Sat, Jun 22
The weekly security deployment window is 21:00–23:00 UTC. If it can wait until then (I'd guess it could?) @Reedy or I can deploy it.
@JJMC89 - Given how this was done and @Bawolff's note about it only being a temporary mitigation to be reverted after a week (back when it was implemented on December 29th, 2018), I believe fe72284c5920 should be reverted. As for changing wgAccountCreationThrottle from 6 to 10 - the rate of 6 has been in place for quite a long time, it seems: 015f5b7131ee. I have no idea what the wisdom was behind that change (long before my time), but IMO I'd think it better to be cautious and limit such a change to enwiki only, for now, if it were decided that a rate of 6 wasn't sufficient for the account creator rights discussion.
Fri, Jun 21
Apologies for the delay on a response to this issue. Due to an ongoing security incident, certain IP ranges continue to be restricted from accessing various Wikimedia development tools. We realize the incredible inconvenience this places upon legitimate Wikimedia developers affected by these restrictions, but we cannot provide a date by which these restrictions will be removed at this time. In the interim, we can offer a couple of workarounds:
@WMDE-leszek limited deployment on test.wikipedia.org of the Termbox service should be fine. Just out of curiosity, is there a more long-term deployment strategy and timeline for rolling out the Termbox service on anything outside of test/beta wikis and wikidata.org?
@Daimona @Jdforrester-WMF - apologies for the disappearing act from the Security-Team on this. @Bawolff and I have been working through some of the outstanding patch sets in Gerrit for the plugin and hope to make good progress on them this week and next. I'm optimistic we can have a proper 2.x release once that work is completed and have it ready for CI shortly after that. I'll plan to provide another update here next week.
Tue, Jun 18
@revi - I think you can just sign up with an email, Google or GitHub account here: https://wikimedia.zulipchat.com/register/. Once you have an account, we should set up a stewards/secteam channel and try to add everyone else.
Mon, Jun 17
Ok, thanks, @srishakatux!
@Aklapper - just registered one w/ my wikimedia.org email address.
@chasemp @revi @Aklapper - just FYI, we're still actively discussing this within the stewards/Security-Team conpherence chat. Could someone on the Security-Team get administrative access to Zulip so that we could set up a secure test chat there to evaluate as an alternative? Or can I file a bug for someone with Zulip admin access to do that? Right now, Zulip seems like it might be the most promising alternative for the stewards/Security-Team use case.
Thu, Jun 13
Wed, Jun 12
The Security-Team is fine with this from a conceptual point of view. I'm going to resolve this task for now in favor of the incoming MW REST API and Parsoid-PHP security review requests to be submitted by @EvanProdromou and @ssastry, respectively.
Tue, Jun 11
@WMDE-leszek, @RazShuty - update: @JBennett is currently reviewing the risk ownership and risk register entry for this project. We should have an update on how the Security-Team would like to proceed with this shortly. In the meantime, if this is blocking deployment or anything else, please let me know on-task. Thanks for your patience.
@Eevans - I'm not seeing anything for this particular review, though I might dig a little deeper into the code and attempt some dynamic-scanning this week, as mentioned in T219831#5173498. But none of this should block resolving the task or deployment IMO.