Tgr (Gergő Tisza)
Software Engineer, WMF Reading

Projects (38)


User Details

User Since: Sep 19 2014, 4:55 PM (217 w, 4 d)
Availability: Available
IRC Nick: tgr
LDAP User: Gergő Tisza
MediaWiki User: Tgr (WMF) [Global Accounts]

Things my team is working on: Reading-Infrastructure-Team-Backlog (kanban board)
Side projects I am working on (or planning to, eventually): User-Tgr
You can find more info about me on my user page.

Recent Activity

Yesterday

Tgr added a comment to T71237: Use of SVG nominal size in MMV.

If you are an editor I can see that as being interesting, but as a learner I could find that distracting if what I actually wanted to do was select some text which happens to be positioned by the icon.

Tue, Nov 20, 10:24 PM · Google-Code-in-2018, Multimedia, goodfirstbug, MediaWiki-extensions-MultimediaViewer
Tgr added a comment to T209924: Introduce PageTypeHandler.

A page's "type" is determined solely by its title, regardless of database state.

Tue, Nov 20, 10:18 PM · Core Platform Team Kanban, Core Platform Team (MCR), Multi-Content-Revisions (New Features)
Tgr added a comment to T209923: Surface hidden and "undefined" slots via a single slot view.

The view action expects rendered content, and the fallback handler has no knowledge of how to render its content, so it should use the raw action instead.

Tue, Nov 20, 9:22 PM · Core Platform Team (MCR), Core Platform Team Backlog (Next), Wikidata
Tgr updated the task description for T209923: Surface hidden and "undefined" slots via a single slot view.
Tue, Nov 20, 9:21 PM · Core Platform Team (MCR), Core Platform Team Backlog (Next), Wikidata
Tgr removed projects from T128358: Uploading 1.2GB ogv results in 503: Traffic, Operations.

I doubt much can be done about this on the MediaWiki side (other than a better error message) so probably those tools need to switch to async uploading. Vicuna's issue tracker is [https://github.com/yarl/vicuna/issues here], Pywikipedia already has a task (T129216: Pywikibot should support async chunked uploading), couldn't find the place for reporting the other two.

Tue, Nov 20, 9:13 AM · Multimedia, Wikimedia-Video, MediaWiki-Uploading
Tgr added a comment to T128358: Uploading 1.2GB ogv results in 503.

If this really is a Pywikibot problem, it probably helps with prioritization if the relevant project is tagged.

Tue, Nov 20, 12:40 AM · Multimedia, Wikimedia-Video, MediaWiki-Uploading

Mon, Nov 19

Tgr added a comment to T208777: Decide how to factor notification-related methods out of User and Title.

Related: T128351: RfC: Notifications in core

Mon, Nov 19, 10:39 PM · Core Platform Team Backlog (Later), Core Platform Team ( Code Health (TEC13))
Tgr added a project to T208768: Create a PermissionManager service: MediaWiki-Authentication-and-authorization.

Maybe a good time to also fix T180888: All permission checks should be able to return a custom error message?

Mon, Nov 19, 10:38 PM · MediaWiki-Authentication-and-authorization, Core Platform Team Backlog (Later), MediaWiki-User-management, Core Platform Team ( Code Health (TEC13))
Tgr closed T204269: Create unit tests for Reading lists API classes, a subtask of T184544: [EPIC] Write integration tests for ReadingLists extension, as Resolved.
Mon, Nov 19, 5:45 PM · Reading-Infrastructure-Team-Backlog, Test-Coverage, Technical-Debt, Reading List Service
Tgr closed T204269: Create unit tests for Reading lists API classes as Resolved.

Thanks @MSantos!

Mon, Nov 19, 5:45 PM · MW-1.32-notes (WMF-deploy-2018-10-16 (1.32.0-wmf.26)), Reading-Infrastructure-Team-Backlog (Kanban), Test-Coverage, Technical-Debt, Reading List Service
Tgr added a comment to T209224: Analyze effect of huwiki FlaggedRevs configuration change on problematic edits and new user retention.

Registrations:

[Charts: new registrations, daily; running average, 45 days; diff in running average]

(with apologies to everyone who actually knows how to do statistics)

Mon, Nov 19, 8:42 AM · User-Tgr
Tgr added a comment to T209224: Analyze effect of huwiki FlaggedRevs configuration change on problematic edits and new user retention.

@Tgr: Who to analyze this?

Mon, Nov 19, 8:26 AM · User-Tgr
Tgr added a comment to T190707: Creation of tools with wikimedia-related names blocked by global title blacklist.

Just put the exact name into the title whitelist (make sure you use start/end anchors). Or add a blacklist override checkbox in Striker, but I imagine there are more Wikitech admins (or people who can become one if needed) than Striker admins.

