Hi @Urbanecm_WMF - can you please let us know what your target deployment date is? It will help us to resource this appropriately. Please know that next quarter (Q1) would be the soonest we'd be able to get you in queue for review. Thank you!

Thanks, @ori . These assumptions sound correct to us and make a beta deployment for this extension low risk. While the Security Team is not in the business of giving thumbs up/thumbs down approvals, low risk is automatically accepted by the Foundation thus unblocking beta deployment. I hope this is helpful and helps you to move forward with the project.

This won't be revisited until related upstream workflows are addressed.

@sbassett we have a pile of these without tasks, boards, or members. We're aware and incorporating into workflow changes / development. Expect a team review of it all...eventually.

Thank you for doing this work, we appreciate your efforts in trying to get this extension to production. Unfortunately, the Security team is unable to assign a risk rating based upon a review not performed by a member of the Security team or an approved vendor.

Sending over to @Dsharpe as a supplier assessment. David, please let me know if we should send these your way via some other workflow?

@Volker_E @Jdlrobson Please respond to our previous message by April 20 or we will need to move this to our backlog. Thanks!

@ori We will discuss at our next AppSec scrum and provide an update next week. Thanks!

Apologies for the lack of updates @Jdlrobson - we do have a vendor lined up to complete this and will be in touch as they move forward. Thank you for your patience.

Hi, just a quick reminder that, as mentioned above, we will be unable to prioritize and schedule a security review until we've received an intended production support plan, including any potential Foundation team sponsorship. Please review our SOP for details: https://www.mediawiki.org/wiki/Security/SOP/Security_Readiness_Reviews

Hi @SLien_WMF - we'd love to schedule a quick chat to clarify. Could you please email me and let me know who would attend, and I will get something scheduled? Thanks!

@CKoerner_WMF Looks like we are all set for now and @Reedy expects to finish next week. Have a great weekend :)

Hi @MBinder_WMF - I noted that we still had it marked "Needs Triage" and wanted to correct that error. Adjust priority as needed. There is discussion happening around the remaining question and it was raised again just yesterday. We'll pursue resolution for you as soon as possible and apologize for the delay.

We are untagging as there is currently no path to production that we are aware of. Should this change, please feel free to tag us back in and we will triage.

We are untagging as there is currently no path to production that we are aware of. Should this change, please feel free to tag us back in and we will triage.

We are untagging as there is currently no path to production that we are aware of. Should this change, please feel free to tag us back in and we will triage.

Untagging as there has been no activity. Please feel free to re-tag if this moves forward and we will be happy to triage.

Sending to @Dsharpe for vendor assessment

Untagging as there has been no activity. Please feel free to re-tag if this moves forward and we will be happy to triage.

@SBisson @sbassett I'll place in planning queue for Q4 (https://phabricator.wikimedia.org/tag/secscrum/) and we'll be in touch if anything changes / is of concern. Thanks!

@bd808 we have placed you in queue for next quarter, with work expected to begin in May for a late June launch date. Please note that all relevant code should be in a production-ready state (close to deployment with low volatility) to maintain this estimated timeline per our SOP: https://www.mediawiki.org/wiki/Security/SOP/Security_Readiness_Reviews

Hi @bd808 - thank you for submitting this early! We will review in our call tomorrow and be in touch with any questions or concerns we have about getting you in queue.

Hi @AnneT -as we mentioned in our call, we're revamping our scheduling process a bit to provide more clarity and transparency around our workload management and prioritization process. You'll see that we've placed you into queue for this quarter: https://phabricator.wikimedia.org/tag/secscrum/ and @sbassett or @Reedy will be in touch with any questions or concerns. Thanks for your patience, and please feel free to reach out at any time!

Hi @AnneT - we're in the process of finalizing our queue for Q3 and we're wondering if you can let us know how close this is to production ready/what your timeline is? Thank you!

Hi @Jdlrobson - we're revamping our scheduling process a bit to provide more clarity and transparency around our workload management and prioritization process. You'll see that we've placed you into queue for this quarter, and will do our best to meet your target deployment date: https://phabricator.wikimedia.org/tag/secscrum/ and @sbassett or @Reedy will be in touch with any questions or concerns. Thanks for your patience as we work through this, and please feel free to reach out at any time!

Hi @CKoerner_WMF - we're revamping our scheduling process a bit to provide more clarity and transparency around our workload management and prioritization process. You'll see that we've placed you into queue for this quarter: https://phabricator.wikimedia.org/tag/secscrum/ and @sbassett or @Reedy will be in touch with any questions or concerns. Thanks for your patience as we work through this, and please feel free to reach out at any time!

@DannyS712 I've just spoken with @Reedy and at this point "by the end of the quarter" is what we are in a position to commit to. We appreciate that the grant was scheduled for the end of November, but I'm afraid we are still limited by pandemic resourcing, such as it is.

@Aklapper what magic did you work? I just got 5 verification emails :)

Thanks so much for working on this. When you get to step #5 above - where you receive an email to the new address? I never get that email.

@JTannerWMF - we've taken a look and would appreciate it if you would fill out the Security Readiness Review form. Thanks!

@Aklapper I am seeing both -ctr as primary and jcross as added but needing verification. I've clicked "verify" several times over several days and never received anything.

Hi @nnikkhoui - we were told that you are the new contact for both this ticket and https://phabricator.wikimedia.org/T257734. We're wondering if there are any changes we need to know about and whether you have a new deployment timeline? Thanks so much.

Hi @CKoerner_WMF - we just wanted to touch base as this is noted as a November target deployment date. With all of the holidays this month and a somewhat reduced capacity, we are looking to complete this towards the end of the month. We hope that works for your timeline?

HI @MusikAnimal - we've had a few bumps in the road recently and we do plan to complete it this quarter. We'll be in touch with any questions or concerns and we apologize for the delay.

Hi @Tchanders - we've moved this ticket to In Progress and I believe we are planning on having feedback for you in the next two weeks. Please let us know if you have any questions as we move forward. Thanks!

Hey @WDoranWMF - this looks good and we hope to get it assigned shortly.

@Niharika this is currently stalled and we will have a more complete update soon.

@Lokal_Profil Thank you, sorry we missed that.

Hey @WDoranWMF Is the extension in a stable reviewable state?

@Lokal_Profil There are a few processes we are unable to find evidence of having been followed, and we'd be happy to provide those if you'd like - but it's largely the issue of there being no path to production that will necessitate us prioritizing this review as "Low". We simply do not have the resources to spend on reviews that do not have support plans already in place. This does not mean that we are declining, but that reviews with a support plan in place will always be worked on first. Please let us know if anything changes and we will reconsider priority.

@Lokal_Profil - This still isn't ready for review because there are still too many unanswered questions in the task. Is there any maintenance plan with a group at WMF or a long term roadmap or support plan?

Hi @dbarratt - we'd appreciate it if you could please provide all of the information requested on our RFS form located here: https://phabricator.wikimedia.org/maniphest/task/edit/form/79/ We are here to answer any questions and additional information regarding our process is available here: https://www.mediawiki.org/wiki/Security/SOP/Security_Readiness_Reviews

Patch is merged, moving to Back Orders so that we can schedule on Wed. call. Apologies for delay, I've been out.