Tgr (Gergő Tisza)
Software Engineer, WMF Reading

Projects (31)


User Details

User Since
Sep 19 2014, 4:55 PM (152 w, 4 d)
Availability
Available
IRC Nick
tgr
LDAP User
Gergő Tisza
MediaWiki User
Tgr (WMF)

Recent Activity

Today

Tgr added a comment to T171964: [Spike - 8 hrs] Where should article concatenation be implemented?.

Also, while the UI and code quality problems with Extension:Collection don't seem relevant to me (it's not as if it would go away if we do the concatenation elsewhere; the amount to interact with its existing codebase will be the same either way), using the ElectronPdfService extension is always an option. We are talking about functionality that needs to be wrapped around Electron to make it support multi-page documents, so it would make conceptual sense to put it into the extension dedicated to Electron.

Wed, Aug 23, 2:45 AM · Readers-Web-Kanban-Board, Readers-Web-Backlog, Electron-PDFs, Spike
Tgr added a comment to T133410: Deploy TemplateStyles to WMF production.

@Shizhao I have been referring to T164791 which has been resolved since then.

Wed, Aug 23, 2:35 AM · Performance-Team (Radar), User-notice, Reading-Infrastructure-Team-Backlog (Kanban), Readers-Web-Backlog (Tracking), Traffic, Operations, Wikimedia-Extension-setup, TemplateStyles
Tgr added a comment to T171964: [Spike - 8 hrs] Where should article concatenation be implemented?.

Re: what framework to use for concatenation and/or post-processing:

  • Currently we have MediaWiki, Node services and Python services on our cluster. Adding a new kind of thing (some kind of standalone PHP service) shouldn't be taken lightly IMO. Following the well-trodden path reduces maintenance overhead. (Plus, PDF post-processing can't be done in PHP anyway so what's the point in writing a PHP microservice to run non-PHP core logic?)
  • Given that this project is under severe time pressure, doing the work inside the PHP extension seems by far the best immediate approach to me:
    • The code for concatenation in PHP exists already
    • No overhead of setting up and managing a service
    • Unblocks Ops to get rid of the ocg boxes / RelEng to get rid of trebuchet / Services to update Node. The concatenation and/or PDF modification logic can always be moved into a service later.
    • Can still be exposed as an API if we want clients to be able to build their own UI for it. On one hand it's slightly more convenient because the API has access to the session (where collection data is currently stored), on the other hand using the action API to deliver files will be awkward. Neither of those are big issues though.
  • One Node-based scenario that would make a lot of sense is if we found a good Node library for PDF processing, then we could do everything in Javascript and reduce the number of languages involved in PDF generation. We already have a working solution though and researching PDF libraries is a nontrivial amount of time. (PDFKit at a glance cannot modify existing files so it is not useful here. HummusJS looks more promising.)
  • I agree the ability to output alternative formats (EPUB, Zim, whatever) is valuable. IMO that's a (weak) argument for doing as much in the extension as possible. We'll probably want a "RESTBase -> concatenated HTML + metadata -> format of choice" pipeline for those as well, but the metadata (and possibly the HTML) will probably need to be subtly different and it's not easy to predict how, so having it travel through more services makes life more difficult. Services are great when there is a simple, stable interface that can serve as a boundary between the different systems. That is the case with Electron (send HTML, get PDF back) but would be much less true for a HTML concatenation or PDF TOC generation service.
Wed, Aug 23, 2:32 AM · Readers-Web-Kanban-Board, Readers-Web-Backlog, Electron-PDFs, Spike
Tgr added a comment to T173646: FancyCaptcha reloading sometimes broken in beta due to differing caches.

You probably forgot to use --raw-output.

Wed, Aug 23, 12:29 AM · MediaWiki-Cache, Beta-Cluster-reproducible, ConfirmEdit (CAPTCHA extension)

Yesterday

Tgr updated subscribers of T168986: Implement a RESTBase proxy for the Reading List Service.

@GWicke @mobrovac @Pchelolo where would you prefer this to live? It would be a thin wrapper that makes one or two action API calls (and in one case some calls to the page summary service), reformats the results and returns them. (The draft routes are in T164990.) It would not cache data since all data involved is private. Would it make sense to include it in RESTBase itself, since there is very little processing involved? If so, could you maybe point me to a similar task from the past as a starting point?