Mon, Nov 19, 3:44 AM · Striker
Tgr created T209806: TitleBlacklist should have its own content type.
Mon, Nov 19, 3:43 AM · TitleBlacklist

Sat, Nov 17

Tgr closed T163242: git-review fails with "The requested URL /changes/ was not found on this server." as Resolved.

I'll call this done. (Thanks for the help @Paladox!)

Sat, Nov 17, 12:14 AM · Patch-For-Review, Gerrit, MediaWiki-Vagrant

Fri, Nov 16

Tgr closed T151010: Add logging to OATHAuth as Resolved.
Fri, Nov 16, 6:54 PM · MW-1.33-notes (1.33.0-wmf.6; 2018-11-27), Restricted Project, Wikistorm, Patch-For-Review, MediaWiki-extensions-OATHAuth

Thu, Nov 15

Tgr added a comment to T163242: git-review fails with "The requested URL /changes/ was not found on this server.".

On a closer look this is a problem with Vagrant. git-review (in 1.27 at least) uses git config --get remote.origin.url to get the base URL; admin pages on gerrit currently use https://gerrit.wikimedia.org/r/<project> but Vagrant uses https://gerrit.wikimedia.org/r/p/<project> instead (which is apparently the legacy URL, it does work for git clone but confuses git-review).

Thu, Nov 15, 10:10 PM · Patch-For-Review, Gerrit, MediaWiki-Vagrant
Tgr added a comment to T163242: git-review fails with "The requested URL /changes/ was not found on this server.".

I get the same error with 1.26 and even 1.27 (also without vagrant). The error message is different (ValueError: No JSON object could be decoded and a stack trace) but the issue is the same: request goes to https://gerrit.wikimedia.org/r/p/changes/?q=469878&o=CURRENT_REVISION and that just gets redirected to https://gerrit.wikimedia.org/r/#/q/status%3Aopen+project%3Achanges

Thu, Nov 15, 9:49 PM · Patch-For-Review, Gerrit, MediaWiki-Vagrant
Tgr added a comment to T151010: Add logging to OATHAuth.

Eh, sorry. This new task type got me all confused.

Thu, Nov 15, 8:11 PM · MW-1.33-notes (1.33.0-wmf.6; 2018-11-27), Restricted Project, Wikistorm, Patch-For-Review, MediaWiki-extensions-OATHAuth
Tgr added a comment to T151010: Add logging to OATHAuth.

Any objections to making this task public? There is nothing sensitive about logging, and private patches tend to linger forever without getting review / getting deployed.

Thu, Nov 15, 8:01 PM · MW-1.33-notes (1.33.0-wmf.6; 2018-11-27), Restricted Project, Wikistorm, Patch-For-Review, MediaWiki-extensions-OATHAuth
Tgr edited subtasks for T197160: All security-sensitive MediaWiki functionality should require elevated security, added: Unknown Object (Task); removed: T197156: Creating OAuth owner-only consumers should require elevated security.
Thu, Nov 15, 7:40 PM · Security, User-Tgr, Epic, MediaWiki-Authentication-and-authorization, Security-General
Tgr removed a parent task for T197156: Creating OAuth owner-only consumers should require elevated security: T197160: All security-sensitive MediaWiki functionality should require elevated security.
Thu, Nov 15, 7:40 PM · Security, MediaWiki-extensions-OAuth, Security-Extensions
Tgr merged task T197156: Creating OAuth owner-only consumers should require elevated security into Restricted Task.
Thu, Nov 15, 7:38 PM · Security, MediaWiki-extensions-OAuth, Security-Extensions
Tgr added a subtask for T150898: Force OATHAuth (2FA) for certain user groups in Wikimedia production: Unknown Object (Task).
Thu, Nov 15, 7:33 PM · Stewards-and-global-tools, Wikimedia-Site-requests, MediaWiki-User-login-and-signup, Security
Tgr added a comment to T150898: Force OATHAuth (2FA) for certain user groups in Wikimedia production.

Wikitech accounts in general are fairly harmless. The danger there is taking over a developer account and adding SSH keys, I suppose.

Thu, Nov 15, 7:32 PM · Stewards-and-global-tools, Wikimedia-Site-requests, MediaWiki-User-login-and-signup, Security
Tgr updated the task description for T150898: Force OATHAuth (2FA) for certain user groups in Wikimedia production.
Thu, Nov 15, 7:31 PM · Stewards-and-global-tools, Wikimedia-Site-requests, MediaWiki-User-login-and-signup, Security
Tgr updated the task description for T150898: Force OATHAuth (2FA) for certain user groups in Wikimedia production.
Thu, Nov 15, 7:28 PM · Stewards-and-global-tools, Wikimedia-Site-requests, MediaWiki-User-login-and-signup, Security
Tgr updated the task description for T197160: All security-sensitive MediaWiki functionality should require elevated security.
Thu, Nov 15, 7:05 PM · Security, User-Tgr, Epic, MediaWiki-Authentication-and-authorization, Security-General
Tgr added a subtask for T197160: All security-sensitive MediaWiki functionality should require elevated security: Unknown Object (Task).
Thu, Nov 15, 6:57 PM · Security, User-Tgr, Epic, MediaWiki-Authentication-and-authorization, Security-General
Tgr added a comment to T208769: Ensure that AbuseFilter applies to the content of all MCR slots.

