Jonathan,
I'm definitely open to working with Debian to find a way to get you
early access. We've guessed that was something some distributions
would like, but I haven't worked with each distro to figure out their
needs yet. Thanks for bringing the subject up.
For the March 4th release, I get a CVSS score of 1.8 and 3.5 for the
non-public bugs (if you have another preferred webapp scoring system,
I'm happy to generate a score for you). Additionally, already publicly
in the release branches are patches to pass '2' to
CURLOPT_SSL_VERIFYHOST instead of 'true' for outbound curl
connections.
Hope that helps!
Chris
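The following is an added example, not part of the original message or of MediaWiki's code. It illustrates the `CURLOPT_SSL_VERIFYHOST` change mentioned above: the option takes an integer, so a boolean `true` reaches libcurl as 1 rather than the 2 that requests matching the certificate against the host name. The function names `auditCurlTlsOptions` and `newVerifiedCurlHandle` are hypothetical.

```php
<?php
// Added example, not MediaWiki code. Requires the PHP curl extension.

/** List the TLS verification problems found in a curl option array. */
function auditCurlTlsOptions(array $opts): array {
    $problems = [];
    // Peer verification is on by default; only an explicit falsy value disables it.
    if (array_key_exists(CURLOPT_SSL_VERIFYPEER, $opts) && !$opts[CURLOPT_SSL_VERIFYPEER]) {
        $problems[] = 'CURLOPT_SSL_VERIFYPEER is disabled';
    }
    if (array_key_exists(CURLOPT_SSL_VERIFYHOST, $opts)) {
        $value = $opts[CURLOPT_SSL_VERIFYHOST];
        // The option is an integer: boolean true is cast to 1, not 2.
        if ((int)$value !== 2) {
            $problems[] = 'CURLOPT_SSL_VERIFYHOST is ' . var_export($value, true) . ', expected 2';
        }
    }
    return $problems;
}

/** Create a handle for an outbound HTTPS request with host checking set to 2. */
function newVerifiedCurlHandle(string $url) {
    $opts = [
        CURLOPT_URL => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
    ];
    if (auditCurlTlsOptions($opts) !== []) {
        throw new LogicException('refusing weak TLS options');
    }
    $ch = curl_init();
    curl_setopt_array($ch, $opts);
    return $ch;
}

// Constructed sample inputs: the pattern the patches replace, then the fix.
$before = [CURLOPT_SSL_VERIFYHOST => true];
$after  = [CURLOPT_SSL_VERIFYHOST => 2];
print_r(auditCurlTlsOptions($before)); // one finding
print_r(auditCurlTlsOptions($after));  // empty array
```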
I’m considering this issue RC.
On Tue, 6 Aug 2013, Joerg Jaspert wrote:
> CSSMin.php is Apache 2.0 License
This is GPLv3+ compatible whereas the rest is GPLv2+ or compatible,
which means this should be not an issue, except for needing to
document that in debian/copyright. Please correct me if I’m wrong.
> IEContentAnalyzer is non-free actually. "It may be redistributed
> without restriction" is missing some things we require for main.
Right. Tim Starling, you claim copyright on that file. Can you
please confirm which DFSG-free Open Source™ licence(s) we can
use and distribute that file under?
> JavaScriptMinifier.php is Apache,MIT,GPL,LGPL - and so falls under
> GPL, but it wouldn't be bad to list the options it offers for users
> looking into the copyright file. While you modify it anyways. :)
>
> jsminplus is MPL1.1 or GPL or LGPL. Please list, for completeness.
Aye. These weren’t an issue for the mediawiki package before the
split (which I still don’t agree with but will only passively
oppose).
I’ve got more:
IEUrlExtension.php does not have any licence at all. Is it safe
to assume it’s GPLv2+ as “all of the rest of MediaWiki”?
HttpStatus.php has no complaints ;-) it’s not code and certainly
not copyrightable.
I’ll be removing IEContentAnalyzer.php and IEUrlExtension.php
from MediaWiki in Debian within this month if I do not get
any positive feedback or a good reason to delay this.
bye,
//mirabilos
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I'm happy to announce the availability of the first stable release
of the new MediaWiki 1.21 release series.
MediaWiki 1.21 is a large release that contains many new features and
bug fixes. This is a summary of the major changes of interest to users.
You can consult the RELEASE-NOTES-1.21 file for the full list of changes
in this version.
Our thanks go to everyone who helped to improve MediaWiki by testing
the beta release and submitting bug reports.
== What's new? ==
MediaWiki 1.21 includes all changes released in the smaller, bi-weekly
"1.21wmfX" software deployments to Wikimedia sites.
=== Clearer email notifications ===
Bug 14901 - Email notification mistakes log action for new page
creation, the third most reported open MediaWiki bug, has been
fixed. Consequently, notifications now state clearly what action was
performed on the watched pages in case they are created, deleted,
restored, moved or changed.
There are still some known issues. If you customised MediaWiki:Enotif
body on your wiki, you have to delete or update it; see also full
documentation.
=== Skin ===
The CologneBlue skin has been refactored to make it relevant again,
more compatible with existing scripts, and more similar in structure
to Vector and Monobook, reusing a lot of existing code.
The only major difference for end-users should be a slight reordering
of the sidebar menu (the "Context" submenu was removed and its
contents merged into other ones). If you were, however, depending on
the exact HTML it used to produce, you'll need to review your tools.
=== ContentHandler ===
As part of the Wikidata initiative, 1.21 adopts an extensible
framework ("ContentHandler") so that pages can contain something other
than wikitext.
Right now, built-in content types are limited to
wikitext - wikitext, as usual
javascript - user-provided JavaScript code
css - user-provided CSS code
text - plain text
Extension developers can create additional content
types. Extension:EventLogging uses ContentHandler to implement a
namespace for JSON schemas, and may be used as a reference. Other
extensions, such as Scribunto, also make use of the new functionality.
ContentHandler affects diff rendering, handling of CSS and JavaScript
pages, import/export, and the API.
=== Support for high DPI displays ===
MediaWiki now tries to deliver higher-res images to high pixel density
screens such as Apple Retina Displays (see gerrit change 24115 for
details). This is a work-in-progress, so normal-resolution images may
still appear in some places and in some browser
versions. Administrators may need to watch out for higher load on
their image scaling software.
=== Ajax patrolling ===
(bug 7851) The features users have waited for longest: one-click Ajax
patrolling. With this new feature, users can mark revisions or pages
as having been "patrolled" with a single click while staying on the
current page.
=== Internationalization ===
(bug 24156) The general logging framework was made completely
localisable at last. The logging for each action (whether in core or
extensions) might still need to be updated to use the new system,
though.
(bug 40367) MediaWiki:Contributions now reflects the gender of the
user.
=== New accounts ===
(bug 22457) It's now easier to create accounts for other users by
sending a temporary password via e-mail: Special:CreateAccount now
shows a checkbox for logged-in users to use this feature, rather than
a button.
Account API: bots and other scripts can now use the API to create user
accounts, rather than attempting to pseudo-submit the HTML form.
=== Account creation welcome ===
The MediaWiki:welcomecreation message was split up into
MediaWiki:welcomeuser and MediaWiki:welcomecreation-msg so users no
longer see "Login successful" when creating their accounts (bug
42215). If you customized the former message and want to preserve your
customization, you'll have to modify the new messages accordingly.
=== More wikitext now supported in JavaScript messages ===
The jqueryMsg parser now supports wikilinks and int: transclusion. For
more details, see Manual:Messages API.
=== Using semantic headings for the navigation menu ===
The previous scheme of using (varying per skin) <h4>, <h5> and/or <h6>
tags (with nothing apart from the main <h1> above them in the
hierarchy) was changed to consistently using a <h2> above the entire
navigation and <h3>s as portlet headings in all skins.
The <h2> is hidden for normal browsers, but accessible for
screen-readers or text browsers.
While this change is minor, it might require similarly minor updates
in any customized CSS or JS (or in screen scrapers).
=== Extended collation support ===
UCA-based category collations for 68 languages based in Latin, Greek
and Cyrillic alphabets are now supported. You can use them by setting
$wgCategoryCollation = 'uca-<langcode>', where <langcode> is the
appropriate language code.
=== Bundled extensions ===
Newly bundled for 1.21 (bug 43815):
Cite
ImageMap
Interwiki
Title Blacklist
SpamBlacklist
Poem
InputBox
LocalisationUpdate
SyntaxHighlight GeSHi
Full release notes:
https://www.mediawiki.org/wiki/Release_notes/1.21
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.0.tar.gz
Patch to previous version (1.20.0), without interface text:
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.0.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.21/mediawiki-i18n-1.21.0.patch.gz
GPG signatures:
http://download.wikimedia.org/mediawiki/1.21/mediawiki-core-1.21.0.tar.gz.s…
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.0.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.0.patch.gz.sig
http://download.wikimedia.org/mediawiki/1.21/mediawiki-i18n-1.21.0.patch.gz…
Public keys:
https://secure.wikimedia.org/keys.html
- --
http://hexmode.com/
Imagination does not breed insanity. Exactly what does breed insanity
is reason. Poets do not go mad; but chess-players do.
-- G.K. Chesterson
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Icedove - http://www.enigmail.net/
iD8DBQFRoNaqc17xCi38v/URAgClAJ9YnIT5CLqfbFolRyoG8W7UOF+l6QCfSu5H
p79h+WXqEqs9MgYl1t+ES94=
=shHJ
-----END PGP SIGNATURE-----
I have to delay the release of MediaWiki 1.21 again because of a
logistics problem.
I am used to hearing logistics in the context of shipping physical
objects -- in the American trucking industry, for example -- so I can't
help but feel a little strange saying "logistics". I had to go look up
the term and found this definition:
The detailed coordination of a complex operation involving many
people, facilities, or supplies.
That is about right.
I apologize for the confusion.
--
http://hexmode.com/
Imagination does not breed insanity. Exactly what does breed insanity
is reason. Poets do not go mad; but chess-players do.
-- G.K. Chesterson
This is RC4 for 1.21.0 due to be released on May 15, 2013. The
patches included since RC3 are after the download instructions.
While testing this release candidate, I discovered a bug in the
installer (Bug #47489) which I would like to get fixed before a final
release.
I've changed the list of bugs I would like to see fixed in the next
couple of weeks before release to 3 installer-only bugs:
https://bugzilla.wikimedia.org/buglist.cgi?bug_id=47489%2C46802%2C43817
https://bugzilla.wikimedia.org/43817
Include short descriptions for extensions bundled in the release
https://bugzilla.wikimedia.org/46802
Enabling extensions during install process displays empty readonly
textbox on status page
https://bugzilla.wikimedia.org/47489
white screen after no db selection
I'll take a stab at these, but I appreciate any help you guys can give.
Full release notes:
https://www.mediawiki.org/wiki/Release_notes/1.21
**********************************************************************
Download:
http://download.wikimedia.org/mediawiki/1.21/mediawiki-core-1.21.0rc4.tar.gz
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.0rc4.tar.gz
Patch to previous version (1.20.0), without interface text:
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.0rc4.patch.gz
Interface text changes:
http://download.wikimedia.org/mediawiki/1.21/mediawiki-i18n-1.21.0rc4.patch…
GPG signatures:
http://download.wikimedia.org/mediawiki/1.21/mediawiki-core-1.21.0rc4.tar.g…
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.0rc4.tar.gz.sig
http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.0rc4.patch.gz.s…
http://download.wikimedia.org/mediawiki/1.21/mediawiki-i18n-1.21.0rc4.patch…
Public keys:
https://secure.wikimedia.org/keys.html
Patches included since RC3:
commit 29d3243339f836ad13a722762e4b0f7056ee3764
Author: Brad Jorsch <bjorsch(a)wikimedia.org>
Date: Sun Mar 3 22:35:05 2013 -0500
Add parser method to call parser functions
There is currently no straightforward way for anything to call a
parser function and get the result. This abstracts out that portion
of braceSubstitution() to allow this.
The immediate motivation for this patch is to close bug 41769
against Scribunto, see I0138836654b0e34c5c23daaedcdf5d4f9d1c7ab2.
Bug: 41769
Change-Id: I339b882010dedd714e7965e25ad650ed8b8cd48f
commit c81f3673423021c92a8e08a207236b4d48b0bc46
Author: Timo Tijhof <ttijhof(a)wikimedia.org>
Date: Tue Mar 26 18:59:07 2013 +0100
mw.loader: Guard against odd setTimeout behaviour in old Firefox
Bug: 46575
Change-Id: I80af730daa815f0c273fe942c570d1f0144bbbb1
commit d43c43727c0273ab9a861b39a70609bfbe14a801
Author: PleaseStand <pleasestand(a)live.com>
Date: Wed Apr 17 13:49:50 2013 +0000
Revert "Remove link to Special:ActiveUsers from Special:Statistics"
Special:ActiveUsers still seems to be in REL1_21, and
there is a pending change set (Ib43b4205) to add back
the special page on the master branch.
This reverts commit 4b2c7373f2ab6f701cbd7f371ad4b95829e34e70
Change-Id: I5669477091ada36ea28c33de1232d2b7e9d0b413
commit c6528bb73b99de3ae6a5f3d8493e9dc8a1eb9120
Author: csteipp <csteipp(a)wikimedia.org>
Date: Mon Apr 15 13:42:02 2013 -0700
Sanitize $limitReport before outputting
Prevents possible injection of "-->" and other HTML by extensions
using the ParserLimitReport hook.
bug: 46084
Change-Id: Id97b6668da6df3e5e4c0acefffa00c82cac3c44a
(cherry picked from commit 69f96f65dd99e54b84e489e7d957b7526653474c)
commit 73f30041f2cf4f5cac08bb3b37a38fa80832bec3
Author: csteipp <csteipp(a)wikimedia.org>
Date: Mon Apr 15 13:44:23 2013 -0700
Disable external entities in XMLReader
Temporarily disable loading entities in XMLReader when calling
read() with libxml_disable_entity_loader(true).
bug: 46859
Change-Id: I0b2ef270f15c7b4da17edee680bf7e2410919915
(cherry picked from commit 1ed76385c31f44c589f6e5a99c9c56f1f3f76728)
commit 9c902fb78536566c3deb85cc1bfb033074520e22
Author: csteipp <csteipp(a)wikimedia.org>
Date: Mon Apr 15 13:47:10 2013 -0700
Disable external entities in Import
Temporarily disable loading entities in XMLReader when calling
read() during import.
(cherry picked from commit 77a8d576918b6a47b80a67a3653662a2d705d6c3)
bug: 47251
Change-Id: I0b39386e6cf4ec0244aab8ebc4095922511e2964
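The following is an added example, not the code from the commits listed above. It sketches the approach the two "Disable external entities" commit messages describe, wrapping `XMLReader::read()` with `libxml_disable_entity_loader(true)` and restoring the previous setting afterwards. It goes one step further than the commits by also rejecting any document that carries a DOCTYPE; the function names and the sample XML are hypothetical.

```php
<?php
// Added example, not MediaWiki code. Requires the PHP xmlreader extension.

/** Call $reader->read() with libxml's external entity loader switched off. */
function guardedRead(XMLReader $reader): bool {
    // Assumption: libxml2 >= 2.9 no longer loads external entities by
    // default and PHP 8 deprecates the toggle, so only older stacks use it.
    $toggle = PHP_VERSION_ID < 80000 && function_exists('libxml_disable_entity_loader');
    $previous = $toggle ? libxml_disable_entity_loader(true) : null;
    try {
        return $reader->read();
    } finally {
        if ($toggle) {
            libxml_disable_entity_loader($previous); // restore the caller's setting
        }
    }
}

/** Collect element names, refusing any document that carries a DOCTYPE. */
function elementNames(string $xml): array {
    $reader = new XMLReader();
    $reader->XML($xml);
    $names = [];
    try {
        while (guardedRead($reader)) {
            if ($reader->nodeType === XMLReader::DOC_TYPE) {
                throw new RuntimeException('DOCTYPE not allowed in import data');
            }
            if ($reader->nodeType === XMLReader::ELEMENT) {
                $names[] = $reader->name;
            }
        }
    } finally {
        $reader->close();
    }
    return $names;
}

// Constructed sample inputs; the entity target is a placeholder path.
$plain = '<mediawiki><page><title>Sandbox</title></page></mediawiki>';
$withDoctype = '<!DOCTYPE mediawiki [<!ENTITY e SYSTEM "file:///nonexistent/placeholder">]>'
    . '<mediawiki><page><title>&e;</title></page></mediawiki>';

print_r(elementNames($plain));
try {
    elementNames($withDoctype);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```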
Hi,
I wonder if we could co-ordinate early disclosure of forthcoming security
fixes, such as that due on 4th March, to nominated contacts at the
various distributions. I speak only with a Debian hat, of course.
The problem I have currently is that I don't know what the content or
severity of these releases is in advance of the day, and so can't prepare
and test packages satisfactorily ahead of the release. I also can't
guarantee how much spare capacity I have around that time.
If we knew in advance what was coming up, we could prepare packages and
release them immediately after the upstream release. For Debian at least,
we already have the infrastructure to build and test in advance and then
just hit 'go' when the time comes.
This would also give us more time to prepare and test backports to
older versions, such as the 1.15 we currently have in stable and will
have for at least the next 12 months.
I would envisage such advance disclosures being embargoed and encrypted,
naturally.
Thanks,
--
Jonathan Wiltshire jmw(a)debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
<directhex> i have six years of solaris sysadmin experience, from
8->10. i am well qualified to say it is made from bonghits
layered on top of bonghits