Tue, Aug 22, 9:46 PM · Reading-Infrastructure-Team-Backlog, Reading List Service
Tgr updated subscribers of T173638: Not CSRF protected return URL missing.
@Tgr mentioned that it's probably ok to let a provider opt out from CSRF protection.
Tue, Aug 22, 9:41 PM · MediaWiki-Authentication-and-authorization
Tgr added a comment to T153691: Strengthen two factor authentication by making it concurrent instead of sequential during the authentication process.

Technically it shouldn't be a big problem (as far as I can see) to convert OATHAuth into a Pre-auth extension, like ConfirmEdit is, and show the input on the login form directly

Tue, Aug 22, 9:35 PM · MediaWiki-Authentication-and-authorization, MediaWiki-extensions-OATHAuth, Security-Team
Tgr added a comment to T173485: HuWiki's RSS feed doesn't update.

The code generating the feed is https://github.com/huwiki/featured-feeds (it predates FeaturedFeeds) and it is running from tron.wmm.hu IIRC. I'll look at it when I find the time.

Tue, Aug 22, 9:15 PM · Wikimedia-General-or-Unknown, MediaWiki-extensions-FeaturedFeeds
Tgr added a project to T142434: Make CSRF error message less confusing: User-Tgr.
Tue, Aug 22, 9:12 PM · User-Tgr, MediaWiki-User-login-and-signup, MediaWiki-Authentication-and-authorization
Tgr added a comment to T173011: Explore in-context discussions on articles.

You can do this now with external tools such as hypothes.is.

Tue, Aug 22, 6:27 PM · Wikimania-Hackathon-2017
Tgr added a comment to T161612: Buttons in MMV are not really buttons and are thus not semantic.

I am facing " Error: Execution of '/usr/bin/apt-get -q -y -o DPkg::Options::=--force-confold install apache2' returned 100: Reading package lists..." while doing vagrant up.

Tue, Aug 22, 5:35 PM · Multimedia, Easy, JavaScript, Accessibility, MediaWiki-extensions-MultimediaViewer
Tgr added a comment to T168980: Implement Action API for managing Reading Lists.

After some changes based on code review feedback, the API syntax is

  • meta=readinglists to get all lists of the current user
    • rlchangedsince to get lists which changed recently
    • rlproject and rltitle to get which lists a page belongs to
  • list=readinglistentries to get all entries of the given lists
    • rlechangedsince to get entries which changed recently
    • can be used as a generator
  • list=readinglistorder to get the order of lists/list entries (not really useful, since it's also returned by the other modules, but the REST API wanted such an endpoint, so...)
  • action=readinglists&command=[setup|teardown|create|update|delete|createentry|deleteentry|order|orderentry] for all the write operations on lists.
    • commands are implemented as submodules
Tue, Aug 22, 12:24 AM · Patch-For-Review, Reading-Infrastructure-Team-Backlog (Kanban), Reading List Service
Tgr claimed T168992: Force clients to do a full update if they attempt to get changes with a date older than the latest "soft delete" interval.
Tue, Aug 22, 12:17 AM · Reading-Infrastructure-Team-Backlog, Reading List Service
Tgr claimed T170571: Implement a page inclusion API for Reading Lists.
Tue, Aug 22, 12:17 AM · Reading-Infrastructure-Team-Backlog, Reading List Service
Tgr claimed T168984: Create and enforce a limit for number of Reading Lists and Reading Lists entries for each user.
Tue, Aug 22, 12:16 AM · Reading-Infrastructure-Team-Backlog, Reading List Service
Tgr claimed T168995: Implement sync API for Reading Lists.
Tue, Aug 22, 12:16 AM · Reading-Infrastructure-Team-Backlog, Reading List Service
Tgr claimed T168990: Purge soft deletes on a regular basis.
Tue, Aug 22, 12:15 AM · Reading-Infrastructure-Team-Backlog, Reading List Service
Tgr claimed T168989: Implement soft deletes in order to support recent changes API.
Tue, Aug 22, 12:15 AM · Reading-Infrastructure-Team-Backlog, Reading List Service
Tgr claimed T168983: Only allow authenticated users to use the Reading List Action API.
Tue, Aug 22, 12:15 AM · Reading-Infrastructure-Team-Backlog, Reading List Service
Tgr added a comment to T168983: Only allow authenticated users to use the Reading List Action API.