I doubt there's much benefit in lazy-loading, these filters typically run on page save when all the content slots are in memory anyway.

Thu, Nov 15, 8:00 AM · Core Platform Team Kanban, AbuseFilter, Multi-Content-Revisions (Tech Debt), Core Platform Team (MCR), SDC Engineering
Tgr added a project to T209556: In AuthManager, avoid encrypted storage of the password in the session: Security.

I imagine this would take the form of a new PrimaryAuthenticationProvider method (as it would not be useful for pre-auth providers which are only called on the initial request, nor for secondaries which can only take useful action when the identity of the user has been established by a primary) that's called somewhere at the end of beginAuthentication() - after the preauth checks have passed but before the beginPrimaryAuthentication() calls.

Thu, Nov 15, 7:57 AM · Security, MediaWiki-Authentication-and-authorization

Wed, Nov 14

Tgr added a comment to T208769: Ensure that AbuseFilter applies to the content of all MCR slots.

We could in the future allow users to specify which slots and/or which models each filter should apply to

Wed, Nov 14, 8:39 PM · Core Platform Team Kanban, AbuseFilter, Multi-Content-Revisions (Tech Debt), Core Platform Team (MCR), SDC Engineering
Tgr added a comment to T208769: Ensure that AbuseFilter applies to the content of all MCR slots.

Replacing strings-pretending-to-be-arrays with actual arrays would almost certainly be a breaking change. How should AF handle breaking changes? (Versioning? Something akin to deprecation warnings? Just hope that filter maintainers will deal with it?)

Wed, Nov 14, 7:36 PM · Core Platform Team Kanban, AbuseFilter, Multi-Content-Revisions (Tech Debt), Core Platform Team (MCR), SDC Engineering
Tgr added a comment to T208769: Ensure that AbuseFilter applies to the content of all MCR slots.

Arrays are an abomination in AbuseFilter, I don't think it's a good idea to expose them more in their current form. Also for sane handling of arbitrary slots (not an SDC blocker but needed eventually) you'd need associative arrays.
Although if separate variables are used instead then you'd need variable variables, that's not much nicer either. (Or a function returning slots by name; that has sane syntax but doesn't really fit the current concept of functions.)

Wed, Nov 14, 5:43 PM · Core Platform Team Kanban, AbuseFilter, Multi-Content-Revisions (Tech Debt), Core Platform Team (MCR), SDC Engineering
Tgr added a comment to T173214: Support GraphQL Queries across Wikimedia.

I also noticed that the Action API uses a lot of enums for values... should the server maintain a list of these values?

Wed, Nov 14, 2:14 AM · Patch-For-Review, Developer-Wishlist, MediaWiki-extensions-WikibaseRepository, Wikidata.org, Wikidata

Sun, Nov 11

Liuxinyu970226 awarded T128060: VisualEditor makes it easy to create partially linked words, when the user expects a fully linked one a Like token.
Sun, Nov 11, 6:59 AM · VisualEditor
Tgr added a comment to T121995: Switch FlaggedRevs on Hungarian Wikipedia to a "flagged protection" mode.

Filed T209224: Analyze effect of huwiki FlaggedRevs configuration change on problematic edits and new user retention for looking into what impact the change had.

Sun, Nov 11, 4:12 AM · User-Tgr, Patch-For-Review, Wikimedia-Site-requests, MediaWiki-extensions-FlaggedRevs
Tgr moved T209224: Analyze effect of huwiki FlaggedRevs configuration change on problematic edits and new user retention from Backlog to Huwiki on the User-Tgr board.
Sun, Nov 11, 4:11 AM · User-Tgr
Tgr created T209224: Analyze effect of huwiki FlaggedRevs configuration change on problematic edits and new user retention.
Sun, Nov 11, 4:10 AM · User-Tgr

Sat, Nov 10

Tgr added a comment to T204160: Create a security issue task type with additional attributes.

Yeah, editing the task title and description (and adding a comment) is possible but none of the metadata fields (status, priority, assignee, tags, subscribers) are editable, except the workboard column.

I'm wondering if this isn't just fine tbh after the addition of Security

Sat, Nov 10, 5:38 PM · Release-Engineering-Team (Kanban), Security-Team, User-MModell, Phabricator

Thu, Nov 8

Tgr added a comment to T204160: Create a security issue task type with additional attributes.

