Parent5446 (Tyler Romeo)
User

User Details

User Since
Oct 7 2014, 4:17 PM (217 w, 6 d)
Availability
Available
IRC Nick
parent5446
LDAP User
Parent5446
MediaWiki User
Parent5446

Recent Activity

Nov 11 2018

Liuxinyu970226 awarded T100373: U2F integration for Extension:OATHAuth a Like token.
Nov 11 2018, 6:52 AM · MediaWiki-extensions-OATHAuth

Nov 5 2018

Capankajsmilyo awarded T60425: Mobile site does not automatically redirect to desktop version (and not possible to use browser "use desktop view") a Burninate token.
Nov 5 2018, 4:21 PM · Puppet, User-Jdlrobson, Readers-Web-Backlog (Tracking), MobileFrontend
Capankajsmilyo awarded T60425: Mobile site does not automatically redirect to desktop version (and not possible to use browser "use desktop view") a Love token.
Nov 5 2018, 4:21 PM · Puppet, User-Jdlrobson, Readers-Web-Backlog (Tracking), MobileFrontend

Oct 2 2018

jhsoby awarded T60425: Mobile site does not automatically redirect to desktop version (and not possible to use browser "use desktop view") a Love token.
Oct 2 2018, 12:04 AM · Puppet, User-Jdlrobson, Readers-Web-Backlog (Tracking), MobileFrontend

Jun 9 2018

Tgr awarded T48148: Allow hiding of non-discussion comments in Gerrit a Love token.
Jun 9 2018, 6:10 PM · Zuul, Gerrit

May 19 2018

Krenair awarded T60425: Mobile site does not automatically redirect to desktop version (and not possible to use browser "use desktop view") a Burninate token.
May 19 2018, 8:14 PM · Puppet, User-Jdlrobson, Readers-Web-Backlog (Tracking), MobileFrontend

Feb 20 2017

Parent5446 created T158604: Investigate usefulness of SameSite cookies for logged-in accounts.
Feb 20 2017, 9:23 PM · Security, Operations, Traffic, Security-Core, MediaWiki-Authentication-and-authorization

Feb 16 2017

Parent5446 added a comment to T158153: Consider changing OATH scratch tokens to use six digits.

In scenario 2, the probabilities are exclusive and you can just add them together so the attacker's chance of success is 1E-6 * 1E4 = 0.01, exactly the same. (Actually very slightly larger but the difference starts at the fifth digit after the decimal point.)

Feb 16 2017, 7:38 AM · MediaWiki-extensions-OATHAuth
Parent5446 added a comment to T158153: Consider changing OATH scratch tokens to use six digits.

An attacker can already launch a year-long attack on the normal (non-scratch) tokens. That they change periodically does not protect against that at all.

Feb 16 2017, 3:06 AM · MediaWiki-extensions-OATHAuth

Feb 15 2017

Parent5446 added a comment to T158153: Consider changing OATH scratch tokens to use six digits.

Whether the number to hit changes every once in a while or not makes no difference whatsoever when you are guessing randomly. For a small number of guesses that's a negligible difference.

Feb 15 2017, 10:29 PM · MediaWiki-extensions-OATHAuth
Parent5446 added a comment to T158153: Consider changing OATH scratch tokens to use six digits.

Note that the scratch tokens operate under a different attack scenario than TOTP codes, and thus they cannot be the same format.

The task description already explains why that difference is negligible (a factor of two at most).

Feb 15 2017, 9:13 PM · MediaWiki-extensions-OATHAuth
Parent5446 added a comment to T158153: Consider changing OATH scratch tokens to use six digits.

Note that the scratch tokens operate under a different attack scenario than TOTP codes, and thus they cannot be the same format.

