Page MenuHomePhabricator

tstarling (Tim Starling)
UserAdministrator

Today

  • Clear sailing ahead.

Tomorrow

  • Clear sailing ahead.

Sunday

  • Clear sailing ahead.

User Details

User Since
Oct 15 2014, 8:27 PM (314 w, 1 d)
Roles
Administrator
Availability
Available
LDAP User
Tim Starling
MediaWiki User
Tim Starling (WMF) [ Global Accounts ]

Recent Activity

Wed, Oct 21

tstarling moved T239742: Should npm packages maintained by Wikimedia be scoped or unscoped? from Inbox to Watching on the TechCom board.
Wed, Oct 21, 8:09 PM · TechCom, Platform Engineering (Icebox), Readers-Web-Backlog (Tracking), Release-Engineering-Team-TODO, Front-end-Standards-Group, Product-Infrastructure-Team-Backlog

Tue, Oct 20

tstarling added a comment to T253673: Avoid php-opcache corruption in WMF production.

My idea for detection/prevention of opcache corruption is to use a memory protection key to do essentially what opcache.protect_memory=1 does, but fast enough for it to be always enabled in production.

Tue, Oct 20, 10:51 PM · User-jijiki, Patch-For-Review, Sustainability (Incident Followup), Performance-Team, serviceops
tstarling added a comment to T263437: Allow easier ICU transitions in MediaWiki.

We could use Shellbox RPC (plus a cache) to provide the sort key from a different version of PHP/ICU. That would make the T37378 approach more feasible. MediaWiki would write both collations on edit/refreshlinks, and there would also be a script running writing the same thing.

Tue, Oct 20, 4:55 AM · Platform Engineering, MediaWiki-General, Operations
tstarling added a comment to T263437: Allow easier ICU transitions in MediaWiki.

The way it worked in T37378 was to include cl_collation in the primary key. So the data in the table was duplicated, but with cl_sortkey depending on cl_collation. I think it would have worked, it's just that the ball was dropped during code review. The catch with this is that LinksUpdate will drop rows for collations it doesn't know about. The work of the script would be partially undone by edits between the start of the script execution and the PHP version switch. We would either have to put up with that, or have a special-case hack in LinksUpdate::doIncrementalUpdate(), or PHP would have to be linked against multiple versions of ICU so that MediaWiki can insert rows for all collation versions simultaneously.

Tue, Oct 20, 4:30 AM · Platform Engineering, MediaWiki-General, Operations

Thu, Oct 15

tstarling added a comment to T263816: Provide direct access to a Guzzle HTTP client.

I should note that I haven't actually tested and confirmed correct streaming behaviour in Guzzle, but I'm pretty sure it will work, based on the code and docs.

Thu, Oct 15, 9:24 PM · Patch-For-Review, Platform Team Workboards (Clinic Duty Team), MediaWiki-libs-HTTP, MW-on-K8s

Mon, Oct 12

tstarling added a comment to T265164: Evaluate usage of MediaWiki-Vagrant by technical contributors.

I responded "I tried it but it never worked well", which is not exactly right. I know that different people have different needs and goals for a development environment and I don't mean to criticize Vagrant. I just prefer things to be lightweight and simple. I have a single systemd-nspawn container running all relevant services, which I administer directly. If I want to configure Apache, I just edit the Apache configuration files. That works for me.

Mon, Oct 12, 4:45 AM · User-bd808, MediaWiki-Vagrant

Tue, Oct 6

tstarling added a comment to T263816: Provide direct access to a Guzzle HTTP client.

The reason it needs a GuzzleHttp\Client not a GuzzleHttpRequest is, as I said in the task description, because it needs response streaming. The WIP patch is already using a GuzzleHttpRequest, but GuzzleHttpRequest finishes reading the response before it returns. It can take a write callback, but control is inverted compared to Guzzle which allows the caller to pull from the response stream. The multipart reader I wrote assumes this control direction, which is convenient and consistent with PSR-7.

Tue, Oct 6, 1:11 AM · Patch-For-Review, Platform Team Workboards (Clinic Duty Team), MediaWiki-libs-HTTP, MW-on-K8s

Sat, Sep 26

tstarling updated subscribers of T260827: Investigate/trace rebuildLocalisationCache process for MW containerization.

MessageBlobStore was @Catrope's work, he added this feature to rebuildLocalisationCache in 2010, so he can probably explain better than I can.

Sat, Sep 26, 1:40 AM · Release-Engineering-Team-TODO (2020-10-01 to 2020-12-31 (Q2)), Release-Engineering-Team (Pipeline)

Fri, Sep 25

tstarling added a comment to T260330: RFC: PHP microservice for containerized shell execution.

I uploaded the Score changes to give you an idea of what a moderately complex caller looks like in practice. It's lightly tested but seems to work for me.

