Greetings-
With the security/maintenance release of MediaWiki 1.31.8/1.33.4/1.34.2
[0], we would also like to provide this supplementary announcement of
MediaWiki extensions and skins with now-public Phabricator tasks, security
patches and backports [1]:
== CentralAuth ==
+ (T250594, CVE-2020-12051) - globaluserinfo api allows access to
information about hidden users
<https://gerrit.wikimedia.org/r/#/q/I3c80641dc1202df7428714f0ca44717a51ff6021>
The Wikimedia Security Team recommends updating these extensions and/or
skins to the current master branch or relevant, supported release branch
[2] as soon as possible. Some of the referenced Phabricator tasks above
_may_ still be private. Unfortunately, when security issues are reported,
sometimes sensitive information is exposed and since Phabricator is
historical, we cannot make these tasks public without exposing this
sensitive information. If you have any additional questions or concerns
regarding this update, please feel free to contact security(a)wikimedia.org
or file a security task within Phabricator [3].
[0] https://lists.wikimedia.org/pipermail/mediawiki-announce/2020-June/000252.h…
[1] https://phabricator.wikimedia.org/T248542
[2] https://www.mediawiki.org/wiki/Version_lifecycle
[3] https://www.mediawiki.org/wiki/Reporting_security_bugs
--
Scott Bassett
sbassett(a)wikimedia.org
📘 Read on Phabricator at
https://phabricator.wikimedia.org/phame/post/view/198/
-------
How’d we do in our strive for operational excellence last month? Read on to
find out!
## 📊 Month in numbers
* 5 documented incidents in May. [1]
* 28 new production error tasks filed in May. [2] [3]
* 68 recent production errors currently open (up from 61).
* 193 currently open Wikimedia-prod-error tasks (up from 178). [4]
For more about recent incidents and pending actionables see Wikitech and
Phabricator, at https://wikitech.wikimedia.org/wiki/Incident_documentation
and https://phabricator.wikimedia.org/project/view/4758
## 📉 Outstanding reports
Take a look at the workboard and look for tasks that could use your help.
→ https://phabricator.wikimedia.org/tag/wikimedia-production-error/
Breakdown of recent months:
* July 2019: One task closed, 7 of 18 tasks left. ⚠️
* August: 2 of 14 tasks left (unchanged).
* September: 7 of 12 tasks left (unchanged).
* October: 4 of 12 tasks left (unchanged).
* November: 4 of 5 tasks left (unchanged).
* December: 4 of 9 tasks left (unchanged).
* January 2020: 5 of 7 tasks left (unchanged).
* February: Two tasks closed, 4 of 7 tasks left. ⚠️
* March: 2 of 2 tasks left (unchanged).
* April: 14 of 14 tasks left (unchanged).
* May: 14 new tasks survived the month of May.
At the end of April the total of open production errors over recent months
was 61. Of those, 7 got closed, but with 14 new tasks from May still open,
the total has grown to 68.
The workboard had 178 open tasks in April, which saw a steep increase to
now 192 open tasks (this includes June 2020 so far, and pre-2019 tasks).
## 🎉 Thanks!
Thank you to everyone else who helped by reporting, investigating, or
resolving problems in Wikimedia production. Thanks!