Feb 15 2017, 8:42 PM · MediaWiki-extensions-OATHAuth

Feb 9 2017

Parent5446 merged T157746: Require two-factor authentication for certain user groups into T150562: Be able to force OATHAuth for certain user groups.
Feb 9 2017, 10:45 PM · Patch-For-Review, Security, Trust-and-Safety, Stewards-and-global-tools, MediaWiki-extensions-OATHAuth
Parent5446 merged task T157746: Require two-factor authentication for certain user groups into T150562: Be able to force OATHAuth for certain user groups.
Feb 9 2017, 10:45 PM · MediaWiki-extensions-OATHAuth

Jan 2 2017

Parent5446 added a comment to T5311: Automatic category redirects.

@Parent5446 this task has been assigned to you. Do you plan on working on this or mentoring this for the upcoming Outreachy-13 round?

Jan 2 2017, 4:24 AM · Community-Wishlist-Survey-2016, Contributors-Team, Patch-For-Review, Performance, MediaWiki-Categories

Jan 1 2017

Liuxinyu970226 awarded T5311: Automatic category redirects a Like token.
Jan 1 2017, 3:12 AM · Community-Wishlist-Survey-2016, Contributors-Team, Patch-For-Review, Performance, MediaWiki-Categories

Dec 26 2016

Parent5446 moved T151738: OATH code field should show numeric keyboard on mobile devices from Backlog to User Experience on the MediaWiki-extensions-OATHAuth board.
Dec 26 2016, 8:30 PM · Mobile, Accessibility, MediaWiki-extensions-OATHAuth
Parent5446 merged T154135: Unable to login to mobile app with 2FA enabled into T150900: [Android] Allow users to log in with 2FA in the app.
Dec 26 2016, 8:27 PM · Wikipedia-Android-App-Backlog (Android-app-release-v2.6.19x-Bermuda🌴), Patch-For-Review, Android-app-Bugs, Mobile
Parent5446 merged task T154135: Unable to login to mobile app with 2FA enabled into T150900: [Android] Allow users to log in with 2FA in the app.
Dec 26 2016, 8:27 PM · Wikipedia-Android-App-Backlog, User-Urbanecm, MediaWiki-extensions-OATHAuth

Dec 19 2016

Parent5446 added a comment to T153691: Strengthen two factor authentication by making it concurrent instead of sequential during the authentication process.

This of course is equivalent to exposing whether or not the user has OATH enabled, since an attacker could just use a dummy password and then see if they get an OATH prompt.

Dec 19 2016, 8:45 PM · Security, MediaWiki-Authentication-and-authorization, MediaWiki-extensions-OATHAuth
Parent5446 added a comment to T153691: Strengthen two factor authentication by making it concurrent instead of sequential during the authentication process.

Note that this was achieved in https://gerrit.wikimedia.org/r/280672, so maybe this is more a bug with AuthManager than it is this extension?

Dec 19 2016, 5:53 PM · Security, MediaWiki-Authentication-and-authorization, MediaWiki-extensions-OATHAuth

Dec 13 2016

Parent5446 added a comment to T152926: Set channel cmode +S for wikimedia private IRC-Channels.

Also, does this task need to be private? Anyone can look up channel modes.

Dec 13 2016, 6:03 PM · Privacy, Security

Nov 17 2016

Parent5446 added a comment to T150947: Allow users enabling OATH to create a cryptographic scheme (committed identity) for identification and account recovery.

I'm tempted to decline this, but maybe others feel differently.

Nov 17 2016, 6:20 PM · Security-General, Security-Team, MediaWiki-extensions-OATHAuth, Security

Nov 13 2016

Parent5446 moved T150564: Improve/Clarify OATHAuth messages from Backlog to User Experience on the MediaWiki-extensions-OATHAuth board.
Nov 13 2016, 7:22 AM · I18n, MediaWiki-extensions-OATHAuth
Parent5446 moved T150587: 2FA recovery codes go on to 2 pages when printed. from Backlog to User Experience on the MediaWiki-extensions-OATHAuth board.
Nov 13 2016, 7:22 AM · MW-1.30-release-notes (WMF-deploy-2017-05-23_(1.30.0-wmf.2)), MediaWiki-extensions-OATHAuth
Parent5446 closed T150596: OATHAuth extension should declare the issuer name when setting up 2FA as Resolved.
Nov 13 2016, 7:21 AM · MW-1.29-release (WMF-deploy-2016-11-15_(1.29.0-wmf.3)), Patch-For-Review, User-Hydriz, goodfirstbug, MediaWiki-extensions-OATHAuth

Nov 12 2016

Parent5446 added a comment to T55192: Merge Extension:TwoFactorAuthentication into Extension:OATHAuth.