Fri, Sep 25, 6:32 AM · MW-on-K8s, Patch-For-Review, TechCom-RFC, serviceops, Operations
tstarling added a project to T263816: Provide direct access to a Guzzle HTTP client: Platform Engineering.
Fri, Sep 25, 12:14 AM · Patch-For-Review, Platform Team Workboards (Clinic Duty Team), MediaWiki-libs-HTTP, MW-on-K8s
tstarling created T263816: Provide direct access to a Guzzle HTTP client.
Fri, Sep 25, 12:14 AM · Patch-For-Review, Platform Team Workboards (Clinic Duty Team), MediaWiki-libs-HTTP, MW-on-K8s

Thu, Sep 24

tstarling updated the task description for T260330: RFC: PHP microservice for containerized shell execution.
Thu, Sep 24, 11:56 PM · MW-on-K8s, Patch-For-Review, TechCom-RFC, serviceops, Operations

Wed, Sep 23

tstarling removed a project from T263129: Memory leak in luasandbox during Lua table to PHP array data conversion: Contributors-Team.

I reviewed it. I'll untag Contributors-Team since I don't think there's anyone there who can help with this. The maintainer column for Scribunto is closer to the actual list of people who can review this kind of change. Once it is merged, I'll tag some people for help with the Debian release. I'll also need to release it to PECL, I'm the only maintainer there.

Wed, Sep 23, 10:39 PM · LuaSandbox

Sep 23 2020

tstarling updated subscribers of T263545: Decide on logging in k8s for ShellBox.

@Joe says that application logs can go to logstash while php-fpm error logs will go to k8s. I want to say that the simplest way to send application logs to logstash is to use the logToClient option, which serializes log entries and sends them back to MediaWiki. This way, the configuration stays the same, and we don't need to port MediaWiki's custom logstash formatter. You lose log messages generated after the response is sent, but currently that's just temporary directory teardown failures which probably don't matter. For php-fpm error logs, we can start it with "php-fpm -F 2>&1", then logs go to php-fpm's stderr which is redirected to k8s's stdout.

Sep 23 2020, 8:32 AM · MW-on-K8s, serviceops, Operations
tstarling removed a project from T263545: Decide on logging in k8s for ShellBox: TechCom-RFC.
Sep 23 2020, 1:46 AM · MW-on-K8s, serviceops, Operations
tstarling added a comment to T263545: Decide on logging in k8s for ShellBox.

https://pracucci.com/php-on-kubernetes-application-logging-via-unix-pipe.html provides two options for how php-fit could be set up to get the logs from worker processes.

Sep 23 2020, 12:11 AM · MW-on-K8s, serviceops, Operations

Sep 18 2020

tstarling added a comment to T260330: RFC: PHP microservice for containerized shell execution.

I didn't see any shell pipelines in your caller survey and can't think of any off hand - is this a usecase we need to support?

Sep 18 2020, 12:38 AM · MW-on-K8s, Patch-For-Review, TechCom-RFC, serviceops, Operations

Sep 17 2020

tstarling added a comment to T100106: Replace Kaltura player with Video.js.

One possible solution is for Score to drop TMH support. Instead we can just play an MP3 directly with <audio controls>.

Sep 17 2020, 6:45 AM · MW-1.36-notes (1.36.0-wmf.11; 2020-09-29), Patch-For-Review, VideoJS player, Performance-Team (Radar), MW-1.34-notes (1.34.0-wmf.13; 2019-07-09), Epic, Multimedia, Wikimedia-Video, Wikimedia-Hackathon-2015
tstarling added a comment to T100106: Replace Kaltura player with Video.js.

The Score extension is broken by this change in multiple ways. It shows a fake player off to the right of the score (T226910), which gives a JS fatal error when clicked. If I set the file option to a fake file and wrap the output in a div, it kind of works, but a 500x350 popup obscuring the document is not appropriate for this use case. Obscuring the score while playing the audio defeats the purpose.

Sep 17 2020, 6:22 AM · MW-1.36-notes (1.36.0-wmf.11; 2020-09-29), Patch-For-Review, VideoJS player, Performance-Team (Radar), MW-1.34-notes (1.34.0-wmf.13; 2019-07-09), Epic, Multimedia, Wikimedia-Video, Wikimedia-Hackathon-2015
tstarling added a comment to T49799: Scribunto should allow coroutines in Lua.

I would accept a contributed review if it looks rigorous. I'm just looking for someone to read the source and comment on potential vulnerabilities. For example:

Sep 17 2020, 4:27 AM · Patch-For-Review, MediaWiki-extensions-Scribunto
tstarling added a comment to T49799: Scribunto should allow coroutines in Lua.

If the point is just to enable the coroutine module then the proposed change seems unnecessarily complex. As far as I'm concerned, coroutine can be enabled if it passes a security review. If it can't pass a security review, allowing users to enable it via php.ini seems imprudent. If it can pass a security review, then it can be enabled everywhere.

Sep 17 2020, 2:55 AM · Patch-For-Review, MediaWiki-extensions-Scribunto

Sep 16 2020

tstarling added a comment to T262900: Rebuilding l10n cache fails for train.

Reproduced locally and confirmed the fix by faking part of the call stack:

Sep 16 2020, 5:05 AM · MW-1.35-notes, MW-1.34-notes, Patch-For-Review, MW-1.36-notes (1.36.0-wmf.9; 2020-09-15), Platform Team Workboards (Clinic Duty Team), User-brennen, MediaWiki-extensions-Gadgets, Wikimedia-production-error
tstarling added a comment to T262900: Rebuilding l10n cache fails for train.