Until next time,
– Timo Tijhof
-------
Footnotes:
[1] Incidents. –
https://wikitech.wikimedia.org/wiki/Incident_documentation#2020
[2] Tasks created. –
https://phabricator.wikimedia.org/maniphest/query/7Z4Us2BS02Uo/#R
[3] Tasks closed. –
https://phabricator.wikimedia.org/maniphest/query/FoIFMu5UO8pw/#R
[4] Open tasks. –
https://phabricator.wikimedia.org/maniphest/query/Fw3RdXt1Sdxp/#R
Hi,
for HTML version see https://www.mediawiki.org/wiki/Scrum_of_scrums/2020-06-24
Željko
--
= 2020-06-24 =
== Callouts ==
* SRE DBAs:
** m1-master failover, etherpad will have minor issues on Thursday Jun 25th
* Release Engineering
** [All] Review guidance at [[wikitech:Deployments/Covid-19]] and Code
Deployment Office Hour at 17:00UTC in #wikimedia-office
** Gerrit upgrade on Saturday, 27th of June
<https://lists.wikimedia.org/pipermail/wikitech-l/2020-June/093526.html>
** "scap sync" will be renamed to "scap sync-world" in the next
release. If you use "scap sync" non-interactively, please add a note
to: [[phab:T250302]] (and also, explain why you're using it)
** scap sync now has option --canary-wait-time; [[phab:T217924]]
== SoS Meeting Bookkeeping ==
* Updates:
** looking for somebody to facilitate on 2020-07-01
== Product ==
=== iOS native app ===
* Updates:
** Bug fix 6.6.1 to be released this week [[phab:project/view/4574]]
** Early development and research on new experiments for 6.7
[[phab:project/view/4661]]
=== Android native app ===
* Updates:
** Completed new user contribution screen, to be deployed to Beta this week.
** Design refresh of explore feed cards and the main screen.
=== Web ===
* Updates:
** '''Summary''': sidebar instrumentation and content width limiting
for Desktop Improvements Project (DIP), component baseline taskout for
Vue.js search.
** [[Reading/Web/Desktop_Improvements|Desktop Improvements Project
(Vector / DIP)]]:
*** [[phab:T255574|<nowiki>Watchlist star gone on Vector</nowiki>]]
*** [[phab:T237036|<nowiki>ext.uls.interface should set targets and
explicitly not target the Minerva skin</nowiki>]]
*** [[phab:T254546|<nowiki>Language portlet no longer at the bottom of
sidebar</nowiki>]]
*** [[phab:T253938|<nowiki>Future proof addPortletLink</nowiki>]]
*** [[phab:T250282|<nowiki>Build sidebar instrumentation</nowiki>]]
*** [[phab:T246419|<nowiki>Build collapsible sidebar and sidebar
button </nowiki>]]
*** [[phab:T60137|<nowiki>Deprecate the
SkinTemplateOutputPageBeforeExec hook</nowiki>]]
*** [[phab:T252774|<nowiki>Checkbox and mediawiki.toc.styles styles
should be merged into a single ResourceLoader module</nowiki>]]
*** [[phab:T251212|<nowiki>[Dev] Drop VectorTemplate usage in Vector</nowiki>]]
*** [[phab:T244392|Vue.js search case study]]:
**** See [[Reading/Web/Desktop Improvements/Vue.js case study/Status
log|weekly status updates]].
** Mobile website (MinervaNeue / MobileFrontend):
*** [[phab:T235712|<nowiki>Fix the most common "Module not loadable on
target mobile" warnings (Oct 2019)</nowiki>]]
*** [[phab:T255630|<nowiki>Sorry toast doesn't show for mobile editor
on pages you can't edit (Uncaught TypeError: m.show is not a function,
Uncaught TypeError: Cannot read property 'show' of
undefined)</nowiki>]]
*** [[phab:T240622|<nowiki>[Technical debt payoff] Remove
InlineDiffFormatter and InlineDifferenceEngine from
MobileFrontend</nowiki>]]
** Standardization
*** [[phab:T255717|<nowiki>Scope and use of mediawiki.skinning's
'elements.less' file</nowiki>]]
*** [[phab:T255229|<nowiki>Align mediawiki.ui/variables.less variables
to CSS variable naming scheme</nowiki>]]
*** [[phab:T255225|<nowiki>Replace non-standard color palette .new
color with Red50 `#d33`</nowiki>]]
*** [[phab:T66477|<nowiki>Vector: Use semantic HTML5 elements where
applicable</nowiki>]]