Done in https://gerrit.wikimedia.org/r/#/c/366980/.

Tue, Aug 22, 12:15 AM · Reading-Infrastructure-Team-Backlog, Reading List Service
Tgr added a comment to T168995: Implement sync API for Reading Lists.

Done in https://gerrit.wikimedia.org/r/#/c/366980/; use the meta=readinglists and list=readinglistentries modules with the changedsince parameter.

Tue, Aug 22, 12:12 AM · Reading-Infrastructure-Team-Backlog, Reading List Service
Tgr added a comment to T170571: Implement a page inclusion API for Reading Lists.

Done in https://gerrit.wikimedia.org/r/#/c/366980/; use the meta=readinglists module with the project and title parameters.

Tue, Aug 22, 12:10 AM · Reading-Infrastructure-Team-Backlog, Reading List Service
Tgr added a comment to T168992: Force clients to do a full update if they attempt to get changes with a date older than the latest "soft delete" interval.

Done in https://gerrit.wikimedia.org/r/#/c/366980/.

Tue, Aug 22, 12:07 AM · Reading-Infrastructure-Team-Backlog, Reading List Service
Tgr added a comment to T168990: Purge soft deletes on a regular basis.

https://gerrit.wikimedia.org/r/#/c/366980/ adds a maintenance script to do this. Can be configured via $wgReadingListsDeletedRetentionDays (or overridden in the script parameters).

Tue, Aug 22, 12:06 AM · Reading-Infrastructure-Team-Backlog, Reading List Service
Tgr added a comment to T168989: Implement soft deletes in order to support recent changes API.

Done in https://gerrit.wikimedia.org/r/#/c/366980/, although the API does hide deleted items unless asked for sync data.

Tue, Aug 22, 12:04 AM · Reading-Infrastructure-Team-Backlog, Reading List Service

Mon, Aug 21

Tgr claimed T168988: Implement setup and tear down API Reading Lists.
Mon, Aug 21, 11:53 PM · Patch-For-Review, Reading-Infrastructure-Team-Backlog (Kanban), Reading List Service
Tgr moved T168988: Implement setup and tear down API Reading Lists from To Do to Code Review on the Reading-Infrastructure-Team-Backlog (Kanban) board.
Mon, Aug 21, 11:53 PM · Patch-For-Review, Reading-Infrastructure-Team-Backlog (Kanban), Reading List Service
Tgr claimed T168980: Implement Action API for managing Reading Lists.
Mon, Aug 21, 11:52 PM · Patch-For-Review, Reading-Infrastructure-Team-Backlog (Kanban), Reading List Service
Tgr moved T168980: Implement Action API for managing Reading Lists from To Do to Code Review on the Reading-Infrastructure-Team-Backlog (Kanban) board.
Mon, Aug 21, 11:52 PM · Patch-For-Review, Reading-Infrastructure-Team-Backlog (Kanban), Reading List Service
Tgr moved T168975: Develop a MediaWiki extension for managing Reading Lists from Doing to Code Review on the Reading-Infrastructure-Team-Backlog (Kanban) board.
Mon, Aug 21, 11:51 PM · Patch-For-Review, Reading-Infrastructure-Team-Backlog (Kanban), Reading List Service
Tgr moved T168974: Setup Database schema for Reading Lists from Doing to Code Review on the Reading-Infrastructure-Team-Backlog (Kanban) board.
Mon, Aug 21, 11:51 PM · Patch-For-Review, Reading-Infrastructure-Team-Backlog (Kanban), Reading List Service
Tgr moved T117661: Integrate a modern php REPL shell with MediaWiki from Next to Pending on the User-Tgr board.
Mon, Aug 21, 11:51 PM · User-Tgr, MW-1.29-release-notes, Developer-Wishlist (2017), MediaWiki-Vagrant
Tgr moved T117661: Integrate a modern php REPL shell with MediaWiki from Pending to Next on the User-Tgr board.
Mon, Aug 21, 11:51 PM · User-Tgr, MW-1.29-release-notes, Developer-Wishlist (2017), MediaWiki-Vagrant
Tgr updated the task description for T117661: Integrate a modern php REPL shell with MediaWiki.
Mon, Aug 21, 11:47 PM · User-Tgr, MW-1.29-release-notes, Developer-Wishlist (2017), MediaWiki-Vagrant
Tgr added a comment to T173646: FancyCaptcha reloading sometimes broken in beta due to differing caches.