It should be just that. I filed a bug for every difference between the two at the time.

Nov 12 2016, 3:11 AM · Goal, MediaWiki-extensions-TwoFactorAuthentication, Technical-Debt, MediaWiki-extensions-OATHAuth
Parent5446 added a subtask for T150565: Support physical OATH/OTP devices: T100373: U2F integration for Extension:OATHAuth.
Nov 12 2016, 3:10 AM · MediaWiki-extensions-OATHAuth
Parent5446 added a parent task for T100373: U2F integration for Extension:OATHAuth: T150565: Support physical OATH/OTP devices.
Nov 12 2016, 3:10 AM · MediaWiki-extensions-OATHAuth

Oct 12 2016

Parent5446 updated subscribers of T131788: Users should be notified when only two scratch tokens are left.

Should there also be a way to generate a new set of recovery tokens, or is the "fix" for that to disable and then re-enable OATH?

Oct 12 2016, 3:40 AM · Growth-Team, Collaboration-Team-Triage, Notifications, MediaWiki-extensions-OATHAuth
Parent5446 added a comment to T147901: Add variable to represent group of wikis, rather than using $wgDBname.

Is there some sense of a global site group name in CentralAuth? If there isn't then we should just have a config variable for this extension, rather than forcing the string "Wikimedia".

Oct 12 2016, 3:24 AM · MediaWiki-extensions-OATHAuth

Oct 4 2016

Parent5446 added a comment to T5233: Send a cookie with each block.

I'd remove it. I really do not remember why I added it, and if I added it because of people accidentally blocking themselves...well that was a stupid reason. If people want to block themselves, maybe it's for the best anyway.

Oct 4 2016, 3:25 AM · MW-1.29-release-notes, Community-Tech, User-notice, Trust-and-Safety, MediaWiki-Authentication-and-authorization, MediaWiki-User-management

Sep 21 2016

Jdforrester-WMF awarded T5233: Send a cookie with each block a Like token.
Sep 21 2016, 12:34 AM · MW-1.29-release-notes, Community-Tech, User-notice, Trust-and-Safety, MediaWiki-Authentication-and-authorization, MediaWiki-User-management

Aug 13 2016

Parent5446 added a watcher for Repository-Ownership-Requests: Parent5446.
Aug 13 2016, 7:40 PM

Jun 22 2016

Parent5446 closed T130493: Message is 5.7.1 not RFC 5322 compliant as Resolved.
Jun 22 2016, 8:40 PM · Patch-For-Review, MediaWiki-extensions-Mailgun

Jun 3 2016

Parent5446 moved T136988: QR code displayed inconsistently from Backlog to Need for Deployment on the MediaWiki-extensions-OATHAuth board.
Jun 3 2016, 9:46 PM · MW-1.28-release (WMF-deploy-2016-06-21_(1.28.0-wmf.7)), MW-1.28-release (WMF-deploy-2016-06-14_(1.28.0-wmf.6)), MW-1.28-release (WMF-deploy-2016-06-28_(1.28.0-wmf.8)), Patch-For-Review, MediaWiki-extensions-OATHAuth
Parent5446 moved T136989: Enabling two-factor authentication disrupts SUL behavior from Backlog to Need for Deployment on the MediaWiki-extensions-OATHAuth board.
Jun 3 2016, 9:46 PM · MediaWiki-extensions-OATHAuth
Parent5446 moved T124445: Design research support for two step authentication from In Progress to User Experience on the MediaWiki-extensions-OATHAuth board.
Jun 3 2016, 9:46 PM · Security-team-backlog, MediaWiki-extensions-OATHAuth
Parent5446 moved T131789: Survey how other web properties using 2FA handle token/account reset from In Progress to User Experience on the MediaWiki-extensions-OATHAuth board.
Jun 3 2016, 9:45 PM · MediaWiki-extensions-OATHAuth
Parent5446 moved T136383: Conduct usability survey of full two-factor authentication experience from In Progress to User Experience on the MediaWiki-extensions-OATHAuth board.
Jun 3 2016, 9:45 PM · MediaWiki-extensions-OATHAuth
Parent5446 moved T100375: Improve user experience of Two-Factor process from In Progress to User Experience on the MediaWiki-extensions-OATHAuth board.
Jun 3 2016, 9:45 PM · Security-team-backlog, MediaWiki-extensions-OATHAuth
Parent5446 added a comment to T136988: QR code displayed inconsistently.