** Miscellaneous
*** [[phab:T255814|<nowiki>Latest version of SkinBlueSpiceCalumma is
not compatible with current version of Chameleon</nowiki>]]
*** [[phab:T255299|<nowiki>Some images appear when Show Images is
disabled</nowiki>]]
*** [[phab:T253045|<nowiki>TypeError: self.hide is not a function. (In
'self.hide()', 'self.hide' is undefined)</nowiki>]]
=== Structured Data ===
* Updates:
** mediasearch design work, vue prototype work and backend changes
== Technology ==
=== Fundraising Tech ===
* Updates:
** More work on employer matching gifts: [[phab:T249924]], [[phab:T251201]]
** CentralNotice subnational targeting and banner templates going out
on train this week [[phab:T255476]]
** Improving efficiency of data export to bulk mail provider [[phab:T253152]]
** Tweaking config of card entry forms to avoid confusion [[phab:T254032]]
** Monitoring converted recurring donations now that a month has
passed, ready to convert the rest from our main card processor's old
API to their new API [[phab:T256181]]
** Adding a redirect feature to hide banners now that many browsers
don't allow pixels to set cookies: [[phab:T251780]]
=== Engineering Productivity ===
==== Release Engineering ====
* Updates:
** scap sync now has option --canary-wait-time; [[phab:T217924]]
** [All] Deployments/Covid-19 [[wikitech:Deployments/Covid-19]]
** Train Health
*** Last week: 1.35.0-wmf.37 - [[phab:T254174]]
*** This week: 1.35.0-wmf.38 - [[phab:T254175]]
*** Next week: 1.35.0-wmf.39 - [[phab:T254176]]
=== Site Reliability Engineering ===
* Updates:
** Working on actionables for the sessionstore incident
** m1-master failover, etherpad will have minor issues on Thursday Jun 25th
** Working on moving switching proton traffic to kubernetes
As per the MediaWiki version lifecycle [1], I would like to announce the
formal end of life (EOL) of MediaWiki 1.33 as of next week, Tuesday June
30, 2020.
This means that MediaWiki 1.33 will no longer receive maintenance or
security backports (barring any unforeseen issues with the 1.33.4 release
today). It is therefore strongly discouraged that you continue to use it.
It is recommended to upgrade to MediaWiki 1.34 (due to become EOL in
November 2020). The current Long Term Support (LTS) version of MediaWiki,
MediaWiki 1.31, is however older (and downgrading is not supported). The
delayed next LTS (MediaWiki 1.35) is currently due to be released in early
August 2020, and will be supported until at least June 2023.
MediaWiki 1.34 bumps the required PHP version from 7.0 in 1.33 (which is
unsupported upstream), to PHP 7.2.9 or later.
Thanks!
Sam Reed
[1] https://www.mediawiki.org/wiki/Version_lifecycle
// sorry for cross-posting
Hello,
A lot of heated discussions occur on talk pages – thus, edit conflicts
happen on talk pages a lot. To be able to solve these more effectively, the
Technical Wishes team at Wikimedia Germany is designing an additional user
interface for this situation. This interface is shown to you when you write
on a discussion page and another person writes a discussion post in the
same line and saves it before you do. With this additional editing conflict
interface you can adjust the order of the comments and edit your comment.
If you'd like to know more about this feature, please visit the project
page [1].
This interface is created as a result of the Technical Wishes survey [2] in
2015, in which the German Wikipedia community wished for a simpler way to
resolve edit conflicts. For regular edit conflicts on article pages, the two
column conflict user interface was created, which has been available as a
beta feature since November 2018. The plan is to make this additional
interface for talk pages available in a few months.
