Member of the Security-Team. My user-sbassett board should be fairly up-to-date, though we also track some other work within Asana these days.
User Details
- User Since: Sep 12 2018, 3:52 PM (293 w, 11 h)
- Roles: Administrator
- Availability: Available
- IRC Nick: sbassett
- LDAP User: SBassett
- MediaWiki User: SBassett (WMF)
Wed, Apr 17
@tchin - Has this project been discussed across the WMF/Community? Especially with SRE, who would need to support deployments of services that will use this new template? I'm just trying to understand what kind of consensus exists for this being the de facto replacement for service-runner. I know we don't really have a functioning tech-decision-forum or RFC process at the moment (AIUI) but this seems like something that would be a good candidate for wider review.
Tue, Apr 16
We could likely still do a quick scan of the repo just to make sure there aren't any vulnerable dependencies, secret leaks or obvious issues from static analysis. The only other concern I might have is that the $wgNetworkSessionProviderUsers config obviously needs to be kept in a private repository or config somewhere (PrivateSettings.php, etc.).
Mon, Apr 15
Confirmed user has Phab MFA enabled:
Thu, Apr 11
This is done and has been reported via an internal Google sheet.
Hey @kostajh - Just wanted to check in and see if ext:IPReputation is ready for review or if you're planning any large, meaningful development cycles soon (and I should wait a bit). Thanks.
Fri, Apr 5
From a mostly AppSec perspective, I'd vote for CycloneDX. It's supported by the org I'm most familiar with (OWASP) and the tooling is far more robust, at least for now. Would it be a big deal for AppSec interests if we went with SPDX? Probably not, so I'd definitely need to qualify this as more of a light preference.
Thu, Apr 4
I'd like to add more tests, but the basic CLI is done now.
Tue, Apr 2
Since this skin isn't deployed or bundled, the vulnerability (and hopefully merged patch) will be (re)announced via the next supplemental security release: T361321.
Since this skin isn't deployed or bundled, the proposed patch can go through Gerrit at any time. It will be (re)announced via the next supplemental security release: T361321.
@elukey @Ladsgroup - Sounds like we can make this public now?