Tried to look up the settings but something is misconfigured on deployment-mediawiki04/05 bad enough that eval.php can't even load:

tgr@deployment-mediawiki05:~$ mwscript eval.php --wiki=enwiki
PHP Fatal error:  Class 'Memcached' not found in /srv/mediawiki/php-master/includes/libs/objectcache/MemcachedPeclBagOStuff.php on line 61
Fatal error: Class 'Memcached' not found in /srv/mediawiki/php-master/includes/libs/objectcache/MemcachedPeclBagOStuff.php on line 61

On deployment-tin (where that does not happen), Redis uses a single proxy, /var/run/nutcracker/redis_eqiad.sock and using that socket to fetch the captcha data works fine (on mw04/05 as well). Presumably Nutcracker is configured to use consistent hashing and shard the data between the Redis instances.

Mon, Aug 21, 11:38 PM · MediaWiki-Cache, Beta-Cluster-reproducible, ConfirmEdit (CAPTCHA extension)

Thu, Aug 17

Tgr committed rERLSa651305cdd26: Turn list=readinglistentries into a generator (authored by Tgr).
Turn list=readinglistentries into a generator
Thu, Aug 17, 9:48 PM
Tgr committed rERLS6947fb2fb234: Add API modules (authored by Tgr).
Add API modules
Thu, Aug 17, 9:48 PM
Tgr committed rERLS8797eb6cb664: DB layer (authored by Tgr).
DB layer
Thu, Aug 17, 9:48 PM
Tgr committed rERLScdacb9124293: Add API modules (authored by Tgr).
Add API modules
Thu, Aug 17, 8:55 PM
Tgr committed rERLS535097b50c21: Turn list=readinglistentries into a generator (authored by Tgr).
Turn list=readinglistentries into a generator
Thu, Aug 17, 8:55 PM
Tgr committed rERLS768a5d65612b: DB layer (authored by Tgr).
DB layer
Thu, Aug 17, 8:55 PM

Wed, Aug 16

Tgr committed rERLSa6f1360a2b04: Turn list=readinglistentries into a generator (authored by Tgr).
Turn list=readinglistentries into a generator
Wed, Aug 16, 1:50 PM
Tgr committed rERLSb1da7617d944: Add API modules (authored by Tgr).
Add API modules
Wed, Aug 16, 1:50 PM

Tue, Aug 15

Tgr added a comment to T162181: Should we add psy/psysh to wmf vendor repo for use on WMF servers?.

@zeljkofilipin rebased. It's defined in jjb/job-templates.yaml#L169-L180 and invoked in jjb/mediawiki.yaml#L307-L310 I think?

Tue, Aug 15, 12:45 PM · Security-Reviews, Patch-For-Review, Wikimedia-General-or-Unknown, MediaWiki-Vendor
Tgr committed rERLSdd35d3962dad: Add API modules (authored by Tgr).
Add API modules
Tue, Aug 15, 1:05 AM

Mon, Aug 14

Tgr awarded T52092: Implement glossary (terminology) support a Like token.
Mon, Aug 14, 2:37 PM · I18n, MediaWiki-extensions-Translate

Sun, Aug 13

Tgr closed T173157: [MediaWiki-Vagrant] git : Depends: libpcre2-8-0 but it is not installable as Resolved.
Sun, Aug 13, 4:06 PM · User-bd808, Patch-For-Review, MediaWiki-Vagrant

Sat, Aug 12

Tgr updated the task description for T173157: [MediaWiki-Vagrant] git : Depends: libpcre2-8-0 but it is not installable.
Sat, Aug 12, 1:41 AM · User-bd808, Patch-For-Review, MediaWiki-Vagrant
Tgr created T173157: [MediaWiki-Vagrant] git : Depends: libpcre2-8-0 but it is not installable.
Sat, Aug 12, 1:40 AM · User-bd808, Patch-For-Review, MediaWiki-Vagrant

Fri, Aug 11

Tgr added a comment to T173075: Say only "Switch to Mobile view", "Switch to Desktop view" in footers.

The text of a hyperlink usually describes where the link takes you / what happens when you click on the link. I'd expect this to be well understood by users.

