021, 12:19 AM · Security, Application Security Reviews
Mstyles created T294396: XSS vulnerabilities in the Vite server package.
Oct 27 2021, 12:03 AM · Security, Application Security Reviews

Oct 26 2021

Mstyles added a comment to T291522: Parent task for WDQS streaming updater posts.

Yes, images sound good to me!

Oct 26 2021, 7:56 PM · Technical-blog-posts
Mstyles added a comment to T286958: Document long-term requirements for GitLab job runners.

The security team would be more than happy to review the documentation when it gets to the draft phase

Oct 26 2021, 7:45 PM · SecTeam-Processed, Security, GitLab (CI & Job Runners), Release-Engineering-Team (Seen), User-brennen
Mstyles moved T294307: Research and design basic ci processing scripts (to exit 1 for tools that report errors and generate report artifacts) from Incoming to In Progress on the Security-Team board.
Oct 26 2021, 7:41 PM · SecTeam-Processed, GitLab (CI & Job Runners), Security, Security Team AppSec, Security-Team

Oct 19 2021

Mstyles updated subscribers of T284341: Security Readiness Review For Vite.

@egardner @Catrope This is going into our risk registry next week and will be owned by @marcella and @MarkTraceur.

Oct 19 2021, 7:25 PM · Deprecated-Design-Systems-team-board (Design Systems Team Radar), Security, Application Security Reviews, secscrum

Oct 18 2021

Mstyles lowered the priority of T293589: CVE-2021-44855: Blind Stored XSS via Upload Image via URL from High to Low.
Oct 18 2021, 10:08 PM · MW-1.38-notes (1.38.0-wmf.16; 2022-01-03), Patch-For-Review, SecTeam-Processed, VisualEditor, Vuln-XSS, Security, Security-Team
Mstyles moved T293589: CVE-2021-44855: Blind Stored XSS via Upload Image via URL from Security Patch To Deploy to Our Part Is Done on the Security-Team board.
Oct 18 2021, 10:07 PM · MW-1.38-notes (1.38.0-wmf.16; 2022-01-03), Patch-For-Review, SecTeam-Processed, VisualEditor, Vuln-XSS, Security, Security-Team
Mstyles added a comment to T293589: CVE-2021-44855: Blind Stored XSS via Upload Image via URL.

deployed 10/18 to production (https://sal.toolforge.org/log/zRBxlXwBa_6PSCT9WSay)

Oct 18 2021, 10:07 PM · MW-1.38-notes (1.38.0-wmf.16; 2022-01-03), Patch-For-Review, SecTeam-Processed, VisualEditor, Vuln-XSS, Security, Security-Team
Mstyles moved T293556: Stored XSS via WikibaseMediaInfo caption fields at commons.wikimedia.org (CVE-2021-46146) from Security Patch To Deploy to Our Part Is Done on the Security-Team board.
Oct 18 2021, 9:41 PM · Structured-Data-Backlog (Current Work), SecTeam-Processed, Patch-For-Review, WikibaseMediaInfo, Vuln-XSS, Commons, Security, Security-Team
Mstyles lowered the priority of T293556: Stored XSS via WikibaseMediaInfo caption fields at commons.wikimedia.org (CVE-2021-46146) from High to Low.
Oct 18 2021, 9:41 PM · Structured-Data-Backlog (Current Work), SecTeam-Processed, Patch-For-Review, WikibaseMediaInfo, Vuln-XSS, Commons, Security, Security-Team
Mstyles added a comment to T293556: Stored XSS via WikibaseMediaInfo caption fields at commons.wikimedia.org (CVE-2021-46146).

Deployed to production on 10/18 (https://sal.toolforge.org/log/AQpJlXwB1jz_IcWust7f).

