Thu, Feb 28
Wed, Feb 27
Thu, Feb 21
(Just noting I'll be ready to work more on this in around next week-ish)
Feb 21 2019
Feb 5 2019
Feb 1 2019
The above patch https://gerrit.wikimedia.org/r/487527 removes some of the non-scripting tags from the checks in UploadBase::detectScript, and makes the conservative/exact IE heuristics called from UploadBase::verifyMimeType optional (but still on by default). This also deprecates $wgAllowTitleInSVG since <title is no longer looked for.
Ok, looking at the actual current code now... UploadBase::detectScript does the check, and combines several things:
- looks at first 1024 bytes (more than IE checks) if binary, or all if text
- does some text encoding checks (seems to be SVG-specific?)
- looks for IE's trigger tags for type detection
- looks for some Safari (old Safari?) trigger words for plain-specific type detection
- decodes XML-style char references (seems to be SVG-specific)
- looks for some script-like things, CSS-like URLs in body content that seem to be SVG-specific
@Aklapper I believe it's very on-topic to discuss the security implications of a suggested feature change. Where would you suggest we discuss this if not here, on this task?
Jan 29 2019
Thanks! Didn't mean to rush you, I'll probably poke at this next week unless I get inspired. :)
Jan 28 2019
- IE 6 and 7 were both available on Windows XP, which includes TLS 1.0 support but not TLS 1.1 or 1.2. However IE 6-8 on XP fail to work anyway due to lack of SNI.
- This takes IE 6 off the table entirely.
- IE 7 on Vista should still work correctly with TLS 1.0, 1.1, or 1.2 -- https://blogs.msdn.microsoft.com/kaushal/2011/10/02/support-for-ssltls-protocols-on-windows/
- IE8 supports X-Content-Type-Options: nosniff header; if we don't already use it consistently, applying this on all file views would resolve all sniffing issues on IE 8
The chance that someone would visit using an old IE version was probably 50% when the code was originally added; IE had a very high market share in the early 2000s. However at this point we can't even be accessed in IE 6 as far as I know (due to servers dropping old TLS versions for HTTPS). I think it's pretty fair to change the balance of what we check for.
@zeljkofilipin should I take this task? I'll need to grab some documentation for starters or else grab you later when we have time. :)
Jan 23 2019
Jan 4 2019
Note that bast4001 no longer works for login?
Jan 3 2019
A few quick notes:
- we should sketch out a few extensions in this model -- I'll take a look at some later in the week
- aggressively pushing action hooks to deferred or jobqueue means we need to be much better about making the job queue *work* reliably (and quickly) on small installs
- immutable interfaces are probably sufficient for most of what we want on hook params, without necessarily needing to create full value classes for everything. We want both sides of the hook to know what's promised & what's allowed & what might change from under you
- side effects issues are something to consider more, about guarantees vs recommendations. needs some real-world testing to see where these guidelines lie
Jan 2 2019
MediaWikiVersionFetcher would need to be altered as well, which currently looks for $wgVersion being set in DefaultSettings.php
Sensible enough. :) I'd recommend MW_VERSION as the constant name; but should it be set in DefaultSettings.php where $wgVersion is set now, or up in defines.php or elsewhere? May also need to update documentation about cutting release versions (updated location of the changed version).
Dec 28 2018
Confirmed it fixed the VM on the Linux PC too. Sweeeeeeeeeeet!
Dec 25 2018
Woohoo! I'll close this out now as fixing my main case (on the Mac where it almost worked) and will confirm Friday on the Linux PC and if that doesn't resolve it there will just reimage it.
On the Mac (where the extensions installed but php-cli didn't), php was gone again when needed for composer runs via vagrant git-update:
@Reedy I'm out of town for a couple days for the holiday so can't retest just now, will poke again later in the week. But I think it was around commit dca68a5c3db8f338bb8b00b3e014c3b1d1308a99 (mid-November) when I last updated it successfully.
Dec 22 2018
Nov 14 2018
Note that this is dependent on suitable playback support being widespread. While on desktops, Chrome and Firefox are shipping AV1 now or in next versions, and Microsoft is previewing it for Edge, we don't yet know the situation for Safari. I've started adding AV1 decode to ogv.js, but it's slower than decoding VP9 so far so may require running lower resolutions (unless WebAssembly threading arrives soon on Safari).