Fri, Aug 11, 10:24 PM · Readers-Web-Backlog, MobileFrontend
Tgr updated subscribers of T162181: Should we add psy/psysh to wmf vendor repo for use on WMF servers?.

@zeljkofilipin can you maybe advise? https://gerrit.wikimedia.org/r/#/c/339584/ fails because one of the unit tests contains something that's only valid in PHP7. The patch changes the composer test command to exclude test directories, but that has no effect, presumably because linting happens directly and not through composer test. What would be the best way to fix this?

Fri, Aug 11, 9:55 PM · Security-Reviews, Patch-For-Review, Wikimedia-General-or-Unknown, MediaWiki-Vendor
Tgr updated the task description for T173141: Provide a way to install Composer dependencies after installing an extension, without updating all unrelated libraries.
Fri, Aug 11, 8:42 PM · Upstream, Composer
Tgr added a comment to T173141: Provide a way to install Composer dependencies after installing an extension, without updating all unrelated libraries.

This is an upstream issue that we probably can't do much about. I mostly just created the task to have a description of the issue that can be referenced from on-wiki documentation.

Fri, Aug 11, 8:42 PM · Upstream, Composer
Tgr created T173141: Provide a way to install Composer dependencies after installing an extension, without updating all unrelated libraries.
Fri, Aug 11, 8:41 PM · Upstream, Composer
Tgr added a comment to T172845: What makes a high quality MediaWiki extension? - Hackathon session.

@Osnard I don't think there is an established convention and most extensions actually just use <extensionname> but IMO using MediaWiki\Extensions\... follows from the PSR-4 recommendation that namespaces should start with a vendor prefix. Vendor prefixes are reasonably unique; extension names are not (ie. there is no guarantee someone out there is not writing a library with the same name as your extension, and once another extension tries to use that library as a dependency, you are in trouble).

Fri, Aug 11, 7:42 PM · MediaWiki-extensions-General, Wikimania-Hackathon-2017
Tgr created T173090: New wikitext editor breaks revision deletion.
Fri, Aug 11, 1:18 PM · VisualEditor, VisualEditor-MediaWiki-2017WikitextEditor
Tgr added a comment to T172958: CodeMirror is incompatible with new wikitext editor.

Opening the edit URL works, it's just the VE in-place loading thing that fails.

Fri, Aug 11, 1:11 PM · MW-1.30-release-notes (WMF-deploy-2017-08-22 (1.30.0-wmf.15)), Patch-For-Review, Community-Tech-Sprint, Community-Tech, MediaWiki-extensions-CodeMirror

Thu, Aug 10

Tgr added a comment to T155678: Provide an easy to use support system for contributors to ask technical questions .

paizaQA seems to lack most of the features of a decent Q&A system (reputation, badges etc). Apparently it was written in a very short amount of time to demo a RAD method, and then abandoned.

Thu, Aug 10, 8:45 PM · TCB-Team, Developer-Relations
Tgr updated the task description for T155678: Provide an easy to use support system for contributors to ask technical questions .
Thu, Aug 10, 8:17 PM · TCB-Team, Developer-Relations
Tgr added a comment to T77147: Show Videos in Media Viewer.

Although, perhaps there could be a sticky per-user option of disabling autoplay (I believe Youtube has this option).

Thu, Aug 10, 7:46 PM · Multimedia, Patch-Needs-Improvement, Patch-For-Review, TimedMediaHandler, MediaWiki-extensions-MultimediaViewer
Tgr added a comment to T173004: All images are showing a "Sorry, the file cannot be displayed" error.

error: could not load image from http://tatteredwiki.org/images/6/6f/Lycus_Moss.png
URL: httpS://tatteredwiki.org/wiki/Lycus_Artois#/media/File:Lycus_Moss.png

Thu, Aug 10, 7:43 PM · Multimedia, MediaWiki-extensions-MultimediaViewer
Tgr added a comment to T172845: What makes a high quality MediaWiki extension? - Hackathon session.

Would be cool to have a Toolforge tool which can check some of the criteria and provide you with a TODO list.

