Member of the Security-Team. My user-sbassett board should be fairly up-to-date, though we also track some other work within Asana these days.
User Details
- User Since
- Sep 12 2018, 3:52 PM (306 w, 2 d)
- Roles
- Administrator
- Availability
- Available
- IRC Nick
- sbassett
- LDAP User
- SBassett
- MediaWiki User
- SBassett (WMF) [ Global Accounts ]
Yesterday
Just quickly running semgrep supply-chain against these codebases, it found that wikimedia/service-runner@master had two dependency vulnerabilities with undetermined reachability and that wikimedia/service-template-node@master had two dependency vulnerabilities with undetermined reachability and one with confirmed reachability.
I'd also note that the Vega dependency was the primary reason we disabled ext:Graph (twice). And that while Vega's expressions layer has since been hardened, it likely still poses more risk for our use-cases than other options.
Thu, Jul 25
@aude service-template-node is indeed quite dated and fairly unmaintained. And it would be difficult to recommend it for new projects, from a security perspective. Sadly, I don't think there has been consensus on a replacement option. It would be nice to consolidate around something as having a dozen new frameworks that essentially do the same thing is not ideal. You might want to reach out to @tchin as they have been working on at least one replacement option (T360924, T362774, et al).
Wed, Jul 24
Hey @Tgr - I'd like to set up an initial threat-modeling/concept-review session (or two) for this work with you and any other relevant folks, this quarter. Are there any other technical folks that you're aware of who would likely be helpful during or interested in participating in such exercises? Thanks.
I've confirmed this user has Phab MFA enabled:
Tue, Jul 23
Mon, Jul 22
Fri, Jul 19
Hey all - just back from jury duty. I don't have any major concerns with this and am inclined to rate it a low risk, unless @acooper has any additional concerns.
One minor note about this release: T363773#9971646
Anything here preventing this task from being made public? I'm not seeing anything but wanted to double-check.
Hey @mpopov - per the minutes from our recent quarterly review planning session, @acooper was going to follow up on this and a couple other review requests as it relates to acceptance and scheduling.
I assume we can make this task public now, since the fixes were handled publicly in gerrit and are now merged? This issue will be reannounced within the next supplemental security release, due out around September 30th, 2024.
@Mstyles - I'd like to attend the meeting if it works with my schedule. Can you send me an invite?
Tue, Jul 16
Wed, Jul 3
Tue, Jul 2
Mon, Jul 1
Fri, Jun 28
Write-up of some of this quarter's work is here: T335892#9936225
Hey all -
I've gone ahead and made T366554 public as, at worst, I think it's a low-risk issue.
Thu, Jun 27
Jun 26 2024
Jun 25 2024
Jun 24 2024
Example of a template keeping track of cumulative bash error codes: https://gitlab.wikimedia.org/repos/security/gitlab-ci-security-templates/-/blob/7102fe1332c371f52d5e0800701d60a81a7e104c/php-security-checker/php-security-checker-ci.yml#L24-L70
@Chocapikk1337 - you've now been added to our hall of fame: https://security.wikimedia.org/hall-of-fame/
Stalled on completion date. If that's not proper, we can set the status to something else. The Security-Team also has a calendar invite set for this next year.
Jun 21 2024
Jun 20 2024
Jun 17 2024
Security Review Summary - T360070 - 2024-06-17
Last commit reviewed: be78eb0148
For active, I was just meaning "not archived", per gerrit's definition.
Jun 14 2024
Quick update on this: I plan to post the review next Monday or Tuesday (2024-06-16 or 2024-06-18). I haven't really found anything concerning at all.
Ok, if we can keep it simple but all-encompassing, then I'd probably go with something like: "Any active code repository hosted under gerrit.wikimedia.org, gitlab.wikimedia.org or github.com/wikimedia that is not a fork of an upstream project or otherwise unmaintained by the WMF or Wikimedia Community".
At the very least I think we'd also want to include MediaWiki skins (as opposed to just extensions) since WMF folks are largely the maintainers of Vector et al. Personally, I think we'd also want to include things like the various Wikimedia microservices that support some production-deployed MediaWiki extensions, etc. as we are pretty much the sole maintainers of those. Beyond that, we do write a lot of additional, proprietary Wikimedia code (SRE, Data Engineering, etc.) but we've never traditionally requested many CVEs for many of those codebases, so maybe we aren't worried about those as much. I'd also prefer to at least have the ability to issue CVEs for non-Wikimedia-deployed extensions and skins, as many of those comprise the quarterly supplemental security releases that we still manage.