[01:14:40] <legoktm>	 !log library-upgrader moved a lot of old logs into /srv/data/archive/
[01:14:42] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Library-upgrader/SAL
[08:36:12] <xover>	 James_F: In re privacy policy and WMCS (cf. enws)… Am I missing something or are you saying essentially every Toolforge/WMCS-hosted gadget is in violation of the policy?
[08:45:53] <xover>	 What gets passed from the client's browser to Toolforge is the user's IP (because it's accessing the service at all), the project language, and the URL of the image to be processed.
[08:46:45] <xover>	 What gets passed from Toolforge to the Google Vision API is the __Toolforge__ instance's IP, and the URL of the image to OCR.
[08:47:45] <xover>	 I'm not seeing anything in there that would be a privacy policy issue that would not equally affect every Toolforge/WMCS-backed Gadget or user script on WMF wikis.
[09:10:58] <zhuyifei1999_>	 (tool maintainers won't even see the IP. urlproxy doesn't set XFF)
[09:11:43] <zhuyifei1999_>	 though, I remember someone claimed that the user agent is 'private'....
[09:39:38] <James_F>	 xover: Yes, transferring a reader's data to a third party (by making a request to a WMCS-hosted tool) is a violation of the privacy policy. You have to get their consent. Making a tool available by default bypasses the implicit consent when someone opts in to a tool.
[09:41:49] <James_F>	 xover: There's work underway to enforce this via a Content Security Policy, with production users having to manually consent (once) to sharing their data with WMCS before such loading will work.
[10:28:48] <gifti>	 there is a problem with my new instance, i have puppet role role::labs::lvm::srv enabled but it doesn't mount it and running puppet manually gives some errors, the instance is taxonbot-b.dwl
[10:30:34] <arturo>	 gifti: could you please share the error message?
[10:32:30] <gifti>	 https://phabricator.wikimedia.org/P9999
[10:37:57] <gifti>	 oh wait, i think now the image takes the whole disk space
[10:38:15] <arturo>	 too small image?
[10:38:40] <gifti>	 no, i think the role is now unnecessary
[11:10:10] <arturo>	 ok let me know if I can be of any help
[11:33:25] <arturo>	 !log tools reboot tools-k8s-control-3 to fix some stale NFS mount issues
[11:33:28] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools/SAL
[11:35:15] <xover>	 James_F: That has pretty darn big impact. Has this been widely communicated and I've just not been paying attention, or…?
[11:36:10] <xover>	 It also sounds pretty binary: are there any nuances in there regarding just exactly /what/ data gets shared?
[11:52:44] <James_F>	 xover: It's been this way for a decade.
[11:53:17] <James_F>	 xover: Yes. Any request is problematic because it conveys IP data and User Agent data (regardless of contents/use).
[11:58:25] <xover>	 James_F: Hmm. Ok, then what's changed that this is suddenly being enforced? Has WMF Legal made a new decree (triggered by GDPR or whatever), or is the ongoing work with CSP that suddenly makes it possible to enforce it technically?
[11:58:56] <James_F>	 The CSP work has been in the pipeline for years, but we're slowly getting there.
[11:59:37] <James_F>	 Enforcing this on a technical level is obviously going to be disruptive, so it won't just happen, there'll be announcements/etc. in Tech/News and other places.
[11:59:55] <James_F>	 (I'm not on the Security team, but I've been supporting their work on this.)
[12:00:22] <xover>	 Is the idea that the CSP work will provide some standard way to ask for and persist that consent?
[12:00:27] <James_F>	 Yes.
[12:00:43] <James_F>	 There was a proposal to make a trusted proxy inside the fence instead of asking for consent, but people felt it was too messy.
[12:00:45] <xover>	 (CSP is mostly just an acronym to me; I've not looked at the standard or the WMF work in in any kind of etail)
[12:00:53] * James_F nods.
[12:01:06] <James_F>	 Long-term we'll be locking things down more aggressively in general.
[12:01:32] <James_F>	 The big thing we want to avoid is e.g. remote loading of content in the reader context; we have alerts for this and go fix it, but we want it to be impossible straight-up.
[12:02:17] <xover>	 There was a recent discussion at enwp's Interface Admin noticeboard about cross-loading of scripts (libraries) between namespace on a single project, and between projects (e.g. HotCat loaded from Commons to enwp, or global scripts from meta to the local project).
[12:02:46] <James_F>	 Between projects is 'fine' from a privacy policy POV/
[12:02:49] <xover>	 (in the context of what's acceptable for a Gadget, vs. a normal user script)
[12:03:17] <James_F>	 I'd strongly recommend seriously thinking about security models, though. Do enwiki's IAs really trust the meta community to select IAs perfectly, etc.?
[12:03:36] <xover>	 Yeah, that was my comment in that thread too.