This is very similar to T231866. The fix for that bug was committed in December 2019 https://gerrit.wikimedia.org/r/c/mediawiki/core/+/553170 . But that fixed the code in ServiceWiring.php without fixing the duplicated code in rebuildLocalisationCache.php. So I will apply the same fix to rebuildLocalisationCache.php.

Sep 16 2020, 4:48 AM · MW-1.35-notes, MW-1.34-notes, Patch-For-Review, MW-1.36-notes (1.36.0-wmf.9; 2020-09-15), Platform Team Workboards (Clinic Duty Team), User-brennen, MediaWiki-extensions-Gadgets, Wikimedia-production-error
tstarling added a comment to T262900: Rebuilding l10n cache fails for train.

I was able to reproduce it by first erasing the gadgets-definition cache:

Sep 16 2020, 4:33 AM · MW-1.35-notes, MW-1.34-notes, Patch-For-Review, MW-1.36-notes (1.36.0-wmf.9; 2020-09-15), Platform Team Workboards (Clinic Duty Team), User-brennen, MediaWiki-extensions-Gadgets, Wikimedia-production-error
tstarling added a comment to T262900: Rebuilding l10n cache fails for train.

I tried to reproduce this on mwdeploy1001 but it didn't work. I changed /srv/mediawiki/wikiversions.php and then ran

Sep 16 2020, 4:22 AM · MW-1.35-notes, MW-1.34-notes, Patch-For-Review, MW-1.36-notes (1.36.0-wmf.9; 2020-09-15), Platform Team Workboards (Clinic Duty Team), User-brennen, MediaWiki-extensions-Gadgets, Wikimedia-production-error

Sep 14 2020

tstarling added a comment to T260330: RFC: PHP microservice for containerized shell execution.

An open question is what to do about shell pipelines. Currently if you do Shell::command()->unsafeParams('foo|bar') then foo will run under firejail and bar will run unsandboxed. Maybe that's accidental? We could do firejail sh -c "foo|bar" but that doesn't work with NO_EXEC. We could parse the command line and disallow pipelines and lists in BoxedCommand, but that would probably lead to non-portable code as people set up their own shell wrappers. Or we could parse the command line and run each component separately under firejail, but that's the most work, and I'm not sure if anything really needs it. Or we could leave it as it is.

Sep 14 2020, 12:41 PM · MW-on-K8s, Patch-For-Review, TechCom-RFC, serviceops, Operations

Sep 10 2020

tstarling added a comment to T260330: RFC: PHP microservice for containerized shell execution.

Regarding restrictions again. I'm not a big fan of Firejail after my recent code review and bug reports, so I'm looking at the restriction options with a view to making them independent of the sandboxing system. Shell::SECCOMP is awkward in this respect since it disables a firejail-specific set of syscalls. It also also implies no_new_privs, disabling setuid-root executables, which seems like it should be a separate option.

Sep 10 2020, 2:19 AM · MW-on-K8s, Patch-For-Review, TechCom-RFC, serviceops, Operations
tstarling added a comment to T260330: RFC: PHP microservice for containerized shell execution.

Note that Shellbox depends on monolog and core will depend on shellbox, so this will make core indirectly depend on monolog. In core at the moment, monolog is optional (although it's a dev dependency). I think loose integration between core's LoggerFactory and monolog is the source of a lot of nuisances, so I'm happy to add it as a core dependency, as part of a plan to more tightly integrate core's logging with monolog in future. Monolog is fairly large (6 kloc) but doesn't have any secondary dependencies.

Sep 10 2020, 12:44 AM · MW-on-K8s, Patch-For-Review, TechCom-RFC, serviceops, Operations

Sep 9 2020

tstarling moved T260330: RFC: PHP microservice for containerized shell execution from P1: Define to P4: Tune on the TechCom-RFC board.
Sep 9 2020, 8:59 PM · MW-on-K8s, Patch-For-Review, TechCom-RFC, serviceops, Operations
tstarling added a comment to T262364: Firejail fails due to blacklist of /run.

I figured out a workaround, patch will be up shortly.

Sep 9 2020, 2:31 AM · MW-1.35-notes, MW-1.36-notes (1.36.0-wmf.11; 2020-09-29), MediaWiki-Shell
tstarling added a comment to T260330: RFC: PHP microservice for containerized shell execution.

One outstanding question is what to do about the restrictions bitfield. In production, firejail will be disabled and restrictions will be ignored. But in other situations, presumably some effort should be made to respect them. Obviously NO_LOCALSETTINGS doesn't make sense, so the new wrapper in MediaWiki will respond to that by adding LocalSettings.php to a blacklist array.

Sep 9 2020, 2:12 AM · MW-on-K8s, Patch-For-Review, TechCom-RFC, serviceops, Operations
tstarling created T262364: Firejail fails due to blacklist of /run.
Sep 9 2020, 1:23 AM · MW-1.35-notes, MW-1.36-notes (1.36.0-wmf.11; 2020-09-29), MediaWiki-Shell

Sep 2 2020

tstarling added a comment to T251661: TOTP throttle not enforced cross-wiki (CVE-2020-25827).

