Bawolff (Brian Wolff)
Security

User Details

User Since
Oct 25 2014, 1:53 AM (173 w, 1 d)
Availability
Available
IRC Nick
Bawolff
LDAP User
Brian Wolff
MediaWiki User
Bawolff

I work on the MediaWiki Security Team.

Recent Activity

Yesterday

Bawolff updated subscribers of T187487: LiquidThreads: code stewardship review.
Sat, Feb 17, 1:56 PM · MediaWiki-extensions-LiquidThreads, Code-Stewardship-Reviews

Fri, Feb 16

Bawolff added a comment to T187584: Investigation: Using log_search to query for logged actions against IPs in a given range.

On enwiki there are some 3.5 million blocks of IPs in logging -- a rough guess judging by SELECT COUNT(*) FROM logging WHERE log_type = 'block' AND log_title rlike '^[1-9]' AND log_page = 0, and again without log_page = 0 (includes IPs that have a userpage and accounts that start with a number).

Fri, Feb 16, 9:58 PM · MediaWiki-Database, DBA
Bawolff added a comment to T187579: Create ip_logging table to query for logged actions by IP ranges.

It would depend on how important having the ipc_timestamp in the index actually is (since log_search doesn't have that. OTOH if there actually is a performance boost, that may be useful for other log_search use cases). Otherwise it's a pretty similar setup to the ip_changes table and actually in many ways is meant for a pretty similar use case (except log_search usually assumes the number of results will be very small).

Fri, Feb 16, 8:21 PM · MediaWiki-Database, MediaWiki-Logging, DBA
Bawolff added a comment to T187579: Create ip_logging table to query for logged actions by IP ranges.

Wouldn't this not work for the intended use case of T146628, as that's asking for the target of the block log entry, not the user associated with the log entry?

Fri, Feb 16, 8:05 PM · MediaWiki-Database, MediaWiki-Logging, DBA
Bawolff updated the task description for T140079: {{NUMBEROFACTIVEUSERS}} doesn’t get updated when $wgMiserMode = false.
Fri, Feb 16, 1:43 PM · MediaWiki-Installer, MediaWiki-User-login-and-signup, MediaWiki-Special-pages
Bawolff added a comment to T140079: {{NUMBEROFACTIVEUSERS}} doesn’t get updated when $wgMiserMode = false.

@Aklapper I am new to the bug reporting system; @Bawolff I just tried running MW 1.30 with $wgMiserMode = false defined, but there was no effect on getting the statistics to update itself again. :-(

Fri, Feb 16, 1:42 PM · MediaWiki-Installer, MediaWiki-User-login-and-signup, MediaWiki-Special-pages
Bawolff renamed T140079: {{NUMBEROFACTIVEUSERS}} doesn’t get updated when $wgMiserMode = false from {{NUMBEROFACTIVEUSERS}} doesn’t get updated to {{NUMBEROFACTIVEUSERS}} doesn’t get updated when $wgMiserMode = false.
Fri, Feb 16, 12:52 PM · MediaWiki-Installer, MediaWiki-User-login-and-signup, MediaWiki-Special-pages
Bawolff changed the visibility for T184354: XSS vulnerability on wikipedia.de.
Fri, Feb 16, 12:50 PM · WMDE-Fundraising-Sprint-17, WMDE-Fun-Team, Vuln-XSS, Security

Thu, Feb 15

Bawolff added a comment to T160357: Allow those with CheckUser right to access AbuseLog private information on WMF projects.

There's a whitelist in puppet for which log types are allowed on labs. Anything not on the list is not replicated to labs.

Thu, Feb 15, 3:17 PM · WMF-Legal, Patch-For-Review, Wikimedia-Site-requests, Stewards-and-global-tools, Security-Team, AbuseFilter
Bawolff added a comment to T182599: Make jenkins run phan-taint-check-plugin non-voting and then voting.

Ok, fixes for the failures at: https://gerrit.wikimedia.org/r/#/c/410876/ https://gerrit.wikimedia.org/r/#/c/410869/ and https://gerrit.wikimedia.org/r/#/c/410894/ (In particular, the ImageMap one was an actual issue, in that i18n error messages were being used as raw html)

Thu, Feb 15, 1:53 PM · MediaWiki-Platform-Team (MWPT-Q3-Jan-Mar-2018), Patch-For-Review, Continuous-Integration-Config, phan-taint-check-plugin, Security-Team
Bawolff added a comment to T141576: Please disable CX until drafts aren't completely private.

[I just randomly stumbled across this bug]

Thu, Feb 15, 12:54 PM · ContentTranslation, Language-Engineering July-September 2016, WMF-Legal, ContentTranslation-Release10
Bawolff added a project to T160357: Allow those with CheckUser right to access AbuseLog private information on WMF projects: WMF-Legal.