Thu, Aug 10, 6:48 PM · MediaWiki-extensions-General, Wikimania-Hackathon-2017
Tgr added a comment to T171964: [Spike - 8 hrs] Where should article concatenation be implemented?.
  • chapter/section number is much easier to do via CSS counters than by rewriting the HTML.
  • I don't see the potential benefit in using unix tools. You would have to use something pretty complex like awk, which would result in code most developers can't easily read, and the interaction with the usual development ecosystem (unit tests, logging, debugging tools etc) would be awkward. Not to mention that it would limit the extension to Linux installs (and only specific distributions, unless you pay a lot of attention to portability).
  • I doubt performance is a big deal since PDF rendering will probably take much more time than the simple HTML changes that are proposed here; there is little value in trying to optimize parts of the system which are already relatively fast. That said, RemexHTML has better asymptotic performance than the alternatives (see Tim's comment in T163272#3272877) and probably less overhead as well since the delays inherent in communicating via HTTP are very likely going to be larger than any speed benefit a Node implementation might possibly have over a PHP implementation in object instantiation time and whatnot.
Thu, Aug 10, 6:16 PM · Readers-Web-Kanban-Board, Readers-Web-Backlog, Electron-PDFs, Spike
Tgr added a comment to T172845: What makes a high quality MediaWiki extension? - Hackathon session.
  • Document why you do things, not what you do. In long blocks of code, adding comments stating what each paragraph does is nice for easy parsing, but generally,
  • Use PSR-4: one class per file, file name/path reflects class name. Classes should preferably be in the MediaWiki\Extensions\<extension name> namespace.
  • Use dependency injection, avoid static calls for other than utility methods + hook entry points
    • Don't overuse private visibility in services
  • Use structured logging, with meaningful levels
  • Expose your Javascript methods so 1) user scripts can access them, 2) it is easy to debug them. Do not make everything private.
  • Create a Vagrant role for your extension.
  • Document hooks used in the extension infobox, it's a nice method of exposing examples so that other developers can learn.
  • Store your extension on gerrit so that others can update it for core deprecations
Thu, Aug 10, 1:58 PM · MediaWiki-extensions-General, Wikimania-Hackathon-2017

Wed, Aug 9

Tgr closed T172946: Reset two-factor authentication for Epantaleo as Resolved.

Done.

Wed, Aug 9, 8:46 PM · Support-and-Safety
Tgr created T172946: Reset two-factor authentication for Epantaleo.
Wed, Aug 9, 8:18 PM · Support-and-Safety
Tgr added a comment to T172165: Bump PHP requirement to 5.6 (or 7.x?) in 1.31.

We might as well bump to 7.0 right after releasing a 5.6 LTS.

Wed, Aug 9, 5:00 PM · RfC, TechCom-RfC, MediaWiki-General-or-Unknown
Tgr closed T172826: Tool "remarkup2wikitext" loads assets from code.jquery.com and Google Analytics as Resolved.

Uhh, it must have been mindless copypasting of some HTML boilerplate. It uses neither jQuery nor GA (and GA still used the sample siteid ŲA-XXXXX-X).

Wed, Aug 9, 2:13 PM · Tools
Tgr closed T172826: Tool "remarkup2wikitext" loads assets from code.jquery.com and Google Analytics, a subtask of T172065: Hunt for Toolforge tools that loads resources from third party sites, as Resolved.
Wed, Aug 9, 2:13 PM · Toolforge-standards-committee, Tools, Privacy

Sun, Aug 6

Tgr added a comment to T50552: Make PageTriage wiki agnostic.

Is there a summary of what exactly would need to be changed to make PageTriage work with other wikis?

Sun, Aug 6, 8:32 PM · Community-Wishlist-Survey-2015, Collaboration-Team-Triage, I18n, MediaWiki-extensions-PageCuration

Fri, Aug 4

Tgr added a comment to T172477: Attribute anonymous contributions to the first IP address used in a session.

Is there any benefit in using a prefixed IP as the username, as opposed to using a session ID (possibly something easier to remember, such as a diceware string) and exposing the IP address separately? Then, a wiki could be configured so that "anonymous" edits are truly anonymous (unlikely to be interesting for Wikimedia projects but might be useful for others, e.g. wikis operating in jurisdictions with stronger privacy laws), and it would be possible to apply judgement in edge cases (e.g. hide IP addresses for edits originating from oppressive regimes).