Oct 18 2021, 9:38 PM · Structured-Data-Backlog (Current Work), SecTeam-Processed, Patch-For-Review, WikibaseMediaInfo, Vuln-XSS, Commons, Security, Security-Team

Oct 13 2021

Mstyles edited projects for T203129: Define Suppress grants, added: SecTeam-Processed; removed Security-Team.
Oct 13 2021, 7:34 PM · SecTeam-Processed, Privacy Engineering, Platform Engineering, Trust-and-Safety, Privacy, WMF-Legal, User-Rxy, Patch-For-Review, MediaWiki-General
Mstyles edited projects for T179901: Create a tmp directory just for MediaWiki, added: SecTeam-Processed; removed Security-Team.
Oct 13 2021, 7:31 PM · SecTeam-Processed, Security, Performance-Team (Radar), serviceops, MediaWiki-General
Mstyles edited projects for T176533: Re-enable stacktraces on Wikimedia wikis ($wgShowExceptionDetails = true);, added: Security, SecTeam-Processed; removed Security-Team.
Oct 13 2021, 7:31 PM · SecTeam-Processed, Security, Wikimedia-Site-requests
Mstyles edited projects for T124445: Design research support for two step authentication, added: Security, SecTeam-Processed; removed Security-Team.
Oct 13 2021, 7:29 PM · SecTeam-Processed, Security, MediaWiki-extensions-OATHAuth
Mstyles edited projects for T121136: Establish a process to periodically review and approve access for hadoop/hue users, added: Security, SecTeam-Processed; removed Security-Team.
Oct 13 2021, 7:29 PM · SecTeam-Processed, Security, Analytics-Radar, User-Elukey
Mstyles edited projects for T118774: No way to force a user to change their password if it's invalid, added: SecTeam-Processed; removed Security-Team.
Oct 13 2021, 7:28 PM · SecTeam-Processed, Security, MW-1.33-notes (1.33.0-wmf.21; 2019-03-12), MediaWiki-User-login-and-signup
Mstyles edited projects for T28227: Notify user by email when password changed, added: Security, SecTeam-Processed; removed Security-Team.
Oct 13 2021, 7:28 PM · SecTeam-Processed, Security, MediaWiki-Authentication-and-authorization, MediaWiki-Email, MediaWiki-User-login-and-signup
Mstyles edited projects for T254698: Disallow external JavaScripts at svwiki, added: SecTeam-Processed; removed Security-Team.
Oct 13 2021, 7:25 PM · SecTeam-Processed, Wikimedia-Site-requests, ContentSecurityPolicy
Mstyles added a comment to T288974: Security Issue Access Request for odimitrijevic.

Hi @odimitrijevic have you been able to set up Multi-factor auth for Phabricator?

Oct 13 2021, 7:07 PM · SecTeam-Processed, Security-Team, Security

Oct 7 2021

Mstyles added a comment to T285414: Write and send supplementary release announcement for extensions and skins with security patches (1.31.16/1.35.4/1.36.2).

email draft

Oct 7 2021, 8:48 PM · User-RhinosF1, user-sbassett, MediaWiki-Releasing, Security
Mstyles renamed T289385: Modified HTTP headers allow XSS in SecurePoll (CVE-2021-42045) from Modified HTTP headers allow XSS in SecurePoll to Modified HTTP headers allow XSS in SecurePoll (CVE-2021-42045).
Oct 7 2021, 8:35 PM · MW-1.38-notes (1.38.0-wmf.3; 2021-10-05), SecTeam-Processed, MediaWiki-extensions-SecurePoll, Vuln-XSS, Security, Security-Team
Mstyles renamed T289064: Newcomer homepage Impact module: Permanent XSS exploitable by admins for new accounts (CVE-2021-42048) from Newcomer homepage Impact module: Permanent XSS exploitable by admins for new accounts to Newcomer homepage Impact module: Permanent XSS exploitable by admins for new accounts (CVE-2021-42048).
Oct 7 2021, 8:35 PM · MW-1.37-notes (1.37.0-wmf.23; 2021-09-13), SecTeam-Processed, user-sbassett, Growth-Team (Current Sprint), GrowthExperiments-ImpactModule, Vuln-XSS, Security, Security-Team
Mstyles renamed T289063: Mentor dashboard: Permanent XSS exploitable by wiki admins (server-side part) (CVE-2021-42047) from Mentor dashboard: Permanent XSS exploitable by wiki admins (server-side part) to Mentor dashboard: Permanent XSS exploitable by wiki admins (server-side part) (CVE-2021-42047).
Oct 7 2021, 8:34 PM · MW-1.37-notes (1.37.0-wmf.23; 2021-09-13), SecTeam-Processed, user-sbassett, User-Urbanecm_WMF (Engineering), Patch-For-Review, Vuln-XSS, Growth-Team (Current Sprint), GrowthExperiments-MentorDashboard, Security, Security-Team
Mstyles renamed T286385: XSS in GlobalWatchlist (CVE-2021-42046) from XSS in GlobalWatchlist to XSS in GlobalWatchlist (CVE-2021-42046).
Oct 7 2021, 8:33 PM · Patch-For-Review, MW-1.37-notes (1.37.0-wmf.14; 2021-07-12), SecTeam-Processed, MediaWiki-extensions-GlobalWatchlist, Vuln-XSS, User-DannyS712, Security, Security-Team
Mstyles updated the task description for T285414: Write and send supplementary release announcement for extensions and skins with security patches (1.31.16/1.35.4/1.36.2).
Oct 7 2021, 8:28 PM · User-RhinosF1, user-sbassett, MediaWiki-Releasing, Security