Get legal to sign off on this task (is it needed?)

Thu, Feb 15, 12:43 PM · WMF-Legal, Patch-For-Review, Wikimedia-Site-requests, Stewards-and-global-tools, Security-Team, AbuseFilter
Bawolff added a comment to T186247: Hebrew Wikivoyage (via Tool "wikivoyage") loads assets by default from third-party sites.

Just to confirm, Collaboration team is planning to take this task on right away?

Thu, Feb 15, 12:22 PM · Collaboration-Team-Triage (Collab-Team-This-Quarter), Vuln-Infoleak, Community-Liaisons, Collaboration-Feature-Rollouts (Collaboration-Maps), Discovery, Privacy, Toolforge-standards-committee, Maps, WMF-Legal, Tools
Bawolff added a comment to T180648: Expand the access to 2FA on fawiki.

Can I remind Security-Team to take a look at this and either approve or deny?

Thu, Feb 15, 12:10 PM · Support-and-Safety, Security-Team, Patch-For-Review, Wikimedia-Site-requests

Wed, Feb 14

Bawolff created T187377: Get taint info from docblock comments instead of having a hardcoded list.
Wed, Feb 14, 8:41 PM · phan-taint-check-plugin
Bawolff created T187311: Make phan-taint-check-plugin understand HTMLForm specifiers.
Wed, Feb 14, 12:17 PM · Patch-For-Review, phan-taint-check-plugin

Tue, Feb 13

Bawolff added a comment to T63729: Remove Flow from Meta-Wiki.

This applies to any extension with log types, not just StructuredDiscussions. It's expected behavior. There is no solution other than code duplication (which is okay if that's the best solution, but no one has explained why it is in this case).

The Flow logs are OK as-is, but I have a possible generic solution that can handle (probably) any future extension. Wouldn't it be possible to run the logs through the extension and store the results as plaintext? Then you don't need the code anymore. Any links would generally point to non-existent objects anyway.

Tue, Feb 13, 4:45 PM · User-notice-collaboration, Patch-For-Review, Community-Liaisons, Collaboration-Team-Triage, StructuredDiscussions, Wikimedia-Site-requests
Bawolff placed T184643: Security review for GlobalPreferences up for grabs.

Overall looks good. Review passed. Some small minor things:

Tue, Feb 13, 4:04 PM · Patch-For-Review, MediaWiki-extensions-GlobalPreferences, Community-Tech, Security-Reviews
Bawolff added a comment to T153182: Perform schema change to add externallinks.el_index_60 to all wikis.

Silly question - isn't the new index pointless? It's adding el_id on the end, but isn't that always on the end of every index, since it's the primary key?

Tue, Feb 13, 1:53 PM · Patch-For-Review, Schema-change, Blocked-on-schema-change, DBA
Bawolff added a comment to T155725: Security review for StopForumSpam.

@Bawolff The extension has changed a bit since the security review. Some files you listed do not exist anymore. I think I should request another security review, thoughts?

Tue, Feb 13, 12:50 PM · MediaWiki-extensions-StopForumSpam, Stewards-and-global-tools, Security-Reviews
Bawolff added a project to T179131: AbuseFilter should actively prune old IP data: Privacy.
Tue, Feb 13, 12:21 PM · Privacy, AbuseFilter
Bawolff claimed T184643: Security review for GlobalPreferences.
Tue, Feb 13, 12:16 PM · Patch-For-Review, MediaWiki-extensions-GlobalPreferences, Community-Tech, Security-Reviews
Bawolff added a comment to T184354: XSS vulnerability on wikipedia.de.

ping on this. How is this going?

Tue, Feb 13, 11:00 AM · WMDE-Fundraising-Sprint-17, WMDE-Fun-Team, Vuln-XSS, Security
Bawolff closed T186205: Enable Extension:Replace Text in Bengali Wikisource as Declined.

This extension is incompatible with the ExternalStorage feature used on Wikimedia wikis, so we cannot install it.

Tue, Feb 13, 10:47 AM · User-Jayprakash12345, Bengali-Sites, Wikimedia-Extension-setup
Bawolff closed T186215: Security review for Extension:Replace Text as Declined.

This extension is incompatible with the ExternalStorage feature used on Wikimedia wikis, so we can't install it, so there's not much point doing a security review.