Yeah, editing the task title and description (and adding a comment) is possible but none of the metadata fields (status, priority, assignee, tags, subscribers) are editable, except the workboard column.

Thu, Nov 8, 4:53 PM · Release-Engineering-Team (Kanban), Security-Team, User-MModell, Phabricator

Wed, Nov 7

MichaelSchoenitzer awarded T187749: Make it possible to use code from an external repository for editor-controlled Javascript/CSS a Love token.
Wed, Nov 7, 11:25 PM · Security, Wikimedia-Hackathon-2018, Patch-For-Review, MediaWiki-extension-requests, User-Tgr, Security-General, JavaScript, Gadgets

Tue, Nov 6

Tgr added a comment to T208901: TemplateStyles breaks a paragraph if a file is inserted inline.

So if I read things correctly, the wikitext of the paragraph is something like

abd {{comment|def}} ghi [[File:Foo.jpg|right|thumb|250px|jkl]]

which expands to

abd <templatestyles src="Template:Comment/styles.css" /><span class="ts-comment-commentedText">def</span> ghi [[File:Foo.jpg|right|thumb|250px|jkl]]

and the HTML is

<p>abc </p><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r93295199"/><p><span class="ts-comment-commentedText">def</span> ghi </p><div class="thumb tright">(lots of image markup)</div>
Tue, Nov 6, 9:43 PM · Parsoid, TemplateStyles, MediaWiki-Parser
Tgr added a watcher for MediaWiki-Decoupling: Tgr.
Tue, Nov 6, 6:47 PM
Tgr added a comment to T197158: CheckUser should require elevated security.

T197160#4723216 has some ideas on how to make this less annoying.

Tue, Nov 6, 1:08 AM · Security, Stewards-and-global-tools, CheckUser, Security-Extensions
Tgr added a comment to T197150: User right changes should require elevated security.

T197160#4723216 has some ideas on how to make this less annoying.

Tue, Nov 6, 1:07 AM · Security, Stewards-and-global-tools, MediaWiki-extensions-CentralAuth, MediaWiki-User-management, Security-Extensions, Security-Core
Tgr added a comment to T197160: All security-sensitive MediaWiki functionality should require elevated security.

If we make too many things require reauth then we run the risk of annoying users.

Tue, Nov 6, 1:05 AM · Security, User-Tgr, Epic, MediaWiki-Authentication-and-authorization, Security-General
Tgr created T208823: Support asynchronous reauthentication.
Tue, Nov 6, 1:04 AM · MediaWiki-Authentication-and-authorization, Security
Tgr added a subtask for T197153: Make some providers optional for reauthentication: T168557: "Keep me logged in" check box shouldn't be shown when a logged-in user is being verified.
Tue, Nov 6, 12:27 AM · Patch-For-Review, Security, MediaWiki-Authentication-and-authorization, Security-Core
Tgr edited parent tasks for T168557: "Keep me logged in" check box shouldn't be shown when a logged-in user is being verified, added: T197153: Make some providers optional for reauthentication; removed: T197160: All security-sensitive MediaWiki functionality should require elevated security.
Tue, Nov 6, 12:27 AM · Patch-For-Review, MediaWiki-Authentication-and-authorization
Tgr removed a subtask for T197160: All security-sensitive MediaWiki functionality should require elevated security: T168557: "Keep me logged in" check box shouldn't be shown when a logged-in user is being verified.
Tue, Nov 6, 12:27 AM · Security, User-Tgr, Epic, MediaWiki-Authentication-and-authorization, Security-General

Mon, Nov 5

Tgr added a comment to T100373: U2F integration for Extension:OATHAuth.

There are some PHP libraries, none from a trusted party though. As I said, I'm not sure whether U2F (for which there's a fairly authoritative PHP implementation from Yubikey) can be used instead.

Mon, Nov 5, 9:28 PM · MediaWiki-extensions-OATHAuth
Tgr added a comment to T100373: U2F integration for Extension:OATHAuth.

There seems to be a lot of confusion around this. This is my (possibly mis-) understanding, based on some googling:

