In T415902#11588966, @Catrope wrote:

In T415902#11573319, @Niharika wrote:

Thanks for looking into this. I tried to get a hold of the totals on superset but realized they scrub gu_email(makes sense) so I can only get count and timestamp of confirmed emails but not the unconfirmed ones.

If you have access to the stat boxes, you can get it from there:

catrope@catrope-ThinkPad-T16-Gen-1$ ssh stat1008.eqiad.wmnet
catrope@stat1008:~$ analytics-mysql centralauth
mysql:research@dbstore1008.eqiad.wmnet [centralauth]> select if(gu_email is null or gu_email = '', 'no', 'yes') as hasemail, count(*) from globaluser group by hasemail;
+----------+----------+
| hasemail | count(*) |
+----------+----------+
| no       | 19885382 |
| yes      | 62393788 |
+----------+----------+
2 rows in set (24.526 sec)

This sounds fine to me. I'll update the task.

Great, thanks! @mmartorana will work on this next week.

Thanks for the ping! We’re aware of the rollout timeline.

Security Review Summary - T399459 - 2026-01-23

In T415087#11539732, @Superpes15 wrote:

@mmartorana Ciò è dovuto al fatto che non tutto dell'estensione Email Auth era stato tradotto su translatewiki (mentre i numeri e le scadenze sono spesso già tradotte). Sto risolvendo io su translatewiki e con il prossimo aggiornamento, da settimana prossima, dovrebbe essere tutto in italiano. Anzi, se vuoi dare una mano, questo è il link :)

In T399459#11542535, @Ifrahkhanyaree_WMDE wrote:

thanks so much! quick clarification question - what's the difference between it being completed vs. the results being posted? Would it take another month until we can officially use it on production?

Hi @Ifrahkhanyaree_WMDE - apologies on behalf of the Security-Team. We’ve reprioritized this review and expect it to be completed by the end of this week.

Email from T404620#11504513 has been sent to various mailing lists:

• wikitech-l
• mediawiki-l
• mediawiki-announce

In T410560#11507544, @Daimona wrote:

In T410560#11506097, @Mstyles wrote:

@Daimona I redid the production patch so that it would apply. If you have time to merge it then I'll go ahead and request a CVE and add it to the supplemental release.

Merged. I suppose this means I can put the new patch from T410560#11497430 on gerrit once the release is out right?

Hi @Jdrewniak - to help us scope this review, could you clarify the expected deployment window more precisely ?

Hey cloud-services-team and @dcaro - this service has a known vulnerability. Since there are currently no mitigation steps and no identified code owner, the Security-Team strongly recommends shutting the service down.

Security Review Summary - T404751 - 2025-12-15
Last commit reviewed: d77fc0e

Given the scope, I think it seems reasonable to start with a simple lookup table that maps known AAGUIDs to readable device names (e.g. Google Password Manager, iCloud Keychain, YubiKey 5 Series, etc...). This can be either hardcoded at first, or stored in a small static file. I think that is a good starting point rather than some more complex approach for now.

Hey @Petrb - based on the codepath above this still looks like a plausible SQL injection vector. Could you confirm whether you plan to patch this upstream, or if there’s anything needed from our side to help move it forward?

Hey cloud-services-team - this looks like a potential vulnerability. What mitigation approach do you want to take?

I’ve restored access for @Snwachukwu to WMF-NDA

Since there hasn’t been any recent activity on this task, the Security-Team plans to close it soon due to inactivity.

I have added @SLopes-WMF to acl*security_management .

Hey @Miriam and @Snwachukwu - how are you?

Hi @jsn.sherman - I have granted access to acl*security_developer .

Security Review Summary - T355161 - 2025-09-09
Last commit reviewed: 1a70f4d

From a security perspective, this is safe to deploy.

Hey - I got access to zendesk yesterday, so this can be resolved.

From a security perspective, this seems reasonable as long as it’s paired with the usual safeguards: short-lived tokens, proper key rotation, minimal claims, and good client validation guidance. It’s a common pattern across the industry.

They all look good to me!

From a security perspective, we support moving forward with adopting CSP policies for these microsites.

Supplemental announcement is out!