Tue, Feb 13, 10:46 AM · Security-Reviews
Bawolff closed T186215: Security review for Extension:Replace Text, a subtask of T186205: Enable Extension:Replace Text in Bengali Wikisource, as Declined.
Tue, Feb 13, 10:45 AM · User-Jayprakash12345, Bengali-Sites, Wikimedia-Extension-setup
Bawolff updated the task description for T187153: BadMethodCallException (mRecord->getContent() when mRecord is null) when viewing details or examine of Abuselog of Abusefilter 131 on zh.wikipedia.
Tue, Feb 13, 10:12 AM · Anti-Harassment, Regression, Multi-Content-Revisions, User-Addshore, Wikimedia-log-errors, Chinese-Sites, AbuseFilter
Bawolff renamed T187153: BadMethodCallException (mRecord->getContent() when mRecord is null) when viewing details or examine of Abuselog of Abusefilter 131 on zh.wikipedia from BadMethodCallException when viewing details or examine of Abuselog of Abusefilter 131 on zh.wikipedia to BadMethodCallException (mRecord->getContent() when mRecord is null) when viewing details or examine of Abuselog of Abusefilter 131 on zh.wikipedia.
Tue, Feb 13, 10:11 AM · Anti-Harassment, Regression, Multi-Content-Revisions, User-Addshore, Wikimedia-log-errors, Chinese-Sites, AbuseFilter
Bawolff updated subscribers of T187153: BadMethodCallException (mRecord->getContent() when mRecord is null) when viewing details or examine of Abuselog of Abusefilter 131 on zh.wikipedia.

Which is super weird. I guess this would happen if the mRecord property of the Revision object is null, but I'm not sure how that could happen.

Tue, Feb 13, 10:10 AM · Anti-Harassment, Regression, Multi-Content-Revisions, User-Addshore, Wikimedia-log-errors, Chinese-Sites, AbuseFilter
Bawolff added a comment to T187153: BadMethodCallException (mRecord->getContent() when mRecord is null) when viewing details or examine of Abuselog of Abusefilter 131 on zh.wikipedia.
BadMethodCallException from line 906 of /srv/mediawiki/php-1.31.0-wmf.20/includes/Revision.php: Call to a member function getContent() on a non-object (null)
Tue, Feb 13, 9:56 AM · Anti-Harassment, Regression, Multi-Content-Revisions, User-Addshore, Wikimedia-log-errors, Chinese-Sites, AbuseFilter

Mon, Feb 12

Bawolff added a comment to T181417: Security Review - FlowCrypt; gmail encryption.

To be clear - I feel it would be nice to have an independent review although perhaps not a hard blocker (suppose it goes back to threat models and how "sensitive" the material being encrypted is)

Mon, Feb 12, 11:30 AM · Security-Reviews

Sun, Feb 11

Bawolff added a comment to T186989: Resource usage for QuizGame.

FWIW, I think in a replicated environment the original query (with the addition of wfWaitForSlave() and separating into separate commits) would be better than the proposed new query.

Sun, Feb 11, 7:54 AM · QuizGame, Social-Tools

Sat, Feb 10

D3r1ck01 awarded T182213: [Clonable] replace wfMessage()->rawParams() with wfMessage()->plaintextParams() where applicable a Mountain of Wealth token.
Sat, Feb 10, 5:50 PM · MW-1.31-release-notes (WMF-deploy-2018-01-09 (1.31.0-wmf.16)), MediaWiki-General-or-Unknown, MediaWiki-extensions-General, Google-Code-in-2017, Easy, Security
Jeff_G awarded T161934: Add support for JP2 files a Mountain of Wealth token.
Sat, Feb 10, 4:25 PM · MediaWiki-File-management, Commons, Multimedia

Fri, Feb 9

Bawolff added a project to T186766: MW api list=blocks doesn't return very old blocks where ipb_range_start is empty: MediaWiki-Maintenance-scripts.
Fri, Feb 9, 11:26 AM · MediaWiki-Maintenance-scripts, MediaWiki-User-management, MediaWiki-API
Bawolff added a comment to T185652: AutoProxyBlock uses unserialization on externally obtained php code.

Thanks! I was running into a lot of:

Cannot find symbolic reference
The following command failed with exit code 1
    "git symbolic-ref -q HEAD"
Fri, Feb 9, 12:13 AM · Vuln-Inject, Security-Extensions, Patch-For-Review, MediaWiki-extensions-Other, Security

Thu, Feb 8

Bawolff added a comment to T181417: Security Review - FlowCrypt; gmail encryption.

Given this is crypto software, it would be nice if it had published audits of its code (The underlying openpgp.js does appear to have an audit at https://github.com/openpgpjs/openpgpjs/wiki/Cure53-security-audit )

Thu, Feb 8, 9:30 AM · Security-Reviews
Bawolff created T186771: use phan to generate a list of extensions likely to be broken by new mediawiki release.
Thu, Feb 8, 3:03 AM · MediaWiki-Releasing
Bawolff added a comment to T182599: Make jenkins run phan-taint-check-plugin non-voting and then voting.