Copying a comment by @Krinkle from Gerrit:

Wiki farms may have multiple realms of users. As is the case at WMF. This would cause non-CA users to share limits with unrelated users. Auto manager and User have primitives we should use for this. Maybe central user id.

I'm not familiar with the primitives Krinkle is referring to, but central user ID would be possible if we introduced a hook into core that allowed an extension to replace the main user name with something more reliable to use as a global identity to represent the user. Though for the special case of login, I'm somewhat reluctant to tie anything to a user ID, since no user has been authenticated yet.

On the patch, I replied that I believe "global per name" semantics is good enough, even though it's not perfect. I'll see if I can come up with a hook that would move it closer to perfect.

Sep 2 2020, 4:38 AM · MW-1.36-notes (1.36.0-wmf.8; 2020-09-08), Platform Team Workboards (Clinic Duty Team), MediaWiki-extensions-OATHAuth, MediaWiki-Authentication-and-authorization, Security, Security-Team

Aug 28 2020

tstarling updated the task description for T260330: RFC: PHP microservice for containerized shell execution.
Aug 28 2020, 5:19 AM · MW-on-K8s, Patch-For-Review, TechCom-RFC, serviceops, Operations

Aug 27 2020

tstarling added a comment to T260330: RFC: PHP microservice for containerized shell execution.

Task description edit:

  • Changed the file API again as discussed
  • Stopped describing BoxedCommand as a subclass of Command and explained why that doesn't quite work.
  • Proposed passing $this to Executor since passing each variable as a separate formal parameter is tedious and harder to maintain. We can just have accessors in BoxedCommand.
  • Mentioned the PHP call endpoint.
Aug 27 2020, 1:07 AM · MW-on-K8s, Patch-For-Review, TechCom-RFC, serviceops, Operations
tstarling created T261369: Deployment infrastructure for PHP microservices.
Aug 27 2020, 1:03 AM · MW-on-K8s, Release-Engineering-Team (Pipeline), Release Pipeline (Blubber), serviceops, Operations
tstarling renamed T260330: RFC: PHP microservice for containerized shell execution from PHP microservice for containerized shell execution to RFC: PHP microservice for containerized shell execution.
Aug 27 2020, 12:56 AM · MW-on-K8s, Patch-For-Review, TechCom-RFC, serviceops, Operations

Aug 26 2020

tstarling added a comment to T199989: Pygmentize times out on Windows.

The solution used in Phabricator, which I found via https://secure.phabricator.com/T11105 , is to redirect stdout and stderr to temporary files.

Aug 26 2020, 11:06 AM · SyntaxHighlight
tstarling added a comment to T199989: Pygmentize times out on Windows.

I can reproduce this in eval.php using echo_333333_stars.php from https://gerrit.wikimedia.org/r/c/mediawiki/core/+/471885/ . The problem is that stream_select() returns 3, with all pipes supposedly ready, but they're not really ready. Reading from stdout will give you as many bytes as you ask for, but reading from stderr blocks forever. If you fully drain stdout, then reading from stderr gives you an empty string instead of blocking.

Aug 26 2020, 6:33 AM · SyntaxHighlight

Aug 25 2020

tstarling added a comment to T260330: RFC: PHP microservice for containerized shell execution.

Has anyone got an idea for giving the HMAC key to the server without allowing the command to have access to it? Otherwise an attacker can use a command to exfiltrate the key and then spoof requests. If it's not possible, maybe we should think about asymmetric encryption.

Aug 25 2020, 4:37 AM · MW-on-K8s, Patch-For-Review, TechCom-RFC, serviceops, Operations

Aug 24 2020

tstarling added a comment to T260330: RFC: PHP microservice for containerized shell execution.

OK, I'm adding PHP execution to the service.

Am I correct to assume that the PHP execution mode will just be a shorthand for something like php -r 'echo "Hello";'?

Aug 24 2020, 11:21 AM · MW-on-K8s, Patch-For-Review, TechCom-RFC, serviceops, Operations
Ltrlg awarded T214998: RFC: Remove .m. subdomain, serve mobile and desktop variants through the same URL a Love token.
Aug 24 2020, 10:34 AM · MobileFrontend (Tracking), TechCom-RFC, Readers-Web-Backlog (Tracking), Traffic, Operations

Aug 23 2020

Majavah awarded T214998: RFC: Remove .m. subdomain, serve mobile and desktop variants through the same URL a Like token.
Aug 23 2020, 6:48 PM · MobileFrontend (Tracking), TechCom-RFC, Readers-Web-Backlog (Tracking), Traffic, Operations
Mobiledesktop awarded T214998: RFC: Remove .m. subdomain, serve mobile and desktop variants through the same URL a Like token.
Aug 23 2020, 6:46 PM · MobileFrontend (Tracking), TechCom-RFC, Readers-Web-Backlog (Tracking), Traffic, Operations
Mobiledesktop awarded T214998: RFC: Remove .m. subdomain, serve mobile and desktop variants through the same URL a Like token.
Aug 23 2020, 6:45 PM · MobileFrontend (Tracking), TechCom-RFC, Readers-Web-Backlog (Tracking), Traffic, Operations

Aug 21 2020

Daimona awarded T6845: CAPTCHA doesn't work for people with visual impairments a Love token.
Aug 21 2020, 12:03 PM · Security, ConfirmEdit (CAPTCHA extension), Accessibility, Design, WCAG-Level-A
tstarling added a comment to T260330: RFC: PHP microservice for containerized shell execution.