Is there a scenario in which this can be reproduced? Or is it seemingly random?

Jun 3 2016, 9:44 PM · MW-1.28-release (WMF-deploy-2016-06-21_(1.28.0-wmf.7)), MW-1.28-release (WMF-deploy-2016-06-14_(1.28.0-wmf.6)), MW-1.28-release (WMF-deploy-2016-06-28_(1.28.0-wmf.8)), Patch-For-Review, MediaWiki-extensions-OATHAuth

May 27 2016

Parent5446 added a comment to T131359: Special:OATH QR-code mangles accents.

I will check it out, although there's a strong possibility this was another bug caused by the lack of URI encoding. I will investigate and report back here.

May 27 2016, 4:55 AM · MediaWiki-extensions-OATHAuth

May 26 2016

Parent5446 added a comment to T136350: Move two-factor auth data (TOTP seed) from labswiki database to LDAP.

I've lost track of exactly what features AuthManager supports, but does it allow storing of arbitrary user authentication metadata? Because then once Extension:OATHAuth is converted to use AuthManager, we can just have the authentication provider store and fetch the secret from the generic backend interface.

May 26 2016, 9:14 PM · MediaWiki-extensions-OATHAuth, Cloud-Services

May 24 2016

Parent5446 closed T134101: Community Bonding Period evaluation for Implementing HTML E-Mail support for MediaWiki as Resolved.
May 24 2016, 1:40 PM · MediaWiki-Email
Parent5446 closed T134101: Community Bonding Period evaluation for Implementing HTML E-Mail support for MediaWiki, a subtask of T130490: GSoC/Outreachy proposal for Implementing HTML E-Mail support in MediaWiki, as Resolved.
May 24 2016, 1:40 PM · Outreachy-Round-12, Google-Summer-of-Code (2016), MediaWiki-Email
Parent5446 closed T134101: Community Bonding Period evaluation for Implementing HTML E-Mail support for MediaWiki, a subtask of T133647: Community Bonding Period evaluation of GSoC 2016 projects (tracking), as Resolved.
May 24 2016, 1:40 PM · Google-Summer-of-Code-2016-Organization, Tracking, Google-Summer-of-Code (2016)

May 2 2016

Qgil awarded T132017: Throttle for newsletter announcements a Love token.
May 2 2016, 7:59 AM · Patch-For-Review, MediaWiki-extensions-Newsletter

Apr 19 2016

Qgil awarded T132019: Add table prefix to sub-queries in NewsletterTablePager a Yellow Medal token.
Apr 19 2016, 8:11 AM · Patch-For-Review, MediaWiki-extensions-Newsletter

Apr 10 2016

Parent5446 closed T31856: Email notification to old address when verified email address is changed or removed as Resolved.
Apr 10 2016, 5:32 AM · MW-1.27-release (WMF-deploy-2016-04-12_(1.27.0-wmf.21)), MW-1.27-release-notes, Patch-For-Review, MediaWiki-Email