Oct 6 2021

Mstyles moved T277690: Security Readiness Review for SD Image Recommendations UI from Upcoming Quarter Planning Queue to Back Orders on the secscrum board.
Oct 6 2021, 7:03 PM · Image-Suggestions, secscrum, Application Security Reviews
Mstyles added a comment to T277690: Security Readiness Review for SD Image Recommendations UI.

@CBogen if it's just notifications, I don't think that needs a review. I'll put this ticket in Back Orders for now, and let us know if/when there's more code to be reviewed. Does that work?

Oct 6 2021, 6:55 PM · Image-Suggestions, secscrum, Application Security Reviews
Mstyles added a comment to T277690: Security Readiness Review for SD Image Recommendations UI.

@CBogen if the UI code is more than a couple of files, then a security review could be necessary. Do you have a link to the code?

Oct 6 2021, 6:25 PM · Image-Suggestions, secscrum, Application Security Reviews

Oct 5 2021

Mstyles claimed T288768: Security Readiness Review For Vuex 4 (upgrade from Vuex 3).
Oct 5 2021, 5:40 PM · Deprecated-Design-Systems-team-board (Design Systems Team Radar), Security, secscrum, Application Security Reviews
Mstyles added a comment to T277690: Security Readiness Review for SD Image Recommendations UI.

Hi @CBogen can we get an update on this project? Perhaps an updated description if this project is still slated to be deployed this quarter.

Oct 5 2021, 5:38 PM · Image-Suggestions, secscrum, Application Security Reviews

Oct 1 2021

Mstyles updated the task description for T285414: Write and send supplementary release announcement for extensions and skins with security patches (1.31.16/1.35.4/1.36.2).
Oct 1 2021, 11:41 PM · User-RhinosF1, user-sbassett, MediaWiki-Releasing, Security

Sep 30 2021

Mstyles added a comment to T284341: Security Readiness Review For Vite.

Security Review Summary - T284341 - 2021-09-30

Sep 30 2021, 9:29 PM · Deprecated-Design-Systems-team-board (Design Systems Team Radar), Security, Application Security Reviews, secscrum

Sep 27 2021

Mstyles added a comment to T291696: XSS vulnerability in the 'setchange' log (CVE-2021-42041).

This security patch was deployed on Sept 27: https://sal.toolforge.org/log/15laKXwBa_6PSCT9t46S
Everything looked good on logstash, no errors seen. Feel free to test.

Sep 27 2021, 10:24 PM · MW-1.38-notes (1.38.0-wmf.3; 2021-10-05), SecTeam-Processed, MediaWiki-extensions-CentralAuth, Vuln-XSS, User-Zabe, Security, Security-Team

Aug 4 2021

Mstyles added a comment to T269291: Security Readiness Review For Extension:NearbyPages.

Security Review Summary - T269291 - 2021-08-04

Aug 4 2021, 10:57 PM · Security, Application Security Reviews, secscrum, NearbyPages
Mstyles raised the priority of T269291: Security Readiness Review For Extension:NearbyPages from Medium to Needs Triage.