After a bit of fiddling... https://integration.wikimedia.org/ci/job/mwext-php70-phan-seccheck-docker/5/console is the result against AbuseFilter. The checkstyle XML is also in a more human readable form at https://integration.wikimedia.org/ci/job/mwext-php70-phan-seccheck-docker/5/checkstyleResult/

Thu, Feb 8, 2:09 AM · MediaWiki-Platform-Team (MWPT-Q3-Jan-Mar-2018), Patch-For-Review, Continuous-Integration-Config, phan-taint-check-plugin, Security-Team
Bawolff closed T74913: #expr error doesn't show non-ascii glyphs as Resolved.
Thu, Feb 8, 1:09 AM · MW-1.31-release-notes (WMF-deploy-2018-02-13 (1.31.0-wmf.21)), Patch-For-Review, I18n, MediaWiki-extensions-ParserFunctions
Bawolff closed T185652: AutoProxyBlock uses unserialization on externally obtained php code as Resolved.
Thu, Feb 8, 1:06 AM · Vuln-Inject, Security-Extensions, Patch-For-Review, MediaWiki-extensions-Other, Security
Bawolff closed T185652: AutoProxyBlock uses unserialization on externally obtained php code, a subtask of T185384: Convert AutoProxyBlock to use extension registration, as Resolved.
Thu, Feb 8, 1:06 AM · User-MarcoAurelio, Patch-For-Review, MediaWiki-extensions-Other
Bawolff added a comment to T185652: AutoProxyBlock uses unserialization on externally obtained php code.

Cherry-picks to REL1_30 and REL1_29 now merged as well. I couldn't cherry-pick to REL1_28 nor REL1_27 using the Gerrit GUI due to a "merge conflict".

Thu, Feb 8, 1:06 AM · Vuln-Inject, Security-Extensions, Patch-For-Review, MediaWiki-extensions-Other, Security
Bawolff changed the visibility for T185652: AutoProxyBlock uses unserialization on externally obtained php code.
Thu, Feb 8, 12:57 AM · Vuln-Inject, Security-Extensions, Patch-For-Review, MediaWiki-extensions-Other, Security

Wed, Feb 7

Bawolff created T186766: MW api list=blocks doesn't return very old blocks where ipb_range_start is empty.
Wed, Feb 7, 11:57 PM · MediaWiki-Maintenance-scripts, MediaWiki-User-management, MediaWiki-API
Bawolff added a comment to T186752: Swap objectcache table for MEMORY engine?.

For some cache cases surviving restarts is probably a good thing (e.g. sessions and maybe parser cache)

Wed, Feb 7, 10:08 PM · MediaWiki-Cache, MediaWiki-Database

Mon, Feb 5

Bawolff added a comment to T172640: MediaWiki internal error. RuntimeException ...MobileFrontend.hooks.php: wgMFDefaultSkinClass ....

My take on this:

Mon, Feb 5, 10:20 PM · MobileFrontend
Bawolff added a comment to T182599: Make jenkins run phan-taint-check-plugin non-voting and then voting.

@Bawolff should we also have a job for MediaWiki core that runs seccheck-mw?

Mon, Feb 5, 5:20 PM · MediaWiki-Platform-Team (MWPT-Q3-Jan-Mar-2018), Patch-For-Review, Continuous-Integration-Config, phan-taint-check-plugin, Security-Team
Bawolff added a comment to T182599: Make jenkins run phan-taint-check-plugin non-voting and then voting.

I think I've mostly got the dockerization ready for this, do you have an example extension that should pass this, and one that fails (or a patch I can apply to the passing one to make it fail)?

Mon, Feb 5, 5:16 PM · MediaWiki-Platform-Team (MWPT-Q3-Jan-Mar-2018), Patch-For-Review, Continuous-Integration-Config, phan-taint-check-plugin, Security-Team
Bawolff added a comment to T185652: AutoProxyBlock uses unserialization on externally obtained php code.

However, for best security, one should also urlencode stuff when building the url. e.g. on line 117, instead of manually turning the array to a url, it should use wfArrayToCgi

Done in:

Mon, Feb 5, 5:08 PM · Vuln-Inject, Security-Extensions, Patch-For-Review, MediaWiki-extensions-Other, Security
Bawolff added a comment to T185652: AutoProxyBlock uses unserialization on externally obtained php code.

How do I get it merged quickly? All https://www.mediawiki.org/wiki/Reporting_security_bugs tells me is that I shouldn't upload it to Gerrit.

Mon, Feb 5, 4:59 PM · Vuln-Inject, Security-Extensions, Patch-For-Review, MediaWiki-extensions-Other, Security
Bawolff added a comment to T185652: AutoProxyBlock uses unserialization on externally obtained php code.

@Bawolff If the patch above by @Mainframe98 is right now, should he just upload it to gerrit and get it quickly merged or follow a different step?