Apr 7 2016

Parent5446 added subtasks for T115095: Security review of Newsletter extension: T132016: Add CheckUser integration to Extension:Newsletter, T132017: Throttle for newsletter announcements, T132018: Add newsletter description to log messages, T132019: Add table prefix to sub-queries in NewsletterTablePager, T132022: Add AbuseFilter integration to Extension:Newsletter.
Apr 7 2016, 4:54 AM · Patch-For-Review, Security-Team, Wikimedia-Hackathon-2016, Security-Reviews, MediaWiki-extensions-Newsletter
Parent5446 added a parent task for T132017: Throttle for newsletter announcements: T115095: Security review of Newsletter extension.
Apr 7 2016, 4:54 AM · Patch-For-Review, MediaWiki-extensions-Newsletter
Parent5446 added a parent task for T132016: Add CheckUser integration to Extension:Newsletter: T115095: Security review of Newsletter extension.
Apr 7 2016, 4:54 AM · Patch-For-Review, MediaWiki-extensions-Newsletter
Parent5446 added a parent task for T132019: Add table prefix to sub-queries in NewsletterTablePager: T115095: Security review of Newsletter extension.
Apr 7 2016, 4:54 AM · Patch-For-Review, MediaWiki-extensions-Newsletter
Parent5446 added a parent task for T132018: Add newsletter description to log messages: T115095: Security review of Newsletter extension.
Apr 7 2016, 4:54 AM · MediaWiki-extensions-Newsletter, Patch-For-Review
Parent5446 added a parent task for T132022: Add AbuseFilter integration to Extension:Newsletter: T115095: Security review of Newsletter extension.
Apr 7 2016, 4:54 AM · Patch-For-Review, MediaWiki-extensions-Newsletter
Parent5446 created T132022: Add AbuseFilter integration to Extension:Newsletter.
Apr 7 2016, 4:54 AM · Patch-For-Review, MediaWiki-extensions-Newsletter
Parent5446 created T132019: Add table prefix to sub-queries in NewsletterTablePager.
Apr 7 2016, 4:44 AM · Patch-For-Review, MediaWiki-extensions-Newsletter
Parent5446 created T132018: Add newsletter description to log messages.
Apr 7 2016, 4:42 AM · MediaWiki-extensions-Newsletter, Patch-For-Review
Parent5446 created T132017: Throttle for newsletter announcements.
Apr 7 2016, 4:39 AM · Patch-For-Review, MediaWiki-extensions-Newsletter
Parent5446 created T132016: Add CheckUser integration to Extension:Newsletter.
Apr 7 2016, 4:38 AM · Patch-For-Review, MediaWiki-extensions-Newsletter
Parent5446 added a comment to T115095: Security review of Newsletter extension.

I am going to make separate tasks for some of the feedback.

Apr 7 2016, 4:27 AM · Patch-For-Review, Security-Team, Wikimedia-Hackathon-2016, Security-Reviews, MediaWiki-extensions-Newsletter

Apr 4 2016

Parent5446 added a comment to T131789: Survey how other web properties using 2FA handle token/account reset.
  • Google: They allow login if you have one of any two-factors available (i.e., they support SMS and phone call as alternatives to TOTP). Additionally, when logging in with 2FA, Google allows you to mark a computer as "trusted". You can use a trusted computer that is still logged in to disable 2FA. Otherwise, you need to file an account recovery form, which Google responds to manually after a few business days. Things they ask on the form (I presume they have a further protocol beyond submission of the form, probably involving submission of government ID):
    • The date you created your account and the date you last accessed it (required)
    • Your security question, if enabled (optional, even if the question is enabled)
    • Up to five email addresses you frequently contact and up to five Gmail labels you created (optional)
    • Your first recovery email address (optional)
    • Other Google products you use and approximately when you started using them (optional)
    • An explanation of how you lost access to your account
    • Contact information for sending the password reset
  • Facebook: Submission of a government ID, or (strangely) you can take a picture of yourself holding a code that Facebook gives you.
  • GitHub, Apple, and Dropbox: Do not offer account recovery at all. You either need a phone with SMS for backup, or another backup token of some sort. If you lose all of your 2FA, you have lost access to your account permanently.
  • LastPass: They allow removal of 2FA from the account by just sending a confirmation email to the primary account email. If you lost access to your primary email, I am not sure what options are available.
  • Amazon Web Services: You have to file a support ticket to remove 2FA, after which they call you on the phone and ask for some trivial verification information (such as your credit card number on file).
Apr 4 2016, 8:36 PM · MediaWiki-extensions-OATHAuth

Apr 3 2016

Parent5446 added a comment to T15303: Implement HTML e-mail support in MediaWiki.
  1. Have a single i18n message in plain text and then convert the message to HTML when needed. (This is the method @Galorefitz describes in T130490).