I'm reconsidering the layout abstraction I had planned, with inputs/ and outputs/ subdirectories under the working directory. It's simpler to allow slashes in filenames and to allow files to go anywhere under the working directory. So you could have

Aug 21 2020, 6:36 AM · MW-on-K8s, Patch-For-Review, TechCom-RFC, serviceops, Operations
tstarling updated the task description for T260330: RFC: PHP microservice for containerized shell execution.
Aug 21 2020, 6:21 AM · MW-on-K8s, Patch-For-Review, TechCom-RFC, serviceops, Operations
tstarling added a comment to T240884: RFC: How to evaluate user-provided regular expressions.

OK, I'm adding PHP execution to the service.

Aug 21 2020, 5:32 AM · User-Addshore, TechCom-RFC, Wikidata
tstarling added a comment to T260330: RFC: PHP microservice for containerized shell execution.
  • The service will be executed as user nobody
Aug 21 2020, 2:18 AM · MW-on-K8s, Patch-For-Review, TechCom-RFC, serviceops, Operations

Aug 20 2020

tstarling added a comment to T260330: RFC: PHP microservice for containerized shell execution.

From what I understand, the service will run inside the sandbox, and eval() can be done in this service with relative safety. I planned on having eval() in there for another reason: I'm considering allowing callers to subclass BoxedCommand. However @Joe was not a fan of this idea. We won't be providing a full MediaWiki install inside the sandbox, with autoloading, so there is a risk of development and production instances working differently if the default in development will be local in-process execution.

Aug 20 2020, 7:06 AM · MW-on-K8s, Patch-For-Review, TechCom-RFC, serviceops, Operations
tstarling added a comment to T206957: /usr/bin/timeout causing ffmpeg to hang indefinitely when running video transcoding jobs.

I was able to reproduce this. It stops with SIGTTOU when it calls tcsetattr() on stdin. gdb identifies the caller:

Aug 20 2020, 5:32 AM · MW-1.36-notes (1.36.0-wmf.10; 2020-09-22), Patch-For-Review, TimedMediaHandler-Transcode, MediaWiki-Shell

Aug 19 2020

Addshore awarded T260330: RFC: PHP microservice for containerized shell execution a Like token.
Aug 19 2020, 3:05 PM · MW-on-K8s, Patch-For-Review, TechCom-RFC, serviceops, Operations
tstarling added a comment to T240884: RFC: How to evaluate user-provided regular expressions.

I wonder if T260330: RFC: PHP microservice for containerized shell execution could be used for this? (That task is apparently now in progress.)

Aug 19 2020, 2:43 PM · User-Addshore, TechCom-RFC, Wikidata
tstarling added a comment to T260330: RFC: PHP microservice for containerized shell execution.

Then, if the command execution exceeds the value set with setTimeLimit(), the command execution is halted and $result is set to an error code so the caller knows the result is due to the time limit being exceeded.

Aug 19 2020, 12:57 PM · MW-on-K8s, Patch-For-Review, TechCom-RFC, serviceops, Operations
Krinkle awarded T260504: Get rid of remaining non-Thumbor MediaWiki image scaling in WMF production a Orange Medal token.
Aug 19 2020, 1:19 AM · Performance-Team (Radar), Platform Engineering, Thumbor
tstarling updated the task description for T260330: RFC: PHP microservice for containerized shell execution.
Aug 19 2020, 12:37 AM · MW-on-K8s, Patch-For-Review, TechCom-RFC, serviceops, Operations

Aug 18 2020

tstarling claimed T260330: RFC: PHP microservice for containerized shell execution.

Assigning to myself since implementation work is underway.

Aug 18 2020, 10:30 AM · MW-on-K8s, Patch-For-Review, TechCom-RFC, serviceops, Operations
tstarling raised the priority of T260330: RFC: PHP microservice for containerized shell execution from Medium to Needs Triage.
Aug 18 2020, 10:27 AM · MW-on-K8s, Patch-For-Review, TechCom-RFC, serviceops, Operations

Aug 17 2020

tstarling closed T250248: Fast stale ParserCache responses on PoolCounter contention as Resolved.
Aug 17 2020, 10:03 PM · Platform Team Sprints Board (Sprint 1), Patch-For-Review, MW-1.35-notes (1.35.0-wmf.36; 2020-06-09), Platform Team Workboards (Clinic Duty Team), MediaWiki-Parser
tstarling created T260504: Get rid of remaining non-Thumbor MediaWiki image scaling in WMF production.
Aug 17 2020, 12:28 AM · Performance-Team (Radar), Platform Engineering, Thumbor

Aug 16 2020

tstarling added a comment to T214021: Enable uploads for LilyPond (.ly) and ABC (.abc) files on Commons.