Providing security vulnerability report

Aug 4 2021, 8:13 PM · Security, Application Security Reviews, secscrum, NearbyPages

Jul 1 2021

Mstyles added a comment to T284341: Security Readiness Review For Vite.

@egardner is there a more targeted launch date, perhaps a month as opposed to a quarter?

Jul 1 2021, 6:32 PM · Deprecated-Design-Systems-team-board (Design Systems Team Radar), Security, Application Security Reviews, secscrum
Mstyles added a comment to T277690: Security Readiness Review for SD Image Recommendations UI.

@CBogen Q2 beginning in Oct 1 2021? If that's the case, we'll probably want to schedule the review closer to the deployment date.

Jul 1 2021, 6:26 PM · Image-Suggestions, secscrum, Application Security Reviews
Mstyles added a comment to T277690: Security Readiness Review for SD Image Recommendations UI.

@CBogen is this planned to be deployed in the next quarter or two?

Jul 1 2021, 6:23 PM · Image-Suggestions, secscrum, Application Security Reviews

Jun 29 2021

Mstyles added a comment to T285515: CVE-2021-41798: XSS vulnerability in Special:Search.

deployed security patch to wmf.11 and wmf.12 -> https://sal.toolforge.org/log/UMnBWXoB8Fs0LHO5Q8wn and https://sal.toolforge.org/log/o8nHWXoB8Fs0LHO5vNDC

Jun 29 2021, 10:00 PM · MW-1.38-notes (1.38.0-wmf.3; 2021-10-05), MW-1.31-release-notes, MW-1.36-notes, MW-1.37-notes, MW-1.35-notes, SecTeam-Processed, Discovery-Search (Current work), MediaWiki-Search, User-Zabe, Vuln-XSS, Security, Security-Team

Jun 23 2021

Mstyles added a comment to T285190: Special:GlobalUserRights reveals existence of globally suppressed users (CVE-2021-36127).

The patch was applied with .9 and .11 (https://sal.toolforge.org/log/VEzWOnoB1jz_IcWuA5fo), but this patch doesn't handle the user id scenario. This is mentioned in T260863 which was merged into this ticket.

Jun 23 2021, 9:49 PM · MW-1.37-notes (1.37.0-wmf.14; 2021-07-12), MediaWiki-extensions-CentralAuth, Vuln-Infoleak, User-Zabe, Security, Security-Team

Jun 22 2021

Mstyles moved T281527: Security Readiness Review For Vue composition API plugin from In Progress to Waiting on the secscrum board.
Jun 22 2021, 3:53 PM · Deprecated-Design-Systems-team-board, secscrum, Security, Application Security Reviews

Jun 21 2021

Mstyles updated the task description for T279733: Write and send supplementary release announcement for extensions and skins with security patches (1.31.15/1.35.3/1.36.1).
Jun 21 2021, 9:18 PM · Security-Team, user-sbassett, MediaWiki-Releasing, Security
Mstyles added a comment to T285190: Special:GlobalUserRights reveals existence of globally suppressed users (CVE-2021-36127).

Security patch deployed June 21, 2021 -> https://sal.toolforge.org/log/Q1RpMHoBa_6PSCT9zC0q

Jun 21 2021, 9:16 PM · MW-1.37-notes (1.37.0-wmf.14; 2021-07-12), MediaWiki-extensions-CentralAuth, Vuln-Infoleak, User-Zabe, Security, Security-Team
Mstyles moved T285190: Special:GlobalUserRights reveals existence of globally suppressed users (CVE-2021-36127) from Security Patch To Deploy to Our Part Is Done on the Security-Team board.
Jun 21 2021, 9:15 PM · MW-1.37-notes (1.37.0-wmf.14; 2021-07-12), MediaWiki-extensions-CentralAuth, Vuln-Infoleak, User-Zabe, Security, Security-Team
Mstyles added a comment to T285190: Special:GlobalUserRights reveals existence of globally suppressed users (CVE-2021-36127).

