In T199118#4808463, @Leaderboard wrote:

Not in favour of this change, considering the potential issues with 2FA (5 scratch codes that're displayed one-time? That's too little).

In T131788#4808465, @Leaderboard wrote:

A better solution is for MW to just list out the remaining scratch codes left.

Reward who? How? With what? Why?

Based on https://github.com/bjeavons/zxcvbn-php/pull/32 (seems a mismatch with the dropbox js version as detailed in https://github.com/bjeavons/zxcvbn-php/issues/15 ) the upstream might not be very active, and it has actually been forked... https://github.com/mkopinsky/zxcvbn-php and https://packagist.org/packages/mkopinsky/zxcvbn-php

It's because it's something added in wmf-config

In T200391#4807816, @Xaosflux wrote:

Can a batch fix of moving them all to Project/Project_talk just be done?

In T200391#4807778, @Wbm1058 wrote:

Might be best to discuss this on wiki as any mass solution will likely require a bot, needing approval at WP:BRFA

In T207432#4807188, @JJMC89 wrote:

I stand corrected. It looks like 405531 only created the messages for the tag but the tag isn't enabled. @Reedy Is is possible to automatically enable the tag of all WMF projects?

I guess it's very much a "no silver bullet" thing. Why Facebook, Google et al offer so many different options

There are "desktop" 2FA apps... I wonder if we should do a bit more research into them. Stuff that's desktop apps, browser extensions... that can also do 2FA code generations

In T150902#4806653, @Tgr wrote:

I imagine it's also more complex legally

In T150902#4806653, @Tgr wrote:

I don't want to downplay the potential problems with this (I imagine it's also more complex legally), OTOH if we want all admins to use 2FA (do we? I personally don't see the point but I think I saw it mentioned somewhere) it might be the only realistic opion.

https://blog.vasco.com/authentication/sms-authentication/ "NIST Softens Guidance on SMS Authentication" (about a year later)

In T211420#4806434, @MarcoAurelio wrote:

Do we have a way to commit more than 10 patches at once with git review?

In T211420#4805905, @MarcoAurelio wrote:

I'd prefer to revert because those patches should get a proper review IMHO. The revert patches are all now uploaded to gerrit and are waiting for review (they all are submitted together so they should bring the repo back to what it was before adding codesniffer and the fixes).

As discussed on IRC.. If the tests are passing, at this point, it might be less disruptive to just leave the commits, not revert them, don't change the HEAD pointer.... And then at worse make a fix up commit ontop and push it via gerrit

Go forth and fix!

There were already many tasks related to this problem, but all were closed without actually solving the problem: T57559, T136468, T144390, T210384, etc.

Do also note, a script is run at least monthly to recalculate the number of articles, so there can be weird jumps occasionally depending on changes done to a page

In T211363#4805290, @Justinacolmena wrote:

It's nice to have all the dependencies conveniently installed by the package manager, but for something like this that just goes in a web directory, it should be just as easy to install directly via git or unpacking a tarball, except now I remember going back and forth between the web install to tell me about the missing dependencies and the O/S package manager to track them down and actually install them. Quite a number of PHP subpackages, at any rate.

For EducationProgram the extension is undeployed, so for all intents and purposes as you say, you don't need to do anything with it

Isn't this expected behaviour and you just need to json_decode() (in PHP for example) the output

Thanks for the report. Unfortunately MediaWiki 1.29 is unsupported since September 2018. See https://www.mediawiki.org/wiki/Version_lifecycle for more information

What do you think the count should be?

In T166622#4803222, @Liuxinyu970226 wrote:

@Tgr and @Reedy, yep, this task is directly related to the #10 of #community-wishlist-survey-2019: 2FA available for all concerned editors

In T166622#4805023, @Tgr wrote:

In T166622#4802614, @Reedy wrote:

Ideally, IMHO, being able to do a device swap without disabling and re-enabling should be in there too (not sure where the task is for that straight off)

I guess that's T172079: Allow OATHAuth users with 2FA already enabled to add / switch devices without disabling? (that title is not super helpful)

We have implementations, but often google type dependencies....

And for your bullet points, we can hopefully grab the little improvements in point releases in the near future

My thinking right now is that we somehow/somewhere declare that Guzzle isn't part of the stable interface, and extensions need to use the MW abstraction layer instead (this seems like a good idea regardless given T202143#4802539). Does that seem reasonable?