Fri, Aug 4, 10:42 AM · TechCom-RfC, MediaWiki-User-management
Tgr updated the task description for T133452: Create temporary accounts for anonymous editors.
Fri, Aug 4, 10:25 AM · User-Tgr, WMF-Legal, Privacy, MediaWiki-Authentication-and-authorization
Tgr added a project to T133452: Create temporary accounts for anonymous editors: User-Tgr.
Fri, Aug 4, 10:24 AM · User-Tgr, WMF-Legal, Privacy, MediaWiki-Authentication-and-authorization
Tgr changed the status of T166472: Wikilabels should authenticate on meta wiki from Resolved to Declined.

Changing status to declined which better reflects the outcome.

Fri, Aug 4, 10:14 AM · User-Zppix, Scoring-platform-team, Wikilabels
Tgr changed the status of T166472: Wikilabels should authenticate on meta wiki, a subtask of T172332: Early Aug 2017 Wikilabels Deployment, from Resolved to Declined.
Fri, Aug 4, 10:14 AM · Scoring-platform-team, User-Zppix
Tgr added a comment to T166472: Wikilabels should authenticate on meta wiki.

How many ORES users have ever visited Meta and set their preferred user language there? A tiny fraction, I'd guess.

Fri, Aug 4, 10:11 AM · User-Zppix, Scoring-platform-team, Wikilabels
Tgr added a comment to T31923: Install Q&A system at ask.wikimedia.org.
In T31923#1657275, @Tgr wrote:

StackExchange is apparently planning to expand into an unofficial documentation HUB.

Fri, Aug 4, 9:53 AM · Community-Wishlist-Survey-2015, Wikimedia-General-or-Unknown

Tue, Aug 1

Tgr added a comment to T171382: RFC: IPv6 contributions and talk pages.

Just use Tor etc?

Tue, Aug 1, 8:53 PM · RfC, TechCom-RfC
Tgr committed rERLSaa22db4c33d3: [WIP] API (authored by Tgr).
[WIP] API
Tue, Aug 1, 9:59 AM
Tgr committed rERLS55bbefab77ac: Boilerplate files (authored by Tgr).
Boilerplate files
Tue, Aug 1, 9:59 AM
Tgr committed rERLS5c6c961ade71: DB layer (authored by Tgr).
DB layer
Tue, Aug 1, 9:58 AM

Sat, Jul 29

Tgr committed rERLS1b5f199706b6: [WIP] API (authored by Tgr).
[WIP] API
Sat, Jul 29, 1:09 PM
Tgr added a comment to T172033: Decide how RESTBase proxies of Action API modules should deal with CSRF tokens.

Options that come to mind:

  1. Just deal with it. Add a token endpoint to the REST API; clients are required to call it first and fetch a token. Any write endpoint can return a token error (Wikimedia has MediaWiki configured with short session lifespans) in which case the client is required to fetch a new token and resubmit the request. This seems inconvenient but most clients do it already since they interface with the Action API directly, so not that much of a change.
  2. Use some kind of CSRF-safe authentication or request signing, and relax CSRF requirements when not actually needed (cf. T126257: The API should not require CSRF tokens for an OAuth request).
    1. Use OAuth. The problem here is that unlike session cookies, OAuth cannot be transparently proxied as the signature is based on the request URL. So the REST service would have to be able to verify OAuth signatures (not hard since there are libraries for it, but the data is stored in MediaWiki so the service would have to access it somehow) and authenticate to the action API in some alternative way.
    2. Use API tokens. This would require a new authentication module for MediaWiki, plus T126257, but unlike OAuth it can be proxied transparently. Stealing such a token could allow impersonating the user, but that does not seem any more insecure than the long-lived token cookies already used by MediaWiki. Also, it could be bound to a single REST service (Reading Lists, for example, is not super sensitive).
  3. Use double-submit CSRF; ie. instead of storing the CSRF in the session, just have the client store it in a cookie and submit as both cookie and POST data, and compare on the server. This is less secure than session CSRF, though. (Slightly more secure if the cookie is initially obtained from MediaWiki and signed in some way.)
  4. Force requests to trigger CORS (e.g. Content-Type: application/json), so web clients can only send requests from trusted domains. (Non-web clients are not affected by CSRF anyway.) Then find some way to exempt requests proxied by the REST service from having to include a CSRF token.
Sat, Jul 29, 10:41 AM · Services (designing), Security, Reading List Service, Reading-Infrastructure-Team-Backlog
Tgr committed rERLS8a194dccb5b6: [WIP] API (authored by Tgr).
[WIP] API
Sat, Jul 29, 10:25 AM
Tgr added a subtask for T168986: Implement a RESTBase proxy for the Reading List Service: T172033: Decide how RESTBase proxies of Action API modules should deal with CSRF tokens.
Sat, Jul 29, 10:16 AM · Reading-Infrastructure-Team-Backlog, Reading List Service
Tgr added a parent task for T172033: Decide how RESTBase proxies of Action API modules should deal with CSRF tokens: T168986: Implement a RESTBase proxy for the Reading List Service.
Sat, Jul 29, 10:16 AM · Services (designing), Security, Reading List Service, Reading-Infrastructure-Team-Backlog
Tgr created T172033: Decide how RESTBase proxies of Action API modules should deal with CSRF tokens.
Sat, Jul 29, 10:15 AM · Services (designing), Security, Reading List Service, Reading-Infrastructure-Team-Backlog
Tgr committed rERLS2206b830dd6d: DB layer (authored by Tgr).
DB layer
Sat, Jul 29, 10:08 AM
Tgr committed rERLSaf8fba15bba5: [WIP] API (authored by Tgr).
[WIP] API
Sat, Jul 29, 10:08 AM

