Language updated and will continue to monitor and adjust.

Hi @AMuigai - do you have a specific stop date / date we could begin review yet? Our process is frozen so long as commits are frequently being made. Alternatively, if you could choose a specific commit we could begin reviewing at that point with the understanding that we would *only* be reviewing to that point and further commits would not be included in our assessment.

We've determined that the expectation of "30 days" as a timeframe will only apply once the team has received everything needed to move forward and as long as nothing occurs to hamper / restart our review process. This could include changes to code, which would restart the 30 day timer. I'll look at precise phrasing of this for Readiness reviews, and it will not apply to Concept reviews.

@JTannerWMF We expect this to be in progress shortly and @sbassett will be in touch with any questions or concerns.

@Wugapodes - thanks for submitting this review. Is the goal in working upon and reviewing this extension to eventually get it into WMF production? If so, does it have any sponsoring WMF team or collective of individuals within Tech or Product? if there isn't a WMF sponsor and target deployment date, the Security-Team will have to triage this task as a lower priority for now. Thank you!

This task has been resourced but reviewing by the planned deployment date (month) can not be guaranteed as we are out for All Hands next week, leaving less than 30 days. We will do our best to meet the requested timeline and will be in contact as work progresses.

Closing per email conversation with @bcampbell in OIT- this is an old ticket that no longer requires work from the Security-Team.

Will review with @JBennett and AppSec team and plan on updating before 1/27/20

Massaged a bit @chasemp but @JBennett is going to look as well. https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Services has been updated.

@chasemp - talked to JB and we are good to run with just this as a first iteration / attempt at metrics. This list looks accurate (ish) for team names? https://office.wikimedia.org/wiki/Contact_list

Hi @CCicalese_WMF - apologies, I'm out of the office. Do you have a date you're aiming for? Let me know and we'll try and get someone on it fairly quickly.

Hi @CCicalese_WMF - can you please let us know if this is the only patch set you'd like us to look at? https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/OAuth/+/550847/

We are waiting decisions from the Frontend working group and declining until the direction being taken is more clear.

Happy @sbassett could help, and as he mentioned we'll be adding more and refining in the near future. Cheers :)

Excellent news @JTannerWMF - James is on it and we should have an update for you soon.

Hi @JTannerWMF - we've taken a look at this and once WMF-Legal has wrapped up their review we should only need a few days at most.

Hi @JTannerWMF, @sbassett beat me to the punch! We'll make a point of reviewing on Monday at our triage meeting and I'll be sure to touch base with you when we know what our timeline will look like.

As an initial approach to get better visibility around security issues for bundled and deployed extensions, we plan to send this supplementary announcement: https://phabricator.wikimedia.org/T232113

There is nothing in the repo and we do not know what plans Chase had / has for this. We will move to our "watching" column for the time being.

Upon review, Security Team is untagging as we will not be working on this ticket.

Upon review, Security Team is untagging as we will not be working on this ticket.

Security Team has reviewed and is untagging to remove from team backlog as we will not be actively working on the ticket. This was reviewed in a Concept Review: https://phabricator.wikimedia.org/T227820

Due to the explanation in T150605#4580720, the Security Team is resolving this task.

@Aklapper - as I said in my comment above, we were clearly mistaken. We are happy to perform any work that is needed.

Hi everyone,

Hi @Aklapper - apologies for any confusion. In a team meeting where we were working on cleaning up our workboard, we made the (apparently erroneous) assumption that this ticket had already been addressed and was no longer being worked on. If you could please let me know what additional actions are needed on this ticket I would be happy to keep things moving forward.

Resolving for the time being. Will revisit should the desire to pursue arise.

As nothing additional is required on this task, the Security Team is resolving. Please feel free to submit a new ticket should additional / further action be required.

The Security Team agrees and resolving this task for the time being.

The team has taken a look at this feels we can provide a basic review by your target deployment date, but that a more in-depth look may need to happen post-launch. We hope that this will work for you and your team - please let us know if you have any questions or concerns and we'll be in touch as we move forward.