@Parent5446 I actually proposed the second method in my proposal, not the first, i.e.,

Apr 3 2016, 12:24 PM · Outreach-Programs-Projects, Patch-For-Review, MediaWiki-Email
Qgil awarded T110552: Implement logging in Newsletter a Love token.
Apr 3 2016, 7:48 AM · Patch-For-Review, Wikimedia-Hackathon-2016, MediaWiki-extensions-Newsletter
Parent5446 updated subscribers of T15303: Implement HTML e-mail support in MediaWiki.

As a quick note for both this task in general and for @rosalieper and @Galorefitz, we spoke with @siebrand yesterday, and asked him about the two approaches for this task, i.e.:

Apr 3 2016, 7:19 AM · Outreach-Programs-Projects, Patch-For-Review, MediaWiki-Email

Apr 2 2016

Parent5446 added a comment to T131616: Cap the number of active newsletters per user.

To reduce the attack surface. If it's not limited you could just create a million of them and ruin the feature for everybody by making Special:Newsletters time out.

Apr 2 2016, 4:40 PM · Wikimedia-Hackathon-2016, Security-Reviews, MediaWiki-extensions-Newsletter
Parent5446 placed T131616: Cap the number of active newsletters per user up for grabs.

Weird, I don't remember claiming this in Phabricator. Although I can work on it if @01tonythomas wants.

Apr 2 2016, 2:58 PM · Wikimedia-Hackathon-2016, Security-Reviews, MediaWiki-extensions-Newsletter
Parent5446 added a comment to T131616: Cap the number of active newsletters per user.

The only interesting question about this is: what about users who are added as publishers to other newsletters by other people? Do we block a user from being added as a publisher when they reach the limit, or do we only block the creation of new newsletters?

Apr 2 2016, 2:56 PM · Wikimedia-Hackathon-2016, Security-Reviews, MediaWiki-extensions-Newsletter
Parent5446 claimed T131616: Cap the number of active newsletters per user.
Apr 2 2016, 2:54 PM · Wikimedia-Hackathon-2016, Security-Reviews, MediaWiki-extensions-Newsletter
Parent5446 moved T131616: Cap the number of active newsletters per user from Backlog to Feature complete on the MediaWiki-extensions-Newsletter board.
Apr 2 2016, 2:54 PM · Wikimedia-Hackathon-2016, Security-Reviews, MediaWiki-extensions-Newsletter
Parent5446 added a comment to T110552: Implement logging in Newsletter.

Yep I believe so, unless there are other logging actions we wanted implemented.

Apr 2 2016, 2:21 PM · Patch-For-Review, Wikimedia-Hackathon-2016, MediaWiki-extensions-Newsletter

Apr 1 2016

Parent5446 created T131509: GroupElement infinitely recurses when there are zero members and you try to add one.
Apr 1 2016, 2:42 PM · MW-1.27-release (WMF-deploy-2016-04-12_(1.27.0-wmf.21)), Wikimedia-Hackathon-2016, OOUI (OOjs-UI-0.16.5)
Parent5446 added a comment to T131445: 2FA seems to be broken on wmf.19.

Literally the only place that error message is used is in the AbortChangePassword hook...

Apr 1 2016, 9:33 AM · Wikimedia-Hackathon-2016, MW-1.27-release (WMF-deploy-2016-04-05_(1.27.0-wmf.20)), MW-1.27-release (WMF-deploy-2016-03-29_(1.27.0-wmf.19)), wikitech.wikimedia.org, MediaWiki-extensions-OATHAuth, Cloud-Services
Parent5446 added a comment to T131445: 2FA seems to be broken on wmf.19.