[12:04:04] <James_F>	 Generally, I don't use gadgets; if I want a feature badly enough, I'll work with other developers and we'll ship it in MediaWiki. ;-)
[12:04:06] <xover>	 Thread is https://en.wikipedia.org/wiki/Wikipedia:Interface_administrators%27_noticeboard#Gadgets_sourcing_user_scripts
[12:04:12] <xover>	 heh heh
[12:04:18] * James_F nods.
[12:04:54] <xover>	 But there's a big huge hole between what MediaWiki provides / WMF has resources to deliver, and what end users (incl. admins etc.) need or want.
[12:05:13] <James_F>	 Sure, and there always will be.
[12:05:26] <xover>	 Gadgets and an ecosystem around them is the only way I can see to sustainably fill that.
[12:05:37] <James_F>	 But every gadget is a failure, because people build the gadget and then move on, rather than use it as a testing ground to lobby for changes to the real system.
[12:06:12] <xover>	 And that means somehow enabling also hobbyist developers—with all the limitations that entails—to participate in the ecosystem.
[12:06:37] <James_F>	 Many do.
[12:06:55] <James_F>	 But fewer over the past few years, sadly.
[12:06:57] <xover>	 I think that's mainly because that gap is too big and the infrastructure not yet sufficient.
[12:07:22] <xover>	 There are limitations there that mean most software development practices don't really work for gadgets.
[12:07:38] <xover>	 Sharing libraries of code, i18n/l10n, unit testing, etc.
[12:08:02] <xover>	 (the historical baggage / technical debt doesn't help either, of course)
[12:09:21] <xover>	 My point is, with the lack of facilities for proper software development practices, and with hobbyist developers in the mix, requirements for stuff like asking for permission and persisting it is a pretty tall order; and raises the bar for participation in that ecosystem.
[12:09:44] <xover>	 Recruitment and retention trends being what they are, that sounds kinda scary to me.
[12:09:58] * James_F nods.
[12:12:49] <xover>	 Is phab:T28508 the central hub for the CSP work? And is Bawolff still the go-to person for that?
[12:12:50] <stashbot>	 T28508: Content Security Policy (CSP) - https://phabricator.wikimedia.org/T28508
[12:43:22] <arturo>	 !log admin icinga downtime cloudmetrics1001 for 128 hours
[12:43:24] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Admin/SAL
[12:52:09] <James_F>	 xover: Yes, and yes.
[17:10:04] <thcipriani>	 howdy all, just noticed some weirdness with labtestwiki as far as deployments/versions go, not sure of impact, but wanted to give you all a heads up to see if you had more info: https://phabricator.wikimedia.org/T241251
[17:17:24] <bd808>	 thcipriani: I think it got removed from the dsh group while things were broken on that host during reimaging. I'll ping a.ndrewbogott on the ticket for more context (he's in a far from home TZ right now)
[17:17:47] <thcipriani>	 bd808: ack, thanks
[17:17:59] <bd808>	 we should be able to pull the latest version there... I think
[17:18:36] <thcipriani>	 bold words for one of the last working days of the year :)
[17:18:59] <bd808>	 meh. its a staging/test site that nobody uses very much
[17:19:34] <thcipriani>	 ack
[17:20:19] <thcipriani>	 unrelatedly, but interestingly, while flailing at this ticket I learned that wikitech.org is owned by fandom.com
[17:20:32] <bd808>	 heh
[17:33:15] <bd808>	 thcipriani: its on wmf.11 now. We can sort out the dsh group stuff "soon"
[17:33:54] <thcipriani>	 cool, sounds good, thank you!
[20:53:29] <paladox>	 Hi, i'm getting this from a puppet-master:
[20:53:31] <paladox>	 Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Error while evaluating a Function Call, Failed to parse template puppetmaster/puppet-merge.erb:
[20:53:36] <paladox>	   Detail: undefined method `[]' for nil:NilClass
[20:53:37] <paladox>	  at /etc/puppet/modules/puppetmaster/manifests/scripts.pp:24:20 on node puppet-paladox.git.eqiad.wmflabs
[20:54:41] <paladox>	 Caused by https://github.com/wikimedia/puppet/commit/cadc0008caa1ab322ad5d97105bfc8a81137c249
[20:59:25] <paladox>	 Maybe bstorm_ or andrewbogott ^ ? :)
[21:00:52] <bstorm_>	 Looking around
[21:03:24] <bstorm_>	 fix is apparently on the way :)
[21:03:34] <paladox>	 thanks!
[21:23:29] <jeh>	 paladox: looks like it's fixed now, can you confirm?
[21:23:37] <paladox>	 jeh yup!
[21:23:40] <paladox>	 (it works!)
[22:28:06] <bd808>	 !log tools Re-enabled Puppet on tools-sgebastion-09. Reason for disable was "arturo raising systemd limits"
[22:28:09] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools/SAL