Ingest should be a matter of having a suitable ffmpeg & libaom package backport, and a small update to make sure we're allowing AV1 codec in WebM container. Note there will also be MP4-flavored AV1 out in the world, but we don't yet know how popular that will be as flat files (versus DASH/HLS/streaming).
Nov 11 2018
Nov 8 2018
Storage note: may need/want to include a reverse-domain copy of the domain for indexing purposes for bulk lookups.
(my concern being the possibility of getting people to agree to click-through things they shouldn't; attacker script wouldn't be able to auth/confirm the form, in theory)
Nov 7 2018
Version bumped, and README includes a little info on the changes to config.
Yep, our bad -- we didn't document the breaking changes to config. :( Try this:
Nov 5 2018
Oct 30 2018
Oct 25 2018
Oct 9 2018
I didn't manage to do an early push because I was out sick most of last week, but it should be live now, and the re-rendered file works for me so hoping it's fine for @jeblad. :)
Oct 1 2018
I'll try to sneak it into a 'swat deploy' window later this week.
Aha found it -- the file is 4:2:2 chroma subsampling (profile 1) which Chrome probably doesn't support.
I did some more poking at this, and I'm not quite sure what's going on but I don't think it's because of the pause/play stuff.
This merged some time ago. Closing out.
Looks like a bug with the old mwembed player assuming it can autoplay and interacting badly with current browsers...
Sep 18 2018
@Esanders worst case, currently should be possible to override the ThreeDHandler's doTransform method to return a custom ThumbnailImage subclass, which can add a class by sniping into the toHtml() method and appending to the img-class entry in options.
Not a blocker, but it'd be nice to treat various media types consistently in that respect. Ought to be able to add a custom class on the <img> in some reasonable way already, though...
Sep 14 2018
Sep 10 2018
Note that this should be made possible for both regular File: page view and the iframe-embedded view.
Sep 8 2018
Feedback question -- is the method name mapping from 'somethingWorker' to 'something' too clever? Should it just let you pass any method name to $controller->queue()?
(Still have to see if the exec mode can be got working, do a little debugging, and add a hook for closing extensions.)
Updated summary with the reworked API for ParallelMaintenance.
Sep 7 2018
using regular execute() method, with a helper fork() method (bikeshed that name!) that creates the controller, a dispatch callback, and the work/result callbacks
I'm retooling the proposal based on feedback. Key things:
Sep 5 2018
Note via Timo -- currently we run maint scripts in production through hhvm, which sets processor affinity on all child processes. :P
Hadn't thought of trying h.263; testing... I've put up some samples at https://brionv.com/misc/pumpjack/
Aug 31 2018
Seems to be a change in how plugins are loaded in 2.1.3/2.1.4. Yay semver!
Aug 27 2018
Taking a quick peek at this per an inquiry from @saper. Specifically looking at the login page...
Aug 21 2018
Aug 20 2018
I'm pretty happy with the current documentation now; last time I needed to use it I found what I needed. :) Closing.
Adding to techcom-rfc board to make sure we don't forget to discuss this, if cross-cutting issues are foreseen.
Existing files should be either deleted or re-encoded.
Fix has been deployed; no more MP4 files should be coming in.
AAAAAGGGGHHHH the VM has the clock wrong and thinks the cert is not yet valid. Never mind.
(I think that missing file is ok cause the dir is full of other files...?)
The /usr/lib/ssl/cert.pem file specified in config seems to be missing?
PHP 5 is obsolete; use PHP 7.
Aug 19 2018
Yep, that's a regression in the extension.json migration. The addition of file types to $wgFileExtensions was being done twice, both in the extension.json and then again dynamically, causing the way that 'mp4' was removed from the list to fail because it only removed one instance of it.
Aug 14 2018
Aug 13 2018
As for role ids -- perhaps we should primarily use the names, not the numbers, in the <role> bit. It's analogous to a page's <title> reference (a primary identifier) not to its <ns> or <id> (which are provided informatively if you want to repro the database exactly, but can be freely discarded when doing imports and such).
Ok, proposed transitional schema looks like it imports cleanly via importDump (which uses same code path as Special:Import). The proposed final schema, however, imports a revision with empty text (and throws a notice on Undefined index: text in /vagrant/mediawiki/includes/import/WikiImporter.php on line 886).
My concern with the two-step transition idea is that some consumers may not update on a reliable schedule, or may not be able to do so easily. For instance, if people are using Special:Export on one wiki and Special:Import'ing those pages on another that's *not* a Wikimedia-hosted site, it's more likely to be an older version of MediaWiki.