  • Originally, there was the FIDO U2F standard which describes a Javascript interface between the website and the browser, various protocols (USB, NFC, Bluetooth etc) for the browser talking to the second-factor device, and a protocol for the device talking to the web server.
  • The website-to-browser and device-to-server part of the protocol is now superseded by WebAuthn, which is a W3C standard (CR) since two months ago. It also generalizes login flows - instead of a second factor, the device can now be single-factor (passwordless login) or one of multiple factors (e.g. hardware key + biometric identification device).
  • The browser-to-device part is now being superseded by FIDO2 CTAP (which also supports single-factor and multi-factor). This part doesn't really concern us.
  • The FIDO U2F API is supported by Chrome and Opera (desktop only), and supported behind a feature flag (security.webauth.u2f) by Firefox. The standard is superseded, so nothing else will support it. Here's a test page.
  • WebAuthn is supported by Chrome, Opera, Firefox and Edge (which un-feature-flagged it two months ago). Caniuse claims partial mobile support, not sure how reliable that is (Chrome on Android works fine for me). Here's a test page.
  • CTAP is backwards-compatible (it defines two protocols, CTAP1 for two-factor which is basically just U2F and CTAP2 for single-factor/multi-factor, which is not U2F-compatible), so all old devices (Yubikey etc) work with WebAuthn for second-factor but not the other flows. The Javascript part is not backwards-compatible. I'm not sure about the device-to-server protocol but I think it's also backwards compatible.
Mon, Nov 5, 9:12 PM · MediaWiki-extensions-OATHAuth
Tgr added a comment to T208769: Ensure that AbuseFilter applies to the content of all MCR slots.

One way to do this is to create a bunch of new variables for every slot - content, diff, links etc. The other way is to have a per-filter configuration setting so that a filter can apply to a specific slot. The first is more flexible but also makes filters more complicated / harder to read. (And then neither makes it possible to have filters that apply some criteria to every slot individually, unless you also add some way of iterating slots.) Probably a good idea to consult filter maintainers before making that decision (and to split the baseline and the ideal versions of this task as the baseline is pretty straightforward and the full version is not).

Mon, Nov 5, 8:05 PM · Core Platform Team Kanban, AbuseFilter, Multi-Content-Revisions (Tech Debt), Core Platform Team (MCR), SDC Engineering
Tgr updated the task description for T201848: Make DifferenceEngine callers pass revisions, not contents.
Mon, Nov 5, 5:59 PM · MW-1.33-notes (1.33.0-wmf.3; 2018-11-06), Core Platform Team Kanban, Multi-Content-Revisions (Tech Debt), Core Platform Team (MCR), MediaWiki-History-or-Diffs
Tgr created T208707: AuthManager::getAuthenticationRequests() and begin/continue* should be in the same authentication session.
Mon, Nov 5, 8:13 AM · MediaWiki-Authentication-and-authorization

Sun, Nov 4

Tgr added a parent task for T208668: Do not ask for password on reauthentication when 2FA is enabled: T197153: Make some providers optional for reauthentication.
Sun, Nov 4, 6:05 AM · MediaWiki-extensions-OATHAuth, MediaWiki-Authentication-and-authorization, Security
Tgr added a subtask for T197153: Make some providers optional for reauthentication: T208668: Do not ask for password on reauthentication when 2FA is enabled.
Sun, Nov 4, 6:05 AM · Patch-For-Review, Security, MediaWiki-Authentication-and-authorization, Security-Core
Tgr created T208668: Do not ask for password on reauthentication when 2FA is enabled.
Sun, Nov 4, 6:04 AM · MediaWiki-extensions-OATHAuth, MediaWiki-Authentication-and-authorization, Security
Tgr created T208667: Tie reauthentication (login with elevated security) to a specific security level.
Sun, Nov 4, 4:45 AM · Patch-For-Review, MediaWiki-Authentication-and-authorization, Security

Sat, Nov 3

Tgr added a comment to T203924: Cannot translate some messages because of new interface-admin requirements.

It's listed in $wgRawHtmlMessages.

Sat, Nov 3, 7:00 PM · translatewiki.net

Fri, Nov 2

Tgr added a subtask for T202244: CentralNotice provides a means for non interface-admins to bypass new CSS/JS restrictions: Unknown Object (Task).
Fri, Nov 2, 11:48 PM · Fr-CentralNotice-translations, Fundraising-Backlog, MediaWiki-extensions-CentralNotice, Trust-and-Safety, Security, JavaScript, Security-Core
Tgr added a comment to T190015: Create separate user group for editing sitewide CSS/JavaScript that does not include administrators by default.

This caused T203924: Cannot translate some messages because of new interface-admin requirements (on the net probably a good thing).

Fri, Nov 2, 11:43 PM · MW-1.32-notes (WMF-deploy-2018-08-28 (1.32.0-wmf.19)), User-Tgr, Trust-and-Safety, Wikimedia-General-or-Unknown, Patch-For-Review, Security, JavaScript, Security-Core
Tgr added a comment to T203924: Cannot translate some messages because of new interface-admin requirements.

The copyright message is going to be deprecated; see T45646: "MediaWiki:Copyright" message allows raw HTML and the pending patch there.

Fri, Nov 2, 11:42 PM · translatewiki.net
Tgr added a comment to T60663: media viewer doesn't preserve thumbnail options like svg language.