Download of .ly files should not be allowed unless there is a change in security policy from the LilyPond developers. LilyPond files trivially allow arbitrary execution when they are rendered by end users. Safe mode is supposed to prevent that, but it is not the default and is not recommended in the manual. In conversations relating to the recently discovered safe mode escape vulnerabilities (T258547, T259210, T260225), the developers stated that safe mode escape vulnerabilities are unsurprising, and that they consider that only OS-level containerization to be sufficient. But this level of isolation is beyond the abilities of ordinary end users.

Aug 16 2020, 11:35 PM · MediaWiki-extensions-Score, Commons

Aug 14 2020

tstarling added a comment to T136603: Update limit.sh to support systemd-based cgroup management.

MemoryLimit is now a deprecated property. The documentation in stretch and buster recommends using MemoryHigh, which causes processes to be "heavily slowed down and memory is taken away aggressively", and MemoryMax, which invokes the oom-killer.

Aug 14 2020, 2:04 AM · MediaWiki-Shell, Operations

Aug 13 2020

tstarling added a comment to T259518: Decide how JOIN tables should be mentioned in IDatabase::select().

It's simpler to require the table to be in $table. The table name in $join_conds is really just the alias, i.e. the key in the $table array. There's no other place to put the actual table expression besides $table. If everyone just used SelectQueryBuilder, there would be no problem: it doesn't have this ambiguity.

Aug 13 2020, 9:15 PM · Patch-For-Review, MW-1.36-notes (1.36.0-wmf.5; 2020-08-18), Platform Team Workboards (Clinic Duty Team), Wikimedia-Rdbms
tstarling created T260330: RFC: PHP microservice for containerized shell execution.
Aug 13 2020, 7:38 AM · MW-on-K8s, Patch-For-Review, TechCom-RFC, serviceops, Operations

Aug 12 2020

tstarling added a comment to T243462: Archive the FormPreloadPostCache extension.

I think it was an idea for solving a fundraising-related problem. They were using $wgRawHtml for delivering PayPal donation forms at the time. The first three commits show that it was a single day of work for me in 2007, but glaring bugs prove that it was never deployed. It can be archived.

Aug 12 2020, 11:21 PM · Patch-For-Review, User-Kizule, translatewiki.net, MediaWiki-extensions-Other, Wikimedia-GitHub, Diffusion-Repository-Administrators, Projects-Cleanup

Aug 11 2020

tstarling added a comment to T258851: New hook system not compatible with how the web installer expects LoadExtensionSchemaUpdates to work.

How about an option to HookContainer::run() that prevents a hook handler from having service dependencies? I'll submit a WIP patch along these lines.

Sounds good to me. Do you think you could do that in time for backporting to 1.35? I'll implement the web installer part then.

Aug 11 2020, 4:35 AM · MW-1.36-notes (1.36.0-wmf.10; 2020-09-22), MediaWiki-Installer, MediaWiki-Core-Hooks

Aug 10 2020

tstarling added a comment to T258851: New hook system not compatible with how the web installer expects LoadExtensionSchemaUpdates to work.

Of course, I would also support T258852. I just don't like the idea of a hook that only works with the old hooks system.

Aug 10 2020, 5:33 AM · MW-1.36-notes (1.36.0-wmf.10; 2020-09-22), MediaWiki-Installer, MediaWiki-Core-Hooks
tstarling closed T255842: Restoring default settings is not working in all wikis as Resolved.
Aug 10 2020, 4:09 AM · MW-1.35-notes, MW-1.36-notes (1.36.0-wmf.4; 2020-08-11), Platform Team Workboards (Clinic Duty Team), Contributors-Team, Tech-Ambassadors, Beta-Cluster-reproducible, Regression, MediaWiki-User-preferences
tstarling added a comment to T258851: New hook system not compatible with how the web installer expects LoadExtensionSchemaUpdates to work.

How about an option to HookContainer::run() that prevents a hook handler from having service dependencies? I'll submit a WIP patch along these lines.

Aug 10 2020, 12:23 AM · MW-1.36-notes (1.36.0-wmf.10; 2020-09-22), MediaWiki-Installer, MediaWiki-Core-Hooks

Aug 6 2020

aaron awarded T250248: Fast stale ParserCache responses on PoolCounter contention a Yellow Medal token.
Aug 6 2020, 10:01 PM · Platform Team Sprints Board (Sprint 1), Patch-For-Review, MW-1.35-notes (1.35.0-wmf.36; 2020-06-09), Platform Team Workboards (Clinic Duty Team), MediaWiki-Parser
tstarling added a comment to T250248: Fast stale ParserCache responses on PoolCounter contention.

I was able to confirm the expected behaviour using a script that waits until a specified time before beginning a request.

