Hi @CCicalese_WMF - I just wanted to send a quick reminder that, per our SOP, we do need a minimum of 30 days prior to a desired deployment date in order to properly resource and perform a Readiness Review.

Hi @CCicalese_WMF - thanks for the update. We'll take a look and please note that at least for deploy, our guidelines require that it is on Gerrit. We'll be in contact as our review proceeds.

Hi @Tgr - it does appear to need a re-review. We are putting in our backlog and unassigning until someone can pick it up. We're doing our best but have limited resource hours right now, so please let us know if you have any questions or concerns and we'll be in touch as we move forward. Thanks!

Hi there @Pchelolo - we were able to take a look at this in our clinic meeting today and have noted that you are aiming for an April 30th deployment date. While we don't currently see any issues with that date, please keep in mind that our ability to review in a timely fashion is subject to change (due to world pandemic chaos, and team members being affected, etc). Please let us know of any questions or concerns and we will be in touch as we move forward.

We are declining this ticket as it has been almost four years since last comment. Should new work be required please create a new ticket. Thank you!

We are declining this ticket as it has been 2+ years since last comment. Should new work be required please create a new ticket. Thank you!

We are declining this ticket as it has been almost three years since last comment. Should new work be required please create a new ticket. Thank you!

Hi @CCicalese_WMF and @WDoranWMF ,

There is no code to review or RFC at this time and we are unable to move forward until they exist. At this time we can and will move forward with the minishlink/web-push review: https://phabricator.wikimedia.org/T246714

Initial thoughts / starting point:
Team level:

Didn't get to this with JB today but it is on the radar and I have a short list going. Will touch base with him about it again soon.

Marking declined as there is no actionable work at this time. Please open a new ticket when / if work is needed on this in the future.

Hi @Tgr ! Security is working on cleaning up our boards a bit and we would appreciate confirmation that Privacy work is needed here. We were hoping you could take a look and let us know? If you would like to move forward we will ensure it is triaged and assigned accordingly.

Hi @Legoktm ! Security is working on cleaning up our boards a bit and we would appreciate confirmation that Privacy work is needed here. We were hoping you could take a look and let us know? If you would like to move forward we will ensure it is triaged and assigned accordingly.

Hi @TheDJ ! Security is working on cleaning up our boards a bit and we would appreciate confirmation that Privacy work is needed. We were hoping you could take a look and let us know? If you would like to move forward we will ensure it is triaged and assigned accordingly.

Hi @Tgr ! Security is working on cleaning up our boards a bit and we would appreciate confirmation that this Privacy work is still needed. We were hoping you could take a look and let us know? If you would like to move forward we will ensure it is triaged and assigned accordingly.

Hi @Yamaha5 ! Security is working on cleaning up our boards a bit and we would appreciate confirmation that this Privacy work is still needed. We were hoping you could take a look and let us know? If you would like to move forward we will ensure it is triaged and assigned accordingly.

Hi @Tgr ! Security is working on cleaning up our boards a bit and we would appreciate confirmation that Privacy work is still needed. We were hoping you could take a look and let us know? If you would like to move forward we will ensure it is triaged and assigned accordingly.

Hi @ggellerman ! Security is working on cleaning up our boards a bit and we would appreciate confirmation that this Privacy work is still needed. We were hoping you could take a look and let us know? If you would like to move forward we will ensure it is triaged and assigned accordingly.

Thank you, @Yurik ! Cheers

Hi @Yurivict ! Security is working on cleaning up our boards a bit and we would appreciate confirmation that this Privacy work is still needed. We were hoping you could take a look and let us know? If you would like to move forward we will ensure it is triaged and assigned accordingly. Thank you!

Hi @Yurik ! Security is working on cleaning up our boards a bit and we would appreciate confirmation that this Privacy work is still needed. We were hoping you could take a look and let us know? If you would like to move forward we will ensure it is triaged and assigned accordingly.

The original author is disabled and significant time has passed, so we will decline this work for the time being.

Language updated and will continue to monitor and adjust.

Hi @AMuigai - do you have a specific stop date / date we could begin review yet? Our process is frozen so long as commits are frequently being made. Alternatively, if you could choose a specific commit we could begin reviewing at that point with the understanding that we would *only* be reviewing to that point and further commits would not be included in our assessment.

We've determined that the expectation of "30 days" as a timeframe will only apply once the team has received everything needed to move forward and as long as nothing occurs to hamper / restart our review process. This could include changes to code, which would restart the 30 day timer. I'll look at precise phrasing of this for Readiness reviews, and it will not apply to Concept reviews.

@JTannerWMF We expect this to be in progress shortly and @sbassett will be in touch with any questions or concerns.

@Wugapodes - thanks for submitting this review. Is the goal in working upon and reviewing this extension to eventually get it into WMF production? If so, does it have any sponsoring WMF team or collective of individuals within Tech or Product? if there isn't a WMF sponsor and target deployment date, the Security-Team will have to triage this task as a lower priority for now. Thank you!

This task has been resourced but reviewing by the planned deployment date (month) can not be guaranteed as we are out for All Hands next week, leaving less than 30 days. We will do our best to meet the requested timeline and will be in contact as work progresses.

Closing per email conversation with @bcampbell in OIT- this is an old ticket that no longer requires work from the Security-Team.

Will review with @JBennett and AppSec team and plan on updating before 1/27/20

Regretfully, this ticket was outside of the team workflow thus your requests for review were not seen or acted upon by the Security Team in a timely fashion. We apologize for the confusion, as we are working hard to improve and evolve our processes. For future reference, tagging Security is not considered a request for service from the Security Team and following our SOP will ensure our prompt attention to your needs. Thank you - and again, we apologize for the confusion. We are adding our Security-Team tag and will take a look during our next clinic meeting.

Massaged a bit @chasemp but @JBennett is going to look as well. https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Services has been updated.

@chasemp - talked to JB and we are good to run with just this as a first iteration / attempt at metrics. This list looks accurate (ish) for team names? https://office.wikimedia.org/wiki/Contact_list

Hi @CCicalese_WMF - apologies, I'm out of the office. Do you have a date you're aiming for? Let me know and we'll try and get someone on it fairly quickly.

Hi @CCicalese_WMF - can you please let us know if this is the only patch set you'd like us to look at? https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/OAuth/+/550847/

We are waiting decisions from the Frontend working group and declining until the direction being taken is more clear.

Happy @sbassett could help, and as he mentioned we'll be adding more and refining in the near future. Cheers :)

Excellent news @JTannerWMF - James is on it and we should have an update for you soon.

Hi @JTannerWMF - we've taken a look at this and once WMF-Legal has wrapped up their review we should only need a few days at most.

Hi @JTannerWMF, @sbassett beat me to the punch! We'll make a point of reviewing on Monday at our triage meeting and I'll be sure to touch base with you when we know what our timeline will look like.

As an initial approach to get better visibility around security issues for bundled and deployed extensions, we plan to send this supplementary announcement: https://phabricator.wikimedia.org/T232113

There is nothing in the repo and we do not know what plans Chase had / has for this. We will move to our "watching" column for the time being.

Upon review, Security Team is untagging as we will not be working on this ticket.

Upon review, Security Team is untagging as we will not be working on this ticket.