@Reedy Just so I know all the details, were you logged in already? And I presume your account has 2FA enabled on it?

Apr 1 2016, 9:16 AM · Wikimedia-Hackathon-2016, MW-1.27-release (WMF-deploy-2016-04-05_(1.27.0-wmf.20)), MW-1.27-release (WMF-deploy-2016-03-29_(1.27.0-wmf.19)), wikitech.wikimedia.org, MediaWiki-extensions-OATHAuth, Cloud-Services
Parent5446 added a comment to T131445: 2FA seems to be broken on wmf.19.

@Reedy I cannot seem to reproduce this locally. Could you provide some reproduction steps? I've tried visiting Special:Userrights and other restricted pages while logged in and it did not bother me. All other functionality seemed to be working as expected.

Apr 1 2016, 9:14 AM · Wikimedia-Hackathon-2016, MW-1.27-release (WMF-deploy-2016-04-05_(1.27.0-wmf.20)), MW-1.27-release (WMF-deploy-2016-03-29_(1.27.0-wmf.19)), wikitech.wikimedia.org, MediaWiki-extensions-OATHAuth, Cloud-Services

Feb 24 2016

Parent5446 added a comment to T128017: Outreachy Proposal for T1503: Implement HTML e-mail support in MediaWiki.

Macro votecat:

Feb 24 2016, 9:33 PM · Outreachy-Round-12, MediaWiki-Email

Jan 9 2016

Parent5446 changed the visibility for T123147: Wikipedia.com warns about bad certificate.
Jan 9 2016, 12:18 AM · Security, Operations
Parent5446 changed the visibility for T123147: Wikipedia.com warns about bad certificate.
Jan 9 2016, 12:17 AM · Security, Operations
Parent5446 added a comment to T123147: Wikipedia.com warns about bad certificate.

Making public since the main bug this is a duplicate of is already public.

Jan 9 2016, 12:17 AM · Security, Operations
Parent5446 updated subscribers of T42998: https://wikipedia.com and similar throw certificate warning.
Jan 9 2016, 12:16 AM · Traffic, Operations, HTTPS
Parent5446 merged task T123147: Wikipedia.com warns about bad certificate into T42998: https://wikipedia.com and similar throw certificate warning.
Jan 9 2016, 12:16 AM · Security, Operations
Parent5446 added a comment to T123147: Wikipedia.com warns about bad certificate.

For some reason "wikipedia.com", and probably any other redirect domains the WMF owns, are not alt names on the certificate.

Jan 9 2016, 12:15 AM · Security, Operations
Parent5446 added a comment to T123147: Wikipedia.com warns about bad certificate.

I have confirmed this in Chrome and Firefox. No warnings in Safari.

Jan 9 2016, 12:09 AM · Security, Operations

Jan 7 2016

Parent5446 added a comment to T5348: Passwords should be checked for strength before being set.

Some related tasks: T46788, T18435, T32574, T19544

Jan 7 2016, 12:03 AM · MediaWiki-User-login-and-signup
Parent5446 added a comment to T5348: Passwords should be checked for strength before being set.

I think this bug can probably be closed since the technical requirements have been fulfilled. However, I still think we should actually apply a specific strong policy to accounts.

Jan 7 2016, 12:02 AM · MediaWiki-User-login-and-signup

Nov 19 2015

Dalba awarded T5233: Send a cookie with each block a Mountain of Wealth token.
Nov 19 2015, 7:29 AM · MW-1.29-release-notes, Community-Tech, User-notice, Trust-and-Safety, MediaWiki-Authentication-and-authorization, MediaWiki-User-management

Nov 7 2015

Parent5446 updated subscribers of T117686: Select participants for Outreachy round 11 by 2015-11-11.

@01tonythomas Just want to clarify. Should we as the mentors be rating these projects right now in the Outreachy application? And if so do we need to alter the Contribution status as well?