This seems to work now, at least for SVGs (and I'm not sure what other usecases we have, given that PDF/DjVu are not supported at all) - the example in the task description is confusing due to T64039: MediaViewer confuses different instances of the same image on the same page but see e.g. https://eu.wikipedia.org/wiki/Azelerazio

Fri, Nov 2, 8:35 PM · Multimedia, MediaWiki-extensions-MultimediaViewer
Tgr added a comment to T208564: [Spike 4 hour] [BUG] MediaViewer ignores thumbnail options when using API provider for thumbnails.

Actually a different bug from T60663: media viewer doesn't preserve thumbnail options like svg language (which seems to have been fixed somewhere along the line, at least for SVGs) - the URL guessing provider (mmv.provider.GuessedThumbnailInfo.js) preserves the language but the API-based provider does not. So language detection would work in Wikimedia production but not on most other wikis.

Fri, Nov 2, 8:32 PM · Community-Tech, I18n, MediaWiki-extensions-MultimediaViewer, Multimedia
Tgr renamed T208564: [Spike 4 hour] [BUG] MediaViewer ignores thumbnail options when using API provider for thumbnails from [BUG] MMV should show SVGs in language of the page, not English to [BUG] MediaViewer ignores thumbnail options when using API provider for thumbnails.
Fri, Nov 2, 8:30 PM · Community-Tech, I18n, MediaWiki-extensions-MultimediaViewer, Multimedia
Tgr updated the task description for T60663: media viewer doesn't preserve thumbnail options like svg language.
Fri, Nov 2, 8:24 PM · Multimedia, MediaWiki-extensions-MultimediaViewer
Tgr updated the task description for T60663: media viewer doesn't preserve thumbnail options like svg language.
Fri, Nov 2, 8:21 PM · Multimedia, MediaWiki-extensions-MultimediaViewer
Tgr merged T77225: Handle SVG options into T60663: media viewer doesn't preserve thumbnail options like svg language.
Fri, Nov 2, 8:18 PM · Multimedia, MediaWiki-extensions-MultimediaViewer
Tgr merged task T77225: Handle SVG options into T60663: media viewer doesn't preserve thumbnail options like svg language.
Fri, Nov 2, 8:18 PM · Multimedia, MediaWiki-extensions-MultimediaViewer
Tgr merged T208564: [Spike 4 hour] [BUG] MediaViewer ignores thumbnail options when using API provider for thumbnails into T60663: media viewer doesn't preserve thumbnail options like svg language.
Fri, Nov 2, 8:18 PM · Multimedia, MediaWiki-extensions-MultimediaViewer
Tgr merged task T208564: [Spike 4 hour] [BUG] MediaViewer ignores thumbnail options when using API provider for thumbnails into T60663: media viewer doesn't preserve thumbnail options like svg language.
Fri, Nov 2, 8:18 PM · Community-Tech, I18n, MediaWiki-extensions-MultimediaViewer, Multimedia

Thu, Nov 1

Tgr added a comment to T208539: Upload failed with fatal error: Call to load() on a non-object in UploadBase.php.

At a glance this happens when files are uploaded with an invalid target name.

Thu, Nov 1, 9:17 PM · Multimedia, MediaWiki-Uploading, Wikimedia-production-error
Tgr added a comment to T171563: Only allow MediaWiki, Gadget, and User namespace pages to be treated as JS or CSS (no project namespace, etc.).

Currently the condition for applying a JS-based permission check is (in MediaWiki namespace AND (has .js extension OR JS content type)) OR (in User namespace AND has JS content type). The condition for allowing the page to be loaded as a script URL is (in MediaWiki namespace OR in User namespace OR protected) (also if it's in the User namespace the user must exist, but that's a different topic).

Thu, Nov 1, 5:30 PM · Security, Security-team-backlog, MediaWiki-Page-protection, JavaScript
Tgr added a comment to T171563: Only allow MediaWiki, Gadget, and User namespace pages to be treated as JS or CSS (no project namespace, etc.).

That would break maintenance of all userspace user scripts, including those people create or want to create for their own personal use. to the point where I think people would break out the torches and pitchforks if we tried that.

Thu, Nov 1, 4:29 PM · Security, Security-team-backlog, MediaWiki-Page-protection, JavaScript
Tgr created T208477: Move "privileged account" concept into MediaWiki core.
Thu, Nov 1, 4:02 AM · MediaWiki-Debug-Logger, MediaWiki-Authentication-and-authorization, Security
Tgr added a comment to T171563: Only allow MediaWiki, Gadget, and User namespace pages to be treated as JS or CSS (no project namespace, etc.).

Is this fixed, given the announcement in https://meta.wikimedia.org/wiki/Tech/News/2018/40?

Thu, Nov 1, 3:35 AM · Security, Security-team-backlog, MediaWiki-Page-protection, JavaScript
Tgr added a comment to T171563: Only allow MediaWiki, Gadget, and User namespace pages to be treated as JS or CSS (no project namespace, etc.).