Mon, Feb 5, 3:38 PM · Vuln-Inject, Security-Extensions, Patch-For-Review, MediaWiki-extensions-Other, Security

Fri, Feb 2

Bawolff added a comment to T74913: #expr error doesn't show non-ascii glyphs.

Sure

Fri, Feb 2, 1:45 AM · MW-1.31-release-notes (WMF-deploy-2018-02-13 (1.31.0-wmf.21)), Patch-For-Review, I18n, MediaWiki-extensions-ParserFunctions

Thu, Feb 1

Dzahn awarded T167060: en.wiki domain owned by us, but isn't hosted by us?? a Love token.
Thu, Feb 1, 11:25 PM · WMF-Legal, Privacy, Domains, Operations, DNS, Traffic
Bawolff added a comment to T74913: #expr error doesn't show non-ascii glyphs.

Is there any problem with the Validator:cleanup() function in the core which converts non-ASCII characters to C?

Thu, Feb 1, 8:31 PM · MW-1.31-release-notes (WMF-deploy-2018-02-13 (1.31.0-wmf.21)), Patch-For-Review, I18n, MediaWiki-extensions-ParserFunctions

Tue, Jan 30

Bawolff added a comment to T144467: Security review for Google MT for Content Translation.

Given everyone's going to be at allhands/devsummit next week, maybe we could discuss this bug in person.

Tue, Jan 30, 8:08 PM · Language-2017-Oct-Dec, Services (watching), Parsing-Team, Language-2018-Jan-Mar, Language-Q1-2016-17 Sprint 6, ContentTranslation-Release10, Language-Engineering July-September 2016, Security-Reviews, Security-Extensions, ContentTranslation-Deployments, ContentTranslation-CXserver, ContentTranslation
Bawolff added a comment to T185282: Create subdomain for Design and Wikimedia User Interface Style Guide.

Have we considered just having it as a subdirectory of https://doc.wikimedia.org/ ? It seems like a documentation type thingy.

Tue, Jan 30, 7:47 PM · Domains, Operations, Design, WMF-Design, Traffic, WikimediaUI Style Guide

Mon, Jan 29

Bawolff added a project to T185652: AutoProxyBlock uses unserialization on externally obtained php code: Vuln-Inject.

Yes, this patch looks correct, and fixes the unserialization issue

Mon, Jan 29, 9:14 PM · Vuln-Inject, Security-Extensions, Patch-For-Review, MediaWiki-extensions-Other, Security
Bawolff added a comment to T185857: Throttle rule for 1Lib1Ref event.

That's quite a range. They are all associated with the University of Tennessee, but does all of U of Tenn really need to be whitelisted? Including ResNet?

Mon, Jan 29, 9:09 PM · Patch-For-Review, User-Zoranzoki21, Wikimedia-Site-requests

Sun, Jan 28

Bawolff added a comment to T164340: Request to add TerraCodes to the "oathauth-tester" group on meta.

As in, I think a steward would have to add you to the group.

Sun, Jan 28, 12:25 PM · Security-Team
Bawolff added a comment to T164340: Request to add TerraCodes to the "oathauth-tester" group on meta.

I think this is pretty obviously ok. Just needs someone to do it.

Sun, Jan 28, 12:23 PM · Security-Team

Sat, Jan 27

Bawolff added a comment to T181738: Google Code-in 2017: Collect Feedback and Lessons Learned.

Commenting on Andre's questions/suggestions:

The experience of most students not making use of IRC other than the first hour suggests to me that only a handful of the more experienced students are comfortable discussing on open or shared channels. Personally I doubt that a separate channel on whatever platform would attract more than the same handful, and it might discourage students from interacting with the wider community even more. I would suggest that we need to "sell" to the inhabitants of one of dev/tech channels the idea that their interaction with GCI students would be beneficial to Wikimedia if they saw the bigger picture and thought a little more long-term. The #Wikimedia-dev channel usually has around 200 folks idling there, but you're lucky if you see two comments an hour normally. Perhaps there's an equally useful channel that has a few more welcoming denizens where we could do some preparatory work prior to the next round. Any suggestions?

The online conference call for new mentors was invaluable for me, although it would have been more useful earlier. I appreciate all the work the organisers did (thank you! if I haven't made that clear before) and I know everyone is a volunteer, but it would pay dividends to give new mentors the earliest possible opportunity to understand more precisely what they will be doing, and what their responsibilities will be.

If we want to motivate students to interact more on IRC, we have to offer an incentive. What's in it for them?

It's worth asking all mentors to encourage students to continue their engagement with Wikimedia after the event closes. Perhaps having a page on meta specifically targeting GCI students with leads, contacts, suggestions for how they can continue, etc. might be useful as well?