Nov 7 2015, 11:47 AM · Outreachy-Round-11, DevRel-November-2015

Oct 28 2015

Parent5446 added a comment to T15303: Implement HTML e-mail support in MediaWiki.

I do not think @VitaliyFilippov's patches and the Outreachy project are mutually exclusive. First, I want to echo @Aklapper and just say thanks to @VitaliyFilippov. Patches are always welcome, and save us a bit of work!

Oct 28 2015, 10:02 PM · Outreach-Programs-Projects, Patch-For-Review, MediaWiki-Email

Oct 26 2015

Parent5446 created T116641: Removal of 2FA for Parent5446.
Oct 26 2015, 6:46 PM · Phabricator

Sep 9 2015

Gerrit Code Review <gerrit@wikimedia.org> committed rMEXT0bbfef8c5aed: Updated mediawiki/extensions Project: mediawiki/extensions/Babel… (authored by Parent5446).
Sep 9 2015, 6:16 AM

Sep 4 2015

Parent5446 added a comment to T5233: Send a cookie with each block.

Just to clarify, that is completely false (in regards to the cookie being "malware").

Sep 4 2015, 5:12 AM · MW-1.29-release-notes, Community-Tech, User-notice, Trust-and-Safety, MediaWiki-Authentication-and-authorization, MediaWiki-User-management

Aug 25 2015

Parent5446 added a comment to T109140: Special:UserLogin?returnto=interwiki:foo will redirect to external sites.

My only concern with this would be if there are any remaining browsers that preserve the HTTP method with 302 response codes. IE will only do so with non-POST/HEAD methods like DELETE and PUT, so there's nothing to worry about there.

Aug 25 2015, 7:08 AM · Patch-For-Review, Security, Privacy, MediaWiki-User-login-and-signup

Aug 11 2015

Gerrit Code Review <gerrit@wikimedia.org> committed rMEXT470f76065ca8: Updated mediawiki/extensions Project… (authored by Parent5446).
Aug 11 2015, 7:02 PM

Aug 4 2015

Parent5446 removed a project from T105781: Extension to use Mailgun API to send emails: Patch-For-Review.
Aug 4 2015, 6:20 PM · MediaWiki-extension-requests
Parent5446 closed T105781: Extension to use Mailgun API to send emails as Resolved.
Aug 4 2015, 6:20 PM · MediaWiki-extension-requests

Jul 23 2015

Parent5446 updated subscribers of T807: Investigate javascript library management options.
Jul 23 2015, 2:50 AM · User-bd808, Librarization

Jul 1 2015

Parent5446 added a comment to T45646: "MediaWiki:Copyright" message allows raw HTML.

I agree that we should continue to have messages not be raw HTML, but that is a more general issue, and it does not really justify having an individual bug for every message that needs to be parse-ified.

Jul 1 2015, 3:16 AM · MW-1.32-notes (WMF-deploy-2018-08-28 (1.32.0-wmf.19)), Vuln-XSS, MediaWiki-General-or-Unknown, Security
Parent5446 added a comment to T45646: "MediaWiki:Copyright" message allows raw HTML.

Is there any consensus about whether a fix for this needs to be made (i.e., throw it through the parser and make a workaround for the little things)? Or can we close it as invalid considering, as has been noted, this is the least of our concerns with admin powers.

Jul 1 2015, 2:26 AM · MW-1.32-notes (WMF-deploy-2018-08-28 (1.32.0-wmf.19)), Vuln-XSS, MediaWiki-General-or-Unknown, Security

Jun 25 2015

Parent5446 added a comment to T100924: Split MWTimestamp into a separate library.

Mhm, I agree. Just wanted to make sure. The interface you posted looks good. I'm assuming the intention is to make it a value object. Should we have transformation functions? Like ->add( Timestamp $other ), which returns a new Timestamp?

Jun 25 2015, 8:11 PM · MW-1.29-release-notes, MediaWiki-General-or-Unknown, Librarization