On Tue, Sep 29, 2015 at 10:56 PM, Quim Gil qgil@wikimedia.org wrote:
Hi, let me try to help with the tools I have at hand, even if I understand that that is not the whole picture or the whole solution.
On Wed, Sep 30, 2015 at 6:07 AM, Kevin Gorman kgorman@gmail.com wrote:
what are apparently serious enough security problems (enough to call it a 'significant attack vector')
Are these problems reported as tasks in Phabricator? If so, please share the links here. If not, reporting them is the first step.
He was getting that from me. Yes, there are quite a few of them in Phabricator plus lingering concerns because of previous issues that would desire a more complete security review. I'm happy to share them with you offlist tomorrow (they are all under security bugs and I would rather not share them on a list this public).
I also just wanted to let people know that I'm still following this thread and will respond more fully tomorrow (I apologize for less response today than yesterday; it's been a busy day with a couple of fires to put out, and I have to go to a late night meeting in a couple of minutes). For a quick response to a couple of the previous emails, however:
I don't have any magic powers to get resources (I don't have near enough myself :-/ for the amount of work people want me to do), but I definitely want to ensure that those using the extension continue to have options, and I know that Floor and others do too. This is in no way intended to be a secret, behind-closed-doors decision on what to do in terms of fixes/replacements etc. We're putting in these temp fixes because we believe it's the best move right now (my understanding was that the likelihood of fixing the holes or getting a replacement very quickly was small), but it's certainly not the end of the discussion.
James Alexander
Manager, Trust & Safety
Wikimedia Foundation
(415) 839-6885 x6716
@jamesofur
As I understand the situation, it may be that the interim fixes will be sufficient to get these risks patched to a level of security with which Chris feels comfortable deploying the extension to more wikis and continuing to use it on ENWP while a long-term plan for fixes or system migration is developed.
I am hoping that Luis is involved in the review of this situation, because he is the one who is in the best position to make resource adjustments and/or ask for resource adjustments from Lila in order to address this situation.
Pine