An alternative approach (which maybe requires less effort on the community side) would be to refuse loading anything that does not have the appropriate content model, and require editsitejs and similar permissions based on the content model (and on not being in userspace).

Thu, Nov 1, 3:32 AM · Security, Security-team-backlog, MediaWiki-Page-protection, JavaScript

Wed, Oct 31

Tgr added a comment to T193846: Publish analysis of sustained login attack of 3 May 2018.

There was a blog post about the attack. Presumably this task can be closed?

Wed, Oct 31, 10:34 PM · Security-Team
Tgr added a comment to T193769: Thousands of failed login attempts (wrong password).

Is there anything actionable in this task? If not, it probably should be closed and the generic suggestions about login hardening moved to a generic tracking task.

Wed, Oct 31, 10:31 PM · Security-Team
Tgr added a comment to T208443: User cannot log in with OAuth on a wiki before visiting that wiki directly.

If it was the wiki login that failed and not the OAuth process (WikiEdu login), then the OAuth extension is not involved. I could imagine OAuth erroring out somehow when the user account is autocreated during the login, and some cache is not updated, but then the user would be logged in on enwiki at the end, so it sounds like that's not what happened.

Wed, Oct 31, 8:28 PM · MediaWiki-extensions-CentralAuth, MediaWiki-extensions-OAuth
Tgr raised the priority of T173989: Port CentralAuth Selenium tests from Ruby to Node from Normal to High.

The Ruby tests are now broken (Gem::InstallError: watir requires Ruby version >= 2.3.0).

Wed, Oct 31, 4:03 AM · Patch-For-Review, User-Tgr, MediaWiki-extensions-CentralAuth

Tue, Oct 30

Tgr added a comment to T157651: sql.php runs LoadExtensionSchemaUpdates.

Core Platform I guess, since it's a bug in the DB abstraction layer. I can write the patch for it, wouldn't mind some feedback on T157651#3018942 though.

Tue, Oct 30, 12:05 AM · Core Platform Team Backlog (Watching / External), Performance-Team, MediaWiki-Database, MediaWiki-Maintenance-scripts, Beta-Cluster-reproducible

Mon, Oct 29

Tgr added a comment to T151010: Add logging to OATHAuth.

Some of our security-related logging adds whether the targeted user is privileged (is an admin, steward, admin at another wiki etc), others (like these) don't. Not much of a problem in the short term, as unprivileged users cannot currently use OATHAuth, but eventually it should be improved IMO. Either we should move the logic into User::getPrivilegedGroups (with some way for auth extensions like CentralAuth to hook into it), or the isPrivileged and privilegedGroups fields should be added in a custom log processor added in our config, so they are present in all log events.

Mon, Oct 29, 8:01 PM · MW-1.33-notes (1.33.0-wmf.6; 2018-11-27), Restricted Project, Wikistorm, Patch-For-Review, MediaWiki-extensions-OATHAuth

Thu, Oct 25

Tgr added a comment to T207900: Enable csp-report-only mode everywhere.

Based on mw.org, it seems very roughly like a wiki the size of mw.org gets about 30 hits/minute on average, with occasional spikes to 150/minute

Thu, Oct 25, 8:12 PM · Restricted Project, Operations, Wikimedia-Site-requests, Security-Team

Wed, Oct 24

Tgr added a comment to T207883: Feature request: using a different image for thumbnail and full image.

Duplicate of T9757: allow cropping images when rendered?

Wed, Oct 24, 11:25 PM · Multimedia, MediaWiki-extensions-MultimediaViewer, MediaWiki-Gallery
Tgr updated the task description for T206074: Wikimedia Technical Conference 2018 Session - Choosing the technologies to build our APIs.
Wed, Oct 24, 3:29 PM · Wikimedia-Technical-Conference-2018

Tue, Oct 23

Tgr updated the task description for T206074: Wikimedia Technical Conference 2018 Session - Choosing the technologies to build our APIs.
Tue, Oct 23, 8:55 PM · Wikimedia-Technical-Conference-2018
Tgr updated the task description for T206074: Wikimedia Technical Conference 2018 Session - Choosing the technologies to build our APIs.
Tue, Oct 23, 5:09 PM · Wikimedia-Technical-Conference-2018

Mon, Oct 22

Tgr added a comment to P7710 T206074 (TechConf 2018 - Choosing the technologies to build our APIs) drafts.