I was a little disappointed that I only interacted as a mentor with a few other mentors (thank you particularly, Derick). Having a sense of working as a team is something I'd like to see developed among the mentors. Do we need a regular comms channel? Make use of a separate mailing list? Have regular conference calls?

Sat, Jan 27, 6:27 PM · Google-Code-in-2017, Developer-Relations (Jan-Mar-2018)
Bawolff closed T182878: Commons gadget "Gadget-advanced-search.js" is not working as Resolved.

I fixed it

Sat, Jan 27, 12:40 AM · Commons

Fri, Jan 26

Bawolff closed T184465: please add Casey Dentinger to Phabricator Security Project as Resolved.

Done

Fri, Jan 26, 8:15 PM · Security
Bawolff added a member for Security: cwdent.
Fri, Jan 26, 8:13 PM
Bawolff added a comment to T134455: Add experimental option for direct SVG output via srcset.

Its probably something that could be fixed in a post-processing layer to the svg.

Fri, Jan 26, 7:00 AM · Patch-For-Review, MediaWiki-File-management, Commons, Multimedia, Wikimedia-SVG-rendering

Wed, Jan 24

Bawolff updated subscribers of T185650: Change atom-link on special:NewPages from several Wikinews-projects.
Wed, Jan 24, 6:36 PM · Wikimedia-Site-requests
Bawolff placed T185650: Change atom-link on special:NewPages from several Wikinews-projects up for grabs.

I'm not sure I would describe the English discussion as consensus.

Wed, Jan 24, 6:32 PM · Wikimedia-Site-requests

Tue, Jan 23

Bawolff added a comment to T185012: WMDS 18: Collect feedback as it comes.

Noticed the vegetarian option for lunch Tuesday was 'available on request' instead of being put out with the meaty food. This may be an issue for people.

Tue, Jan 23, 10:24 PM · Wikimedia-Developer-Summit (2018)
Bawolff added a comment to T185012: WMDS 18: Collect feedback as it comes.

Found the keynote speech on Tuesday morning not really connected to Wikimedia. More emphasis on health domain and perhaps the speaker's current employer was not positive.

Explaining the nature of audience and highlevel things that we love to hear from the speaker might help.

Tue, Jan 23, 8:43 PM · Wikimedia-Developer-Summit (2018)
Bawolff added a comment to T184840: Create search keyword for deep category search.

As an aside, I think it would be more useful to users to have semi-deep. Most people want ~4 or 5 levels deep. The category tree becomes very messed up (at least on Commons) and usually gives weird results if you go 6 or more levels deep.

Tue, Jan 23, 8:32 PM · MW-1.31-release-notes (WMF-deploy-2018-02-20 (1.31.0-wmf.22)), Patch-For-Review, Discovery-Search (Current work), User-Smalyshev, TCB-Team, German-Community-Wishlist, Discovery
Bawolff added a comment to T185595: Assign additional owner to the Variables extension.

What's the path to choose here to get the patch finally merged?

Tue, Jan 23, 8:26 PM · MediaWiki-extensions-Other, Repository-Ownership-Requests
Bawolff added a comment to T185593: +2 for WMDE-leszek in mediawiki/*.

I often like to point out that all WMF employees (AFAIK) can technically merge in MediaWiki and all extensions, even when they have no contributions to core or any extensions.

Tue, Jan 23, 7:08 PM · User-Addshore, Repository-Ownership-Requests
Bawolff added a comment to T185593: +2 for WMDE-leszek in mediawiki/*.

I'm not sure how I feel. Leszek certainly has a lot of contributions to many extensions, and seems to be a good programmer. But I would normally want more contributions to MediaWiki core before +2 to core. (This should not be counted as a negative vote, I just need to think some about it)

Tue, Jan 23, 7:06 PM · User-Addshore, Repository-Ownership-Requests
Bawolff added a comment to T185593: +2 for WMDE-leszek in mediawiki/*.

I'm not sure how I feel. Leszek certainly has a lot of contributions to many extensions, and seems to be a good programmer. But I would normally want more contributions to MediaWiki core before +2 to core. (This should not be counted as a negative vote, I just need to think some about it)

Tue, Jan 23, 6:58 PM · User-Addshore, Repository-Ownership-Requests
Bawolff awarded T185594: Access to create gerrit repos for Addshore a Like token.
Tue, Jan 23, 6:45 PM · Release-Engineering-Team, User-Addshore, Gerrit
Bawolff added a comment to T182800: Username beginning with asterisk renders as list in “restore”/“undo” edit summaries of Wikibase items.