@Zabe this patch works for globally suppressed users, but there are some users who have both gu_status and lists as attributes in the database who still have the same error message. Not sure if the patch should cover those users as well. Another patch can be submitted if that's the case. More context for hidden lists -> https://phabricator.wikimedia.org/T192957

Jun 21 2021, 9:01 PM · MW-1.37-notes (1.37.0-wmf.14; 2021-07-12), MediaWiki-extensions-CentralAuth, Vuln-Infoleak, User-Zabe, Security, Security-Team

Jun 14 2021

Mstyles added a comment to T281527: Security Readiness Review For Vue composition API plugin.

Security Review Summary - Vue Composition API - 2021-06-10

Jun 14 2021, 8:41 PM · Deprecated-Design-Systems-team-board, secscrum, Security, Application Security Reviews

Jun 8 2021

Mstyles added a comment to T280644: Security Readiness Review For mapbox-gl-rtl-text.

@MSantos this is medium risk if it is still going to be used in a production capacity. In that case, we either need a mitigation plan to address the security issues or your manager/tech lead needs to accept the risk, which means that this project will be added to the WMF risk registry.

Jun 8 2021, 4:52 PM · Maps (Kartographer), Product-Infrastructure-Team-Backlog, Security, Application Security Reviews

May 24 2021

Mstyles added a comment to T281527: Security Readiness Review For Vue composition API plugin.

@Catrope What version of the composition API do you plan to use? From the release page, it seems that v1.0.0 only has release candidates and betas. Is there a particular commit you are planning to pin to?

May 24 2021, 4:44 PM · Deprecated-Design-Systems-team-board, secscrum, Security, Application Security Reviews

May 22 2021

Mstyles added a comment to T280644: Security Readiness Review For mapbox-gl-rtl-text.

Security Review Summary - Mapbox-gl-rtl-text - 2021-05-13

May 22 2021, 1:27 AM · Maps (Kartographer), Product-Infrastructure-Team-Backlog, Security, Application Security Reviews

May 17 2021

Mstyles added a comment to T281903: Onboarding Maryum Styles to the Security Team as a Security Engineer.

yes, that seems fine now. I think we can close this ticket

May 17 2021, 4:05 PM · Security-Team

May 10 2021

Mstyles added a comment to T281903: Onboarding Maryum Styles to the Security Team as a Security Engineer.

just waiting on the ops mailing list request

May 10 2021, 3:24 PM · Security-Team
Mstyles updated the task description for T281903: Onboarding Maryum Styles to the Security Team as a Security Engineer.
May 10 2021, 3:24 PM · Security-Team

May 6 2021

Mstyles updated the task description for T281903: Onboarding Maryum Styles to the Security Team as a Security Engineer.
May 6 2021, 7:10 PM · Security-Team

May 5 2021

Mstyles updated the task description for T281903: Onboarding Maryum Styles to the Security Team as a Security Engineer.
May 5 2021, 8:12 PM · Security-Team
Mstyles added a member for Security: Mstyles.
May 5 2021, 8:10 PM

May 4 2021

Mstyles updated the task description for T281903: Onboarding Maryum Styles to the Security Team as a Security Engineer.
May 4 2021, 9:26 PM · Security-Team

Apr 28 2021

Mstyles committed rWJVM323920579dcc: [maven-release-plugin] prepare for next development iteration (authored by Mstyles).
Apr 28 2021, 10:22 PM
Mstyles committed rWJVM015d05b1179c: [maven-release-plugin] prepare release wmf-jvm-utils-parent-1.0.0 (authored by Mstyles).
Apr 28 2021, 10:22 PM
Mstyles committed rWJVMf8af0d018f22: customRoutePlanner: add implementation (authored by Mstyles).
Apr 28 2021, 1:33 PM

Apr 19 2021

Mstyles moved T280166: Investigate using session cluster for Flink from Incoming to Current work on the Wikidata-Query-Service board.
Apr 19 2021, 3:13 PM · Patch-For-Review, Discovery-Search (Current work), Wikidata-Query-Service, Wikidata

Apr 14 2021

Mstyles added a comment to T273098: High Availability Flink.

So one problem with implementing HA without using the session cluster (T280166) is that Flink can't properly start the Streaming Updater job locally, since the jar needs to be stored in the storage directory. I'm not sure of a workaround if we don't end up using the session cluster for local/ci use cases.