Selected architecture principles:

  • Software that interacts with users SHOULD provide consistent internationalization across platforms and follow accessibility guidelines.
  • Our software SHOULD provide extension points that empower the community with ways to develop workflows using scripting languages, and ensure safety and maintainability of custom scripts.
  • Public APIs of our services SHOULD be modeled around abstract use cases, not catering to a specific user interface.
  • Data we offer for re-use SHOULD use clearly specified, stable data schemas based on widely used open standards.
  • Software components SHOULD be designed to be reusable, and be published for re-use.
  • Software that exposes public interfaces for use by other software SHOULD be subject to release management with clear and consistent versioning. Any breaking changes to such interfaces then MUST be announced in a timely and predictable manner over relevant channels.
  • Any elements scheduled for removal from a stable public interface MUST be documented to be deprecated beforehand, and SHOULD be kept for backwards compatibility for a reasonable time.
  • All code SHOULD be designed for testability.
  • Comprehensive documentation SHOULD be maintained along with the code.
  • MediaWiki SHOULD be easy to install and upgrade in a development environment.
  • The MediaWiki stack SHOULD be easy to deploy on standard hosting platforms.
  • Small MediaWiki instances SHOULD function in low-budget hosting environments.
  • Our software and infrastructure SHOULD be designed to be resilient against spikes in demand and failure of backend systems.
  • Services and APIs SHOULD be designed to allow the identification of read-only and read-write HTTP requests to optimize routing and caching.
  • System design and technology choice SHOULD aim to reduce operational overhead and the cost of change management.
  • Our software and infrastructure SHOULD be designed in such a way to prevent unauthorized access to sensitive information, and to minimize the impact of individual components getting compromised.
  • Our system architecture SHOULD isolate components to reduce attack surface while minimizing system complexity.
  • Tools and processes SHOULD be designed to allow us to be responsive as well as proactive in ensuring security.
  • Our deployment infrastructure and dependency management SHOULD make it easy to keep system components up to date.
  • Our deployment infrastructure SHOULD make it easy to change configuration settings without disruption.
Mon, Oct 22, 11:02 PM
Tgr created P7710 T206074 (TechConf 2018 - Choosing the technologies to build our APIs) drafts.
Mon, Oct 22, 11:00 PM

Oct 21 2018

Tgr updated the task description for T206074: Wikimedia Technical Conference 2018 Session - Choosing the technologies to build our APIs.
Oct 21 2018, 11:53 PM · Wikimedia-Technical-Conference-2018
Tgr updated the task description for T206074: Wikimedia Technical Conference 2018 Session - Choosing the technologies to build our APIs.
Oct 21 2018, 7:33 PM · Wikimedia-Technical-Conference-2018
Tgr updated the task description for T206074: Wikimedia Technical Conference 2018 Session - Choosing the technologies to build our APIs.
Oct 21 2018, 7:31 PM · Wikimedia-Technical-Conference-2018
Tgr created T207606: Allow Phabricator pastes to be formatted as remarkup.
Oct 21 2018, 6:32 PM · Phabricator (Upstream), Upstream
Tgr added a comment to T206059: Wikimedia Technical Conference 2018 Session - Choosing installation methods and environments for 3rd party users.

I'm leading T206074: Wikimedia Technical Conference 2018 Session - Choosing the technologies to build our APIs which is influenced a fair bit by 3rd party support plans. It would be great if this session could make a recommendation on what portability / platform compatibility requirements Wikimedia/MediaWiki APIs should have. (Should such APIs be installable via some container mechanism? Via OS packages? Via the package management system of their respective programming language? Should they be usable on an average cheap VPS? On a shared web host? Should we have some classification for Wikimedia functionality (e.g. essential/nonessential or generic/wiki-specific) and have different expectations for different classes?)

Oct 21 2018, 4:06 AM · Wikimedia-Technical-Conference-2018

Oct 20 2018

Tgr awarded T201009: Run deleteLocalPasswords.php in WMF prod (Central Auth wikis only!) after 1.32.0-wmf.16 is everywhere a Doubloon token.
Oct 20 2018, 10:57 PM · MW-1.32-notes (WMF-deploy-2018-09-25 (1.32.0-wmf.23)), Patch-For-Review, User-Ladsgroup, Wikimedia-maintenance-script-run, Security, Wikimedia-Site-requests

Oct 18 2018

Tgr added a comment to T200392: RfC: Release notes automation.

The meat of it was

<legoktm> on the task there's some discussion about integrating merge drivers into Gerrit and Zuul, which I'm all for, but I have no idea how to do that technically, and I'm not sure anyone else does either
<legoktm> [...] I don't expect that to happen anytime soon... :(
<legoktm> so my bot proposal would just require me writing the bot and having it run on a cron
Oct 18 2018, 3:49 PM · TechCom-RFC (TechCom-Approved), MediaWiki-Documentation
Tgr reopened T207325: Footnote weirdness after editing the title parameter as "Open".

The mechanism of this error might be similar to T206527, but it's not going to be fixed by MCS patches (only apps use that API, VisualEditor doesn't) so reopening.

Oct 18 2018, 3:28 PM · TemplateStyles, VisualEditor