So core is fixed now, so we should be all clear to go ahead with the fix in wikidata

Tue, Jan 23, 1:08 AM · MW-1.31-release-notes (WMF-deploy-2018-02-06 (1.31.0-wmf.20)), Patch-For-Review, MediaWiki-extensions-WikibaseRepository, Wikidata

Mon, Jan 22

Bawolff added a comment to T184354: XSS vulnerability on wikipedia.de.

ping on this. How is this going?

Mon, Jan 22, 8:11 PM · WMDE-Fundraising-Sprint-17, WMDE-Fun-Team, Vuln-XSS, Security
Bawolff added a member for Security: JBennett.
Mon, Jan 22, 7:47 PM
Bawolff added a comment to T183313: Wikimedia Developer Summit 2018 Topic: Evolving the MediaWiki Architecture.

I'd like to see a focus on at least the following.

-Docker + Kubernetes with Parsoid included, with the legacy parser set to be deprecated within X years. We *will* support VE in the Wikimedia cluster (and if product management agrees to it I think it's sensible to bundle it with MediaWiki, too; but that's a secondary matter in a sense) so let's set a clear direction for the ecosystem, and let's do it in a way that acknowledges the need for developer productivity, the state of the industry, and resource elasticity. As to installation / builds for shared hosting providers (who have sufficient sophistication) and gold build virtual machines, I'm pretty sure that's compatible with this approach.

-Commitment to OpenAPI (Swagger) coverage of the Action API, with strict versioning. As a developer I also want "more RESTful" slash separated request URLs and responses, but if that has to be done in RESTBase alone for Wikimedia sites, that's fine, too.

-Addressing the need for high speed client (end user) access to full Parsoid / Page Content Service (PCS), PCS/Parsoid-derived, and general microservice endpoints. The number of objects in the edge cache will need to grow to address multi-device access (one HTML page for all modalities will not work), so we need to formalize the cache/purge strategy and probably consider more edge cache resources.

-Building out event orchestration. Both notifications to clients and increasing fusion of the project content and collaboration demand it.

Mon, Jan 22, 6:01 PM · MediaWiki-Platform-Team, User-Jdlrobson, Services (watching), User-mobrovac, User-Daniel, Wikimedia-Developer-Summit (2018)

Sun, Jan 21

Bawolff added a comment to T183313: Wikimedia Developer Summit 2018 Topic: Evolving the MediaWiki Architecture.

@Bawolff and you might very well be 100% correct. And that's totally fine. I'm not saying we should absolutely do this, I'm only saying that it's worth considering. I have no idea if Drupal (or something like it) would scale to what we need, but honestly, I don't think anyone else knows either (I'm confident it would, in my experience, but as you said, that's not a great argument). It would require some testing/research to find out.

Sun, Jan 21, 7:59 PM · MediaWiki-Platform-Team, User-Jdlrobson, Services (watching), User-mobrovac, User-Daniel, Wikimedia-Developer-Summit (2018)
Bawolff added a comment to T183313: Wikimedia Developer Summit 2018 Topic: Evolving the MediaWiki Architecture.

I'm asking you to trust my 9 years of Drupal experience.

Sun, Jan 21, 7:22 PM · MediaWiki-Platform-Team, User-Jdlrobson, Services (watching), User-mobrovac, User-Daniel, Wikimedia-Developer-Summit (2018)

Sat, Jan 20

Bawolff added a comment to T183313: Wikimedia Developer Summit 2018 Topic: Evolving the MediaWiki Architecture.

I think a lot of us (myself included) get stuck in the trap of thinking about how much time/effort/money we have spent on a piece of software and the thought of abandoning that software seems crazy,

Sat, Jan 20, 10:28 PM · MediaWiki-Platform-Team, User-Jdlrobson, Services (watching), User-mobrovac, User-Daniel, Wikimedia-Developer-Summit (2018)

Fri, Jan 19

Bawolff added a comment to T183318: Wikimedia Developer Summit 2018 Topic: Growing the MediaWiki Technical Community.

I thought https://medium.com/@sandya.sankarram/unlearning-toxic-behaviors-in-a-code-review-culture-b7c295452a3c was an interesting article kind of related to this topic

Fri, Jan 19, 11:52 PM · Developer-Relations, Wikimedia-Developer-Summit (2018)

Jan 18 2018

Bawolff added a comment to T179974: Add Annual Report 2017 to git repo.

Agreed @greg.

I've reviewed our timeline for this year's project and noted we had a 1hr alignment meeting between this group (security review) + Comms + the tech vendor on December 6, 2017. We can do earlier for next year/future projects, but we'll also need commitments to really make use of these alignment meetings to clarify precisely who and how we should coordinate tech hand-offs. Earlier meetings are only as good as the clarity they create.

Jan 18 2018, 7:56 PM · Security-Team, Annual-Report
Bawolff added a comment to T185236: Password Vault for Security Team.