Ideally, IMHO, being able to do a device swap without disabling and re-enabling should be in there too (not sure where the task is for that straight off)

In T202143#4802539, @Legoktm wrote:

The only minor security thing I noticed was that MediaWiki's HTTP stuff does not follow redirects by default, while Guzzle will follow 5 layers of redirects by default. So as long as everyone continues to use the MediaWiki abstraction layer, the defaults should still be as strict as we want them.

? How long? 10 characters?

Pretty sure it’s waiting for review (from security too)

Making MW have sane defaults and follow best practices doesn't/shouldn't really need much approval. It's trivially easy to disable it people so desire

Easy to fix...

Looks like some possible test failures in core that need addressing, but that's irrelevant to this review

No longer blocked by T202143: Security review for Guzzle 6.3.3

I'm happy for this to go ahead.

So doing some poking around here... We end up with a few extra other libraries, which is fine, just a bit more poking around needed.

In T204477#4749187, @Urbanecm wrote:

@Reedy: Can you create initial bureaucrat user for User:Satdeep_Gill@SUL and send them a password? Thank you!

Sorry for the delay @Raystorm I've been travelling

In T151425#4795744, @TBolliger wrote:

I'm fairly confident the plan is for all new passwords to be outside 100,000. This is based on this permissioned Google Doc authored by @JBennett. It was last edited Nov. 1 so other decisions/discussions may supercede this.

Ping @JBennett! 🛎

In T151425#4795071, @TBolliger wrote:

This appears to be live on production for admins only: https://en.wikipedia.org/wiki/Special:PasswordPolicies

In T210919#4793948, @Ladsgroup wrote:

In T210919#4792673, @Legoktm wrote:

We should use Special:log like normal, but restrict it to people with whatever right (as @MarcoAurelio suggested). We already do it with the suppression log, and used to do it with the spamblacklist log.

That sounds good, is there any chance that CU logs also use the built-in logging too? It reinvents its own logging wheel.

In T210919#4792531, @Krenair wrote:

Are we at least logging this stuff to fluorine/logstash right now?

It's responding like your account is "missing" on testwiki

We currently don't really have a place for logging sensitive stuff like this stuff onwiki (and then replicating to labs adds some complexity). And I don't think it should be public to the masses that a user has disabled 2FA for another user for obvious reasons

That’s what degrade/temp remove means. Make MW do it on the fly, not actually removing the membership

As with all wikis, things take a little time to be processed by the job runners. Changes wouldn't appear immediately, but if they're still not appearing automatically after a reasonable amount of time, there's potentially an issue to look at

We don't use $wgJobRunRate on WMF wikis...

@bd808 per your comment on the other bug...

Reverted due to some monolog (or our additional functions) issues

Same IP going back, 161.30.203.16

In T205710#4780570, @Ooswesthoesbes wrote:

The statistics of the Limburgish Wikinews look like they need updating. It currently says there are 49 pages, while I think that should be more. Can they also be included here?

If there is a button to remove a single item in the list, why not a button for the entire list?

In T151425#4774828, @TBolliger wrote:

Does the patch above just increase the amount of passwords in the library, or does it also enforce 100,000 on account creation?

Unless I’ve missed something... where are we proposing to stop lowercase only passwords?

In T209819#4758709, @bd808 wrote:

This table does not contain any private data and it should be exposed to the replicas.

@dmaza, can you be the person in charge of getting someone from the Security team to validate this claim on this ticket?

Fixed by changing the content model to something else and back again... We get a few of these weird edge cases from time to time

In T151010#4751687, @Bawolff wrote:

This task already is public.

In T209132#4750934, @Whatamidoing-WMF wrote:

@Reedy should know the answer, since he made AWB add tags. :-)

In T209483#4749698, @MF-Warburg wrote:

Another issue: I didn't receive a mail from the newprojects list yesterday, so today I resubscribed, thinking that maybe I had somehow been unsubscribed. I then received a notification that I was already subscribed, and immediately the mail from yesterday arrived. Related?

It errored trying to create them due to T209483: Got connection to 'yuewiktionary', but expected local domain ('aawiktionary').