We are inviting everyone to have a look at the planned feature and let us
know what you think on our central feedback page [3]! -- For the Technical
Wishes Team: Max Klemm
[1] https://meta.wikimedia.org/wiki/WMDE_Technical_Wishes/Edit_Conflicts#Edit_c…
[2] https://de.wikipedia.org/wiki/Wikipedia:Umfragen/Technische_W%C3%BCnsche_20…
[3] https://www.mediawiki.org/wiki/Help_talk:Two_Column_Edit_Conflict_View
--
Max Klemm
Working Student Community Communication for Technical Wishes
Wikimedia Deutschland e. V. | Tempelhofer Ufer 23-24 | 10963 Berlin
Phone: +49 (0)30 219 158 26-0 https://wikimedia.de
Imagine a world in which every single human being can freely share in
the sum of all knowledge. Help us to achieve our
vision! https://spenden.wikimedia.de
Wikimedia Deutschland – Gesellschaft zur Förderung Freien Wissens e.
V. Registered in the register of associations of the
Berlin-Charlottenburg district court under number 23855 B. Recognised
as a non-profit organisation by the Finanzamt für Körperschaften I Berlin,
tax number 27/029/42207.
Apologies for cross-posting
Over the last year, the DBpedia core team has consolidated a great amount
of technology around DBpedia. This tutorial is targeted for developers
(in particular of DBpedia Chapters) that wish to learn how to replicate
local infrastructure such as loading and hosting their own SPARQL endpoint.
A core focus will also be the new DBpedia Stack, which contains several
dockerized applications that are automatically loading data from the
databus. The tutorial will cover the following topics:
- Using Databus collections (Download)
- Creating customized Databus collections
- Uploading data to the Databus
- Using collections in Databus-ready Docker applications
- Creating dockerized applications for the DBpedia Stack
The first tutorial will be held on July 1st, 2020 at 9:00-10:00 am
CEST. The tutorial will be repeated once more at a later time.
# Quick Facts
- Web URL: https://wiki.dbpedia.org/tutorials/1st-dbpedia-stack-tutorial
- When: July 1st, 2020 9:00-10:00 am CEST
- Where: The tutorial will be organized online. Registration is required
though.
- Databus: https://databus.dbpedia.org/
# Registration
Attending the DBpedia Stack tutorial is free. Registration is required
though. After the registration for the event, you will receive an email
with more instructions. Please register here to be part of the meeting:
https://docs.google.com/forms/d/e/1FAIpQLSfI3x5YE6bYmxTM57001MBfy5_1EjyjUV5…
# Program
- Please check the schedule for the upcoming DBpedia Stack Tutorial
here: https://wiki.dbpedia.org/tutorials/1st-dbpedia-stack-tutorial
# Organisation
- Milan Dojchinovski, AKSW/KILT, DBpedia Association
- Jan Forberg, AKSW/KILT, DBpedia Association
- Sebastian Hellmann, AKSW/KILT, DBpedia Association
We are looking forward to meeting you online!
With kind regards,
The DBpedia Team
Hi all,
Tomorrow we will be issuing a security and maintenance release to all
supported branches of MediaWiki.
The new releases will be:
- 1.34.2
- 1.33.4
- 1.31.8
This will resolve one minor issue in MediaWiki core, and also includes some
fixes previously committed to git, including minor security and hardening
patches along with bug fixes included for maintenance reasons.
We've noted that these issues are minor, and as such you don't need to
apply them as quickly as with other security releases, if you're unable to
do so. We therefore decided to continue with getting the security (and
maintenance) release out for this quarter as planned, even with the global
situation as is.
We will make the fixes available in these respective release branches, and
also master. Tarballs will be available for the above mentioned point
releases as well.
A summary of some of the security fixes that have gone into non-bundled
MediaWiki extensions will also follow.
As per the MediaWiki Version lifecycle [1], June 2020 is the scheduled EOL
date for the REL1_33. 1.33.4 will therefore be the final release of the
MediaWiki 1.33 branch, barring any unforeseen issues.
[1] https://www.mediawiki.org/wiki/Version_lifecycle
Thanks!
Sam