Aug 6 2020, 3:08 AM · Platform Team Sprints Board (Sprint 1), Patch-For-Review, MW-1.35-notes (1.35.0-wmf.36; 2020-06-09), Platform Team Workboards (Clinic Duty Team), MediaWiki-Parser
tstarling created P12178 T250248-inject.php.
Aug 6 2020, 2:31 AM

Aug 5 2020

tstarling added a comment to T257066: Extension:Score / Lilypond is disabled on all wikis.

We still can't announce anything since we're waiting for vendor security releases. Third party sites should leave lilypond execution disabled.

Aug 5 2020, 11:05 PM · User-notice, Patch-For-Review, Security-Team, Security, Wikimedia-General-or-Unknown, MediaWiki-extensions-Score, Operations

Aug 4 2020

tstarling closed T257066: Extension:Score / Lilypond is disabled on all wikis as Resolved.
Aug 4 2020, 8:39 AM · User-notice, Patch-For-Review, Security-Team, Security, Wikimedia-General-or-Unknown, MediaWiki-extensions-Score, Operations
tstarling closed Restricted Task, a subtask of T257066: Extension:Score / Lilypond is disabled on all wikis, as Resolved.
Aug 4 2020, 8:39 AM · User-notice, Patch-For-Review, Security-Team, Security, Wikimedia-General-or-Unknown, MediaWiki-extensions-Score, Operations

Jul 31 2020

tstarling reopened T257066: Extension:Score / Lilypond is disabled on all wikis as "Open".

It's disabled again, since I found a new vulnerability.

Jul 31 2020, 12:49 AM · User-notice, Patch-For-Review, Security-Team, Security, Wikimedia-General-or-Unknown, MediaWiki-extensions-Score, Operations
tstarling reopened Restricted Task, a subtask of T257066: Extension:Score / Lilypond is disabled on all wikis, as Open.
Jul 31 2020, 12:48 AM · User-notice, Patch-For-Review, Security-Team, Security, Wikimedia-General-or-Unknown, MediaWiki-extensions-Score, Operations

Jul 30 2020

tstarling added a comment to T257066: Extension:Score / Lilypond is disabled on all wikis.

Will there be any disclosure of the issue so 3rd party sites that followed suit in disabling it know what's safe?

Jul 30 2020, 7:08 AM · User-notice, Patch-For-Review, Security-Team, Security, Wikimedia-General-or-Unknown, MediaWiki-extensions-Score, Operations

Jul 29 2020

tstarling closed T257066: Extension:Score / Lilypond is disabled on all wikis as Resolved.
Jul 29 2020, 11:49 PM · User-notice, Patch-For-Review, Security-Team, Security, Wikimedia-General-or-Unknown, MediaWiki-extensions-Score, Operations
hashar awarded T230861: PHP 7.2 is very slow on an allocation-intensive benchmark a Love token.
Jul 29 2020, 5:32 PM · PHP 7.3 support, PHP 7.2 support, serviceops, Operations
tstarling reopened T161293: Paper format with Score extension in Wikipedia is A4 only as "Open".
Jul 29 2020, 3:47 AM · User-Ryasmeen, VisualEditor, MediaWiki-extensions-Score
tstarling added a comment to T257278: Command::restrict( Shell::RESTRICT_NONE ) doesn't actually work.

Ideally I think it would be called restrictions(), following the convention that chaining mutators take the name of the thing they are mutating. But the fact that there are already callers expecting this behaviour makes the proposed patch good enough for me.

Jul 29 2020, 3:16 AM · MW-1.34-notes, MW-1.31-release-notes, MW-1.35-notes, MW-1.36-notes (1.36.0-wmf.3; 2020-08-04), Platform Engineering, MediaWiki-Shell
tstarling added a comment to T60526: Score: Colors names (e.g. #red) are not recognized.

I submitted the merge request https://gitlab.com/lilypond/lilypond/-/merge_requests/285 for this.

Jul 29 2020, 3:09 AM · MediaWiki-extensions-Score
tstarling reopened T60526: Score: Colors names (e.g. #red) are not recognized as "Open".
Jul 29 2020, 3:08 AM · MediaWiki-extensions-Score
tstarling closed Restricted Task, a subtask of T257066: Extension:Score / Lilypond is disabled on all wikis, as Resolved.
Jul 29 2020, 2:35 AM · User-notice, Patch-For-Review, Security-Team, Security, Wikimedia-General-or-Unknown, MediaWiki-extensions-Score, Operations

Jul 28 2020

tstarling added a comment to T258763: Vulnerabilities in firejail due to --output (CVE-2020-17367, CVE-2020-17368).

Since there was no response from netblue30, I sent an email to Reiner Herrmann, as suggested by @Legoktm.

Jul 28 2020, 2:50 AM · MediaWiki-Shell, Upstream, Security, Security-Team

Jul 27 2020

tstarling triaged T258763: Vulnerabilities in firejail due to --output (CVE-2020-17367, CVE-2020-17368) as Low priority.

We can leave this open for now to track the upstream issue.

Jul 27 2020, 11:42 PM · MediaWiki-Shell, Upstream, Security, Security-Team

Jul 24 2020

tstarling added a comment to T257066: Extension:Score / Lilypond is disabled on all wikis.

