I am happy to announce the availability of the general release of MediaWiki 1.40!
This includes the security fixes announced in 1.35.11/1.38.7/1.39.4.
Tarballs have already been uploaded, and the git tag has been pushed.
Thanks to everyone who helped out with this release, especially thanks to those who tested out the release candidate and provided feedback, as well as the developers who worked hard to get several important fixes merged in time for the 1.40 final release. To see what's changed in 1.40, see the release notes below.
MediaWiki 1.40 is the second release of MediaWiki 'born' with PHP 8.0 and PHP 8.1 support included. We anticipate there may be some as-yet undiscovered bugs with PHP 8.x support, of which we'd love to hear reports so they can be fixed. We plan to back-port fixes to 1.39, 1.38 and 1.35 to the extent possible.
MediaWiki 1.40 is due to be supported until the end of June 2024.
As a reminder, 1.35 LTS is due to become end-of-life in November 2023, and 1.38 became end-of-life today, 30 June 2023.
=== Changes since MediaWiki 1.40.0-rc.0 === * Localisation updates. * (T330464) Work around argument corruption bug in XMLReader::open. * build: Updating mediawiki/mediawiki-phan-config to 0.12.1. * Fix frame and frameless rdfa depending on file existing. * (T329214) Pass whether current rev of file exists to Linker::makeBrokenImageLinkObj. * (T334659) Handle thumb errors when !$enableLegacyMediaDOM. * A manualthumb that doesn't exist should be considered a thumb error. * (T313157) IndexPager: Also protect against $offset being 0. * (T335612, CVE-2023-36674) SECURITY: Move badFile lookup to Linker.
Open Bugs: [1] https://phabricator.wikimedia.org/project/board/6139/
Bug report form: [2] https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?tags=MW-1.40-R...
********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.0.tar.gz https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.0.zip
Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.40/mediawiki-core-1.40.0.tar.gz https://releases.wikimedia.org/mediawiki/1.40/mediawiki-core-1.40.0.zip
Patch to previous version (1.40.0-rc.0): https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.0.patch.gz https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.0.patch.zip
GPG signatures: https://releases.wikimedia.org/mediawiki/1.40/mediawiki-core-1.40.0.tar.gz.s... https://releases.wikimedia.org/mediawiki/1.40/mediawiki-core-1.40.0.zip.sig https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.0.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.0.zip.sig https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.0.patch.gz.sig https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.0.patch.zip.sig
Public keys: https://www.mediawiki.org/keys/keys.html
I note that we have not yet updated https://www.mediawiki.org/wiki/MediaWiki_1.40
This is something that James Forrester tended to do, but I'm not sure if that still falls under their responsibilities. It's also something that is noticeable missing from the checklist: https://www.mediawiki.org/wiki/Release_checklist
DJ
On Fri, Jun 30, 2023 at 7:24 PM Sam Reed reedy@wikimedia.org wrote:
I am happy to announce the availability of the general release of MediaWiki 1.40!
This includes the security fixes announced in 1.35.11/1.38.7/1.39.4.
Tarballs have already been uploaded, and the git tag has been pushed.
Thanks to everyone who helped out with this release, especially thanks to those who tested out the release candidate and provided feedback, as well as the developers who worked hard to get several important fixes merged in time for the 1.40 final release. To see what's changed in 1.40, see the release notes below.
MediaWiki 1.40 is the second release of MediaWiki 'born' with PHP 8.0 and PHP 8.1 support included. We anticipate there may be some as-yet undiscovered bugs with PHP 8.x support, of which we'd love to hear reports so they can be fixed. We plan to back-port fixes to 1.39, 1.38 and 1.35 to the extent possible.
MediaWiki 1.40 is due to be supported until the end of June 2024.
As a reminder, 1.35 LTS is due to become end-of-life in November 2023, and 1.38 became end-of-life today, 30 June 2023.
=== Changes since MediaWiki 1.40.0-rc.0 ===
- Localisation updates.
- (T330464) Work around argument corruption bug in XMLReader::open.
- build: Updating mediawiki/mediawiki-phan-config to 0.12.1.
- Fix frame and frameless rdfa depending on file existing.
- (T329214) Pass whether current rev of file exists to
Linker::makeBrokenImageLinkObj.
- (T334659) Handle thumb errors when !$enableLegacyMediaDOM.
- A manualthumb that doesn't exist should be considered a thumb error.
- (T313157) IndexPager: Also protect against $offset being 0.
- (T335612, CVE-2023-36674) SECURITY: Move badFile lookup to Linker.
Open Bugs: [1] https://phabricator.wikimedia.org/project/board/6139/
Bug report form: [2] https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?tags=MW-1.40-R...
Download: https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.0.tar.gz https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.0.zip
Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.40/mediawiki-core-1.40.0.tar.gz https://releases.wikimedia.org/mediawiki/1.40/mediawiki-core-1.40.0.zip
Patch to previous version (1.40.0-rc.0): https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.0.patch.gz https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.0.patch.zip
GPG signatures:
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-core-1.40.0.tar.gz.s... https://releases.wikimedia.org/mediawiki/1.40/mediawiki-core-1.40.0.zip.sig https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.0.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.0.zip.sig https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.0.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.0.patch.zip.sig
Public keys: https://www.mediawiki.org/keys/keys.html _______________________________________________ Wikitech-l mailing list -- wikitech-l@lists.wikimedia.org To unsubscribe send an email to wikitech-l-leave@lists.wikimedia.org https://lists.wikimedia.org/postorius/lists/wikitech-l.lists.wikimedia.org/
On Tue, 8 Aug 2023 at 08:02, Derk-Jan Hartman d.j.hartman+wmf_ml@gmail.com wrote:
I note that we have not yet updated https://www.mediawiki.org/wiki/MediaWiki_1.40
This is something that James Forrester tended to do, but I'm not sure if that still falls under their responsibilities. It's also something that is noticeable missing from the checklist: https://www.mediawiki.org/wiki/Release_checklist
The automated version announcement was updated in this edit https://www.mediawiki.org/w/index.php?diff=6010355&oldid=6010202&title=Module:Version by Reedy; the wikitext page was updated in this edit https://www.mediawiki.org/w/index.php?diff=6011609&oldid=5971839&title=MediaWiki_1.40 by Amousey.
If you mean that the page lacks an on-wiki fork of the release notes, I've never much done work on that side of the release process, leaving it to volunteers who think it's valuable. Personally, I think that writing those has always been a big time sink without a huge amount of value, and more likely to confuse than help; that's why they're not part of the release checklist.
More broadly, I'm hoping to transition the work I do mostly as a volunteer around MediaWiki releases to colleagues, who might want to take the opportunity to think about what's the best way of documenting these.
J. -- *James D. Forrester* (he/him http://pronoun.is/he or they/themself http://pronoun.is/they/.../themself) Wikimedia Foundation https://wikimediafoundation.org/
wikitech-l@lists.wikimedia.org