Do we actually have shared secrets?

Jan 18 2018, 6:49 PM · Security-Team, Operations, Security

Jan 17 2018

Bawolff added a comment to T184582: Request access to analytics cluster for bawolff.

Thankyou

Jan 17 2018, 3:55 PM · Patch-For-Review, Ops-Access-Requests, Operations
Bawolff added a comment to T179974: Add Annual Report 2017 to git repo.

[Note, I am sort of away this week, so have limited availability]

Jan 17 2018, 3:22 AM · Security-Team, Annual-Report

Jan 15 2018

Bawolff added a comment to T181738: Google Code-in 2017: Collect Feedback and Lessons Learned.

On the subject of things Google will not change - it would be nice if, while one task is waiting for review, the student were allowed to start the next task, to reduce the time where the student has nothing to do (provided that they only have one waiting for review and they've successfully completed at least 2).

Jan 15 2018, 6:15 PM · Google-Code-in-2017, Developer-Relations (Jan-Mar-2018)

Jan 13 2018

Bawolff added a comment to T108734: Backport security fixes to stable + LTS extension branches.

I've always tried to ensure fixes are backported for extension fixes I'm involved with, but we probably need to do better.

Jan 13 2018, 2:25 AM · Security, MediaWiki-Releasing, Security-Extensions

Jan 12 2018

Bawolff added a comment to T179974: Add Annual Report 2017 to git repo.

@ZMcCune @Bawolff. I have some good news on the BebasNeue font. It seems to be floating around some different sites, but it appears that it has been freely licensed under the Open Font License (http://scripts.sil.org/cms/scripts/page.php?site_id=nrsi&id=OFL), which is an acceptable free license for font usage. It shows up under this license in a few places, including the original designer's website at http://dharmatype.com/license
So, you've got Legal approval for using that one.

Jan 12 2018, 11:31 PM · Security-Team, Annual-Report
Bawolff updated subscribers of T179974: Add Annual Report 2017 to git repo.
Jan 12 2018, 5:45 PM · Security-Team, Annual-Report
Bawolff added a comment to T179974: Add Annual Report 2017 to git repo.

Ok, review done.

Jan 12 2018, 5:28 PM · Security-Team, Annual-Report
Bawolff awarded T184230: Disavow emails from wikipedia.com a Like token.
Jan 12 2018, 4:35 PM · Patch-For-Review, Operations, Mail

Jan 11 2018

Bawolff added a comment to T179974: Add Annual Report 2017 to git repo.

I haven't finished with this yet, but the (relatively minor) concerns I have so far:

Jan 11 2018, 7:24 PM · Security-Team, Annual-Report
Bawolff added a comment to T144467: Security review for Google MT for Content Translation.

So I don't really feel that comfortable with DOMPurify, given that preventing HTTP leaks is outside their threat model. I'm also not really a fan of taking unsafe HTML and broadly trying to sanitize it instead of having a small whitelist of known expected HTML tags.

It would be at least as big as the whitelist for parsoid output, wouldn't it?

Jan 11 2018, 5:21 PM · Language-2017-Oct-Dec, Services (watching), Parsing-Team, Language-2018-Jan-Mar, Language-Q1-2016-17 Sprint 6, ContentTranslation-Release10, Language-Engineering July-September 2016, Security-Reviews, Security-Extensions, ContentTranslation-Deployments, ContentTranslation-CXserver, ContentTranslation
Bawolff added a comment to T181738: Google Code-in 2017: Collect Feedback and Lessons Learned.

I've found the limit of 1500 characters quite restrictive. Taking beginners through their first steps in a new language is rewarding, but requires a lot of detail in the instructions to keep them "on the rails".

In future, if we can't get an extension to what I consider a very arbitrary limit, we may need to use pages on-wiki to store detailed instructions, rather than in GCI itself. That may not necessarily be a bad thing.

Jan 11 2018, 3:52 AM · Google-Code-in-2017, Developer-Relations (Jan-Mar-2018)

Jan 10 2018

Bawolff updated the task description for T184582: Request access to analytics cluster for bawolff.
Jan 10 2018, 2:38 PM · Patch-For-Review, Operations, Ops-Access-Requests
Bawolff added a comment to T184483: reading spamblacklist logs.

Scraping data out of the serialized PHP data contained in the log_params field in a MariaDB view would be difficult at best. Performance would certainly be horrible if this artificial field was then expected to be searchable with SQL.

Jan 10 2018, 8:09 AM · Data-Services, MediaWiki-Logging, SpamBlacklist
Bawolff added a comment to T179974: Add Annual Report 2017 to git repo.

waiting for security review by security team

security team, please take a look at the gerrit link above

Jan 10 2018, 7:56 AM · Security-Team, Annual-Report