It will probably be re-enabled in safe mode early next week. Hopefully Monday my time (i.e. Sunday night US time). I don't know how long it will take to restore it in unsafe mode, probably another couple of weeks.

Jul 24 2020, 6:07 AM · User-notice, Patch-For-Review, Security-Team, Security, Wikimedia-General-or-Unknown, MediaWiki-extensions-Score, Operations
tstarling added a comment to T258763: Vulnerabilities in firejail due to --output (CVE-2020-17367, CVE-2020-17368).

Proposed patch that checks every arg passed to FirejailCommand to ensure it doesn't start with --output.

Jul 24 2020, 2:48 AM · MediaWiki-Shell, Upstream, Security, Security-Team
tstarling added a project to T258763: Vulnerabilities in firejail due to --output (CVE-2020-17367, CVE-2020-17368): Upstream.
Jul 24 2020, 12:46 AM · MediaWiki-Shell, Upstream, Security, Security-Team
tstarling created T258763: Vulnerabilities in firejail due to --output (CVE-2020-17367, CVE-2020-17368).
Jul 24 2020, 12:46 AM · MediaWiki-Shell, Upstream, Security, Security-Team

Jul 2 2020

tstarling created T256956: Clean up getCacheVaryCookies()/haveCacheVaryCookies().
Jul 2 2020, 10:51 AM · Platform Engineering Roadmap Decision Making, Performance-Team (Radar), MediaWiki-Authentication-and-authorization, Platform Engineering
tstarling added a comment to T256942: Stop SonarQube spam.

Excessive number of returns is really just an example. On https://gerrit.wikimedia.org/r/c/mediawiki/core/+/608993 SonarQube is putting 8 comments per patchset, of which 3 are about excessive returns. None are actual issues which require any action.

Jul 2 2020, 8:27 AM · Gerrit, Code-Health-Metrics, Sonarqubebot
tstarling added a comment to T256942: Stop SonarQube spam.

Thanks @kostajh. I think I'd rather not see any non-voting comment as an inline comment. For example, PHPCS failures as inline comments might be a useful feature. But if SonarQube is not voting then I don't want to see inline comments from it. I especially don't want to see them duplicated on every patchset. The problem is that inline comments need to be resolved before the patch can be accepted. Sorting through a mass of bot-generated comments to try to find the human ones that still need resolution is not a task I want to add to my workflow.

Jul 2 2020, 8:23 AM · Gerrit, Code-Health-Metrics, Sonarqubebot
tstarling updated subscribers of T256942: Stop SonarQube spam.

I'm not kidding about this, this is very annoying and the number of useful comments I have seen from it is exactly zero. I'll submit a revert for rLTSQcfa9ad30f4d9: Remove inline comment safelist if that is the cause of this.

Jul 2 2020, 7:44 AM · Gerrit, Code-Health-Metrics, Sonarqubebot
tstarling created T256942: Stop SonarQube spam.
Jul 2 2020, 7:00 AM · Gerrit, Code-Health-Metrics, Sonarqubebot
tstarling added a comment to T252236: Prepare CentralAuth (e.g. login.wikimedia.org) for requirement of SameSite=None cross-site cookies in Chrome.

Local login should continue to work regardless.

Jul 2 2020, 12:46 AM · MW-1.31-release-notes, MW-1.34-notes, User-RhinosF1, MW-1.35-notes (1.35.0-wmf.41; 2020-07-14), Patch-For-Review, MediaWiki-extensions-CentralAuth

Jul 1 2020

tstarling added a comment to T252236: Prepare CentralAuth (e.g. login.wikimedia.org) for requirement of SameSite=None cross-site cookies in Chrome.

There is the question of how much we really care about the incompatible browsers, since the recommended solution for them (sending two cookies) is quite intrusive. I ran some queries in Turnilo. As a percentage of non-bot page views in the latest day:

Jul 1 2020, 11:30 PM · MW-1.31-release-notes, MW-1.34-notes, User-RhinosF1, MW-1.35-notes (1.35.0-wmf.41; 2020-07-14), Patch-For-Review, MediaWiki-extensions-CentralAuth
tstarling added a comment to T252236: Prepare CentralAuth (e.g. login.wikimedia.org) for requirement of SameSite=None cross-site cookies in Chrome.

Testing on Firefox and Chromium shows that it is necessary to set SameSite=None on local session cookies in order for cross-site autologin to work. When a wiki is visited by a user who is logged in centrally but not locally, there is a four step process driven by redirects: central/checkLoggedIn -> local/createSession -> central/validateSession -> local/setCookies. Both browsers agree that a redirect from the central wiki to the local wiki is a cross-site request even though the top-level origin is the local wiki, so Lax cookies are not sent. Patching MW to make the local (and central) session cookies have SameSite=None causes autologin to work in both browsers.

Jul 1 2020, 10:41 AM · MW-1.31-release-notes, MW-1.34-notes, User-RhinosF1, MW-1.35-notes (1.35.0-wmf.41; 2020-07-14), Patch-For-Review, MediaWiki-extensions-CentralAuth