Thu, Jul 27

Tgr added a subtask for T168975: Develop a MediaWiki extension for managing Reading Lists: T171913: Fix technical debt in ReadingLists extension.
Thu, Jul 27, 10:40 PM · Patch-For-Review, Reading-Infrastructure-Team-Backlog (Kanban), Reading List Service
Tgr added a parent task for T171913: Fix technical debt in ReadingLists extension: T168975: Develop a MediaWiki extension for managing Reading Lists.
Thu, Jul 27, 10:40 PM · Technical-Debt, Reading-Infrastructure-Team-Backlog, Reading List Service
Tgr created T171913: Fix technical debt in ReadingLists extension.
Thu, Jul 27, 10:33 PM · Technical-Debt, Reading-Infrastructure-Team-Backlog, Reading List Service
Tgr added a comment to T171515: Hooks system should support MediaWiki services.

I don't see anything odd in replacing static hook handlers with methods of a hook handler service. It's a step towards having proper per-extension event listener services. (Also it was sort of possible pre-extension registration, via the $wgHooks[] = [ $hookHandler, 'method' ]; notation; it'd be nice to have it back (and more performant).)

Thu, Jul 27, 6:19 PM · User-Daniel, Technical-Debt, MediaWiki-General-or-Unknown, Architecture, Patch-For-Review

Wed, Jul 26

Tgr committed rERLS15719552fa5e: [WIP] API (authored by Tgr).
[WIP] API
Wed, Jul 26, 7:17 AM
Tgr committed rERLS03ecba8f2084: [WIP] API (authored by Tgr).
[WIP] API
Wed, Jul 26, 7:17 AM

Tue, Jul 25

Tgr added a comment to T171515: Hooks system should support MediaWiki services.
  • the @ notation is too cryptic. I don't think Symfony is popular enough that it would make sense to freeride on its conventions. I'd rather see something like [ 'service' => 'ServiceName', 'method' => 'hookMethod' ] which is self-documenting even if it's uglier in config files.
  • there are quite a few places which implement some kind of object instantiation notation (ObjectFactory, ApiModuleFactory::addModules, ResourceLoader::getModule, ObjectCache::newFromParams...) which is a pretty similar problem. It would be nice to come up with a shared codebase for doing those things.

Other than that, seems like a good idea to me. IMO we should discard the hook system eventually and end up with something more like event listeners/dispatchers, but that's a long term thing and this looks like a reasonable short-term fix.

Tue, Jul 25, 4:04 PM · User-Daniel, Technical-Debt, MediaWiki-General-or-Unknown, Architecture, Patch-For-Review
Tgr committed rERLS7447ccf340f1: [WIP] API (authored by Tgr).
[WIP] API
Tue, Jul 25, 2:01 PM
Tgr committed rERLSe4d6911be40a: DB layer (authored by Tgr).
DB layer
Tue, Jul 25, 2:01 PM
Tgr committed rERLS1778b243b427: [WIP] API (authored by Tgr).
[WIP] API
Tue, Jul 25, 10:14 AM
Tgr committed rERLS0d25474099ca: [WIP] API (authored by Tgr).
[WIP] API
Tue, Jul 25, 10:12 AM