reiterating on presenting the task to the dev team, making estimation etc would be beneficial in this case, I'd think

It was on some WMF's team (Platform Engineering I believe) to review. They were last ping in January I believe

Oh, I missed the possible alternative approach, apologies (got too excited this is talking about the "team day" only as the comment mentioned a calendar event)

If the approach boils down to "Patch Tuesday", I'd assign this to management. We've had taken a first stab on introducing this as a "team activity" in the late 2020. Initial implementation failed due to the gallore of other "special" things happening in Deecember, but kickstarting it again would be easy and fairly non controversial.
If there is no technical/code work involved, I would not see it as a campsite task no more.

Per @Addshore's comment on https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Wikibase/+/662735/ the suggested approach seems to be to have the relevant logic added/changed in a different place than Entity Revision Lookup(s)

This case is only important in cases where the baserevid comes from a user (such as via the api). many entity revision lookups need not concern themselves with this additional check.

Apologies for the bad word choice @bd808. And thanks for setting up the blacklist rules!

Having discussed this with WMDE's engineering leadership (@conny-kawohl_WMDE @darthmon_wmde @Tobi_WMDE_SW) it seems that use of "WMDE" in developer account names must have been some misunderstanding which we have inconsistently carried over the years.
As such we do not oppose such change. Please proceed as you see fit.

Tags published

Thanks @bd808 for mentioning the tag. "Staff" account or not, some permission adjustment on wikitech will likely be needed in either cases, so it is good to know how to make this visible. I'll throw in some thoughts in the other task a bit later.

hello @danshick-wmde, just checking how this write up looks from your side?

I think we're done, thanks!

First and foremost, thanks @sbassett and @JBennett for chiming in here on the security readiness review process, and the risk-level-based vs binary yes/no assessment. I think this is topic worth repeatedly mentioning.

the engineering part of the task is done

seemingly complete

Closing for now as the path/scope unclear

Timebox to 1 hr

This looks good, thanks!

It is likely too late so it is likely purely speculative comment:
I wonder if there could be some sensible automated tests provided that could have caught this kind of regression? Maybe some kind of property-based test that would be punching in some "well-formed" data and verify that INSERT/UPDATE succeeds? Might be very arbitrary, hence not particularly useful (a.k.a. overkill)
I'm not an expert in low-level database world so I simply don't know what practices might exist.

@Aklapper this message above from Herald seems like something relatively new? Please advise if we should reach out to WMF Legal for NDA and related topics on Phabricator differently.

As an Engineering Manager at WMDE, I approve this request and confirm Georgina's affiliation with WDME.
Tagging WMF-Legal as well to ensure the required paperwork is on file.
thanks!

As the WMF-Legal project tag was added to this task, some general information to avoid wrong expectations:
Please note that public tasks in Wikimedia Phabricator are in general not a place where to expect feedback from the Legal Team of the Wikimedia Foundation due to the scope of the team and/or nature of legal topics. See the project tag description.
Please see https://meta.wikimedia.org/wiki/Legal for when and how to contact the Legal Team. Thanks!

Thanks for this @sbassett and apologies for not cleaning the house ourselves!

I think we're done here. Thanks RelEng for great help, and apologies for not managing our tasks the best.

In T261906#6790008, @GoranSMilovanovic wrote:

@WMDE-leszek The problems in relation to URL rendering in production is solved. A minor bug was in question - as I hoped it will be.

This looks complete, thanks. Possibly tweaks related to getting it work with the Quick Statements will be consider under that other task.

The ADR looks solid, thanks!
I've made a small nitpicky change to make the language in consequences section less - arguable interpretation - "scary": https://github.com/wmde/wikibase-release-prototype/pull/46

What is the question @Ladsgroup?
The topic has been investigated by the WMDE team: T269139 and next steps are to be outlined afterwards.

The issue has been successfully patched on Wikidata. To our best knowledge the problem does not pose a security risk to Wikibase installation outside of WMF production wiki. Therefore we make the issue, and the fix, public.