Apr 14 2021, 10:52 PM · Patch-For-Review, Discovery-Search (Current work), Wikidata-Query-Service, Wikidata
Mstyles added a comment to T273098: High Availability Flink.

3 config maps are created by the pods, dispatcher-leader, resourcemanager-leader, and restserver-leader. There aren't any references from helm to these configmaps, so when helm is updated, it shouldn't affect the configmaps.

Apr 14 2021, 4:51 PM · Patch-For-Review, Discovery-Search (Current work), Wikidata-Query-Service, Wikidata
Mstyles created T280166: Investigate using session cluster for Flink.
Apr 14 2021, 4:42 PM · Patch-For-Review, Discovery-Search (Current work), Wikidata-Query-Service, Wikidata

Apr 6 2021

Mstyles added a comment to T278385: Streaming Updater must make all requests to proxy endpoints.

Thanks!

Apr 6 2021, 10:37 PM · Patch-For-Review, Discovery-Search (Current work), Wikidata-Query-Service, Wikidata

Mar 31 2021

Mstyles updated subscribers of T278385: Streaming Updater must make all requests to proxy endpoints.

@akosiaris the swift proxies in there seem to be pointing to the swift cluster that we use (thanos-swift). We'll need additional proxies set up for that as well. Would it be more helpful to have a separate ticket for the proxies that need to be created? (meta.wikimedia.org and thanos-swift). Additionally, looking at the list of proxies from envoy, I didn't see anything for wikidata. Am I missing something? @dcausse also wanted to know if there can be an api-ro.discovery.wmnet proxy in addition to api-rw.discovery.wmnet, since we only read from MediaWiki.

Mar 31 2021, 10:47 PM · Patch-For-Review, Discovery-Search (Current work), Wikidata-Query-Service, Wikidata

Mar 30 2021

Mstyles added a comment to T278385: Streaming Updater must make all requests to proxy endpoints.

@akosiaris: I wanted to clarify for Swift as well, will there be proxies to connect to the swift auth url (https://thanos-swift.discovery.wmnet/auth/v1.0) and connecting to the thanos swift cluster (swift://updater.thanos-swift/wdqs_streaming_updater_test/checkpoints) for storing checkpoint data in the swift cluster?

Mar 30 2021, 5:02 PM · Patch-For-Review, Discovery-Search (Current work), Wikidata-Query-Service, Wikidata

Mar 24 2021

Mstyles moved T278385: Streaming Updater must make all requests to proxy endpoints from Incoming to Ready for Development on the Discovery-Search (Current work) board.
Mar 24 2021, 10:02 PM · Patch-For-Review, Discovery-Search (Current work), Wikidata-Query-Service, Wikidata
Mstyles created T278385: Streaming Updater must make all requests to proxy endpoints.
Mar 24 2021, 8:14 PM · Patch-For-Review, Discovery-Search (Current work), Wikidata-Query-Service, Wikidata
Mstyles updated subscribers of T273098: High Availability Flink.
Mar 24 2021, 4:49 PM · Patch-For-Review, Discovery-Search (Current work), Wikidata-Query-Service, Wikidata
Mstyles updated subscribers of T273098: High Availability Flink.

The changes for HA are mostly changing a few lines of the config file. The part that is unclear is whether we can get a service account for pods that allows them to do CRUD operations for configmaps. Pods will need to be able to update the configmap. Details here. Another thing that would have to change is that JobManager pods should be started with their IP address instead of a Kubernetes service as its jobmanager.rpc.address. I'm not sure how that would work.

Mar 24 2021, 4:46 PM · Patch-For-Review, Discovery-Search (Current work), Wikidata-Query-Service, Wikidata

Mar 23 2021

Mstyles claimed T278155: Create commons/wikidata dataset for MediaSearch.
Mar 23 2021, 4:21 PM · Discovery-Search, CirrusSearch
Mstyles moved T278155: Create commons/wikidata dataset for MediaSearch from Incoming to In Progress on the Discovery-Search (Current work) board.
Mar 23 2021, 4:21 PM · Discovery-Search, CirrusSearch