Jun 25 2021
For context, the privacy engineering audit regarding the wiki-replicas is part of a body of work that is being done internally by the Security team. But I concur that a parent public ticket would have made sense too. I’ll keep that in mind moving forward.
Jun 14 2021
May 12 2021
I had the chance to sync directly with @Varnent who's in charge of those platforms, and I surfaced the solutions proposed above. So far, applying the CSP change at the Nginx server level on WordPress VIP does not seem to be an option. Instead, disabling Twemoji.js through a WordPress plugin would be the applicable solution. The Security-Team is supportive of this approach, which was suggested earlier in this thread and has already been used on the techblog (Cf: 4447d8f).
May 4 2021
Apr 26 2021
Apr 23 2021
Apr 19 2021
I would be grateful if you could clarify what you are requesting/expecting. Are you suggesting that those gadgets be taken down, or that their authors be required to draft an on-wiki heads-up, for instance on the widget's talk page? Or is it something else entirely that you're asking for?
Apr 15 2021
Apr 9 2021
Originally I was interested in having the risk rating field added to New Task. However, while looking at the tickets you referenced, I could see that the Security Type Advanced form (73) already has the Security rating field, although it seems to be locked at the moment.
Apr 8 2021
Apr 6 2021
I completed a prototype with basic filtering options. For now, one can filter by project (tag), year when the ticket was created, and severity. The code base is available at https://github.com/samuelguebo/vm-dashboard. It's public for now since there are no credentials or sensitive data there but I'm glad to make it private if there are any objections.
Apr 2 2021
Thanks @Reedy, I intend to use Phabricator's Python library since it's pretty straightforward.
I guess I can grab the token with you once you've gotten the chance to create it.
For now, I think we can make this public. If it becomes necessary to include sensitive data here, directly within the task, we can always protect it again.
Thanks for chiming in.
Some initial tests with Conduit endpoints
Pulling the Phabricator ID (PHID) of all tags starting with the Vuln- keyword (the api-token value is a placeholder for a real Conduit API token; the bracketed constraint is quoted so the shell does not treat it as a glob):
curl https://phabricator.wikimedia.org/api/project.search \
  -d api.token=api-token \
  -d 'constraints[name]=Vuln-'
Mar 9 2021
Mar 8 2021
Hey @sbassett, thanks for creating this and having checked a bunch of boxes already.
- I think I still need to ping a Phab admin to add me to acl*security_team.
- I wasn't sure about the Deployment & stats private data part, since per https://github.com/wikimedia/puppet/blob/5dca2a73bba83ad469a20cc38e0d0c15761befa3/modules/admin/data/data.yaml it seems I am already within the analytics_privatedata_users and deployment groups — restricted being a subset of deployment.
- I'll figure out how to enable the word highlighting for my IRC client (Limechat)
Nov 18 2020
Nov 5 2020
Oct 6 2020
Sep 25 2020
Handled through ca@
Jul 27 2020
Thanks again for the patch. While he can access the stats server (stat1005.eqiad.wmnet), Nahid is not able to access the maintenance server.
Jul 24 2020
2FA is now removed from the account User:Nabin K. Sapkota
Jul 6 2020
Jul 3 2020
Jul 2 2020
Jun 30 2020
Jun 11 2020
No worries, @elukey. Many thanks for your assistance!
May 29 2020
Feb 18 2020
Feb 11 2020
Dec 17 2019
Sep 20 2019
Sep 19 2019
Hey @Pchelolo, do we know whether the patch might be merged soon? Thanks for the work there.
Aug 29 2019
Jul 26 2019
Apr 11 2019
Mar 4 2019
@Aklapper: Yes, I realized it shortly after my previous comment. I handled it myself. Sorry for the confusion :)
Dec 20 2018
Thanks very much for your invaluable support, @Quiddity!
Nov 7 2018
Aug 31 2018
Hi @ArielGlenn, the access works just fine. Thanks!
Aug 22 2018
Hi @RobH, I hereby confirm that I am the one who generated the key below: