[00:24:54] gn8 folks
[01:11:15] mwalker: ping
[01:23:19] ori-l: pong
[01:23:40] mwalker: filling out a bugzilla bug, sec
[01:23:53] but the short of it is: did you ever figure out the namespace weirdness on testwiki?
[01:24:07] because I just ran into the same exact issue on test2wiki (namespace registered by hook not fully registering)
[01:24:18] and worked around it the exact same way you did (explicitly declared it in the configs)
[01:24:20] oh ya -- extensions should use the canonical_namespaces hook
[01:24:28] I do.
[01:24:33] It works wonderfully on metawiki.
[01:24:37] It doesn't on test2wiki.
[01:24:56] I'm referring to the changes you made in this patch: https://gerrit.wikimedia.org/r/#/c/46647/
[01:25:41] right -- so that was because I was originally adding the namespaces via the $wgExtensionFunctions[] hook system
[01:25:47] which happened too late
[01:26:00] but, CanonicalNamespaces should always happen at the right time
[01:26:38] Hrm.
[01:27:23] I will say that I'm adding my namespace to both the $namespaces param in that hook; and then to all the other fun arrays
[01:27:35] but -- I haven't tested this on test2
[01:27:49] only test
[01:28:51] Hrm, so this may be unrelated.
[01:29:15] Very confusing. Do you mind if I copy-paste some of your comments into the bug report? I want to be comprehensive but I'm passing out from exhaustion.
[01:29:23] go for it
[01:29:26] Thanks.
[05:25:31] ori-l: spagewmf: Danny_B wants some clicktracking
[05:25:39] Danny_B: what do you want?
[05:26:35] jeremyb_: I call your ClickTracking and raise you stdout and stderr merging and redirection in one: instead of '2>&1 >', just '&>'.
[05:26:53] ori-l: i knew that :)
[05:27:19] nuh-uh! https://gerrit.wikimedia.org/r/#/c/49200/
[05:27:54] Danny_B: you want clicks? I got clicks.
[05:27:56] * ori-l clicks.
[05:28:42] ori-l: but you got it backwards. it's '> 2>&1' == '&>'. not the same as '2>&1 >'
[05:29:07] * ori-l squints.
[05:29:28] Other way around, I think.
[05:29:45] no. otherwise my command would have had no output
[05:30:00] but you can clearly see in your link that there was output
[05:30:20] god damn it.
[05:30:24] you're right.
[05:30:34] :-) :-)
[05:30:35] * ori-l throws his chips at jeremyb_.
[05:31:19] btw, does this look right? יום הולדת שמח‎!‎
[05:31:56] do you want to review the thing you linked? :)
[05:33:09] are you kidding? ops doesn't trust me further than they can throw me
[05:33:14] I can't +2 in puppet
[05:33:24] you can +1
[05:33:53] Well, OK.
[05:33:55] * ori-l looks.
[05:34:45] this came up because of HTTPS Everywhere btw. may help to read the ticket
[05:37:32] ticket schmicket
[05:38:47] This file uses the 'NameVirtualHost'. I'm reading the docs and it sounds like it could potentially help you avoid duplicating configurations.
[05:39:30] But I need to read a bit more, I think.
[05:40:47] also, re: the above, it's correct, but not my birthday
[05:40:56] hahaha, yeah
[05:41:00] it's harej's birthday
[05:41:33] but it comes out really weird on my end
[05:47:06] Apache docs designed to confuse and hypnotize: "With the NameVirtualHost directive you specify the IP address on which the server will receive requests for the name-based virtual hosts. This will usually be the address to which your name-based virtual host names resolve."
[05:48:07] At no point while reading that sentence do I feel confused, but by the end of it I'm not sure what I read.
[05:51:36] Heh: http://bec-systems.com/site/528/apache-and-how-to-correctly-use-namevirtualhost
[05:51:52] Comment: 'Whenever I read through the Apache docs, my eyes go into a spiral'
[05:52:45] ori-l: so, where my patch has *, you could have an IP address instead of *
[05:52:55] (or a hostname)
[05:54:04] well, what do you make of this? http://www.centos.org/docs/4/4.5/Reference_Guide/s2-apache-namevirtualhost.html
[05:54:10] "Name-based virtual hosts only work with non-secure HTTP connections. If using virtual hosts with a secure server, use IP address-based virtual hosts instead."
[05:54:28] errr
[05:55:01] Is a wildcard a host or an IP?
[05:55:03] * ori-l cries.
[05:55:23] maybe that's just really old?
[05:55:34] ok! +2, merged.
[05:55:56] But seriously: I don't know. Let me read the ticlet.
[05:56:01] * ticket
[05:56:25] * jeremyb_ thinks SNI, or in our case wildcard. you have to support name based virtual hosts
[05:56:29] i think
[05:57:35] wow, there's a lot of new parts of gerrit that i haven't explored yet
[05:59:13] hah, i was going to look at the main cluster apache conf to compare to
[05:59:20] but of course we don't have HTTPS there at all
[05:59:24] (it's all in nginx)
[05:59:46] Well, you are consistent with the pattern established in that particular file
[06:02:46] Ok, this is a fairly clear explanation: http://httpd.apache.org/docs/2.2/vhosts/name-based.html
[06:02:51] And I think you're correct
[06:07:07] ok, I think I get it now. Re: the security issue raised above, see the first two paragraphs here: http://wiki.apache.org/httpd/NameBasedSSLVHosts
[06:09:39] So, help me pinpoint which of the scenarios applies
[06:11:28] I think it's:
[06:11:55] "In reality, Apache will allow you to configure name-based SSL virtual hosts, but it will always use the configuration from the first-listed virtual host [...] this will work if [...] all the VirtualHosts are within the same domain, eg: one.example.com and two.example.com."
[06:12:46] So I think the SSLCertificateFile and SSLCertificateKeyFile directives you added will be ignored
[06:13:46] that's maybe still wrong. e.g. for SNI. but i've never used SNI so idk
[06:13:52] * jeremyb_ clicks the link
[06:15:20] If I understand this correctly, several of the configurations in this file (not just your change) are effectively useless
[06:15:28] right
[06:15:34] well, no
[06:15:42] just the SSL options are useless
[06:15:46] the rest is used
[06:15:58] right
[06:16:03] lines 56 and 57, for example
[06:17:11] yeah, kinda funny that the secondary domain name block is where it's taken from and the main name for the server is ignored
[06:17:15] but they're identical
[06:17:28] (assuming the link you gave is right which it probably is)
[06:17:49] right, I think the actual behavior happens to be correct, but it's in spite of the configuration rather than because of it
[06:18:08] at least there isn't the kind of causal relationship between configuration and behavior that someone reading this file might expect
[06:18:21] anyway, we need to get someone to test it out and verify it works right or not
[06:18:35] well, if we're right, it'll work "right"
[06:18:55] but this file would still be a little wtf
[06:21:31] basically what happens is this, right:
[06:22:03] client sends ClientHello
[06:22:12] server has to respond with certificate
[06:22:18] but server does not know what host name client is requesting
[06:22:29] so server uses the first one that matches
[06:22:57] in this case line 45
[06:23:00] Just noting for the logs that wikitech wiki had weird sidebar cache earlier today.
[06:23:16] Purging MediaWiki:Sidebar (and then purging individual pages) seems to have fixed it.
[06:25:16] Susan: If you're nice to Tim-away he might update WT to the current stable version
[06:25:37] I'm always nice.
[06:25:42] And he updated it fairly recently.
[06:25:46] [Citation Needed]
[06:25:52] The sidebar cache was bizarre. It reverted to the default system message.
[06:26:08] So there were links to community portal, etc., rather than links to server admin log, etc.
[06:26:23] 1.19.2 is what it's running .3 is current sec rel and 1.20.2 is current stable
[06:26:49] jeremyb_: where I get a little confused is here: once the handshake completes (successfully), if the requested server name does not have the directives indicating the certificate and key file, does it matter?
[06:27:16] I'm not sure, but I think the answer is "no", meaning that if you were to take these lines out everything would work exactly the same and be less confusing.
[06:27:50] maybe... the existing blocks choose to be redundant and more redundancy definitely won't hurt
[06:29:08] Well, come on: if I said "redundancy doesn't hurt, so copy and paste the SSLCertificateFile directive five times"
[06:29:25] You'd reply, "don't be an idiot, it won't do anything more than having it once."
[06:30:10] how do you know? :)
[06:30:24] some form of bash magic involving pipes and redirection
[06:30:46] I think it's important to have the server's behavior match the story that is told by the configuration file, and that's not currently the case.
[06:31:13] * jeremyb_ learned a new word yesterday: zug (zoog?) == pair
[06:31:49] ori-l: they all really do use the same key. both in config and in reality
[06:32:08] yes, but not the same directives
[06:32:10] (and cert)
[06:32:36] I think I'm right and I think you know it too :P
[06:32:49] i really don't know. it might not work
[06:33:02] the most important piece is SSLEngine On
[06:33:18] at minimum there should be a comment saying "These directives are voodoo: they are never acted upon, but they need to be there for Apache not to freak out."
[06:33:28] but my hunch is that they are not actually required.
[06:33:55] in which case they should be removed, and a comment explaining this behavior should be put in their place.
[06:39:38] i'm trying to decide which way i prefer
[06:40:05] but in any case it needs testing
[06:41:00] the example on your most recent link doesn't have one the way you want. it does have the redundancy
[06:41:09] 15 06:07:07 < ori-l> ok, I think I get it now. Re: the security issue raised above, see the first two paragraphs here: http://wiki.apache.org/httpd/NameBasedSSLVHosts
[06:41:12] that link
[06:50:55] ori-l: http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslstrictsnivhostcheck is interesting
[06:52:09] hey tip
[06:54:09] Hello.
[06:57:29] Hi Tiptoey
[06:57:32] Tiptoety*
[06:57:33] you wrote me an essay
[06:57:45] I -1'd because I think there is no way this doesn't (at minimum) deserve a comment
[06:57:52] i think i read most of it in the channel already though :)
[06:57:53] and a test to verify the assumptions are correct
[06:58:02] Hi Jasper_Deng.
[06:58:06] but it's a good patch otherwise, and I'm glad you work on that kind of stuff.
[06:58:16] jeremyb_: Essay?
[06:58:20] right, but that's true for the current incarnation as well :)
[06:58:24] Tiptoety: ori-l wrote it
[06:58:30] * Tiptoety nods
[06:58:34] That makes more sense.
[06:58:46] 15 06:55:51 <+gerrit-wm> New review: Ori.livneh; "Patch Set 2: Code-Review-1" [operations/puppet] (production) C: -1; - https://gerrit.wikimedia.org/r/49200
[06:59:12] ori-l: well i was just exploring RT a little
[06:59:26] and jumping around from BZ to RT and back
[06:59:40] oh, you finally got RT access. congrats.
[07:00:17] (that sounded sarcastic but wasn't.)
[07:00:38] well *I* had some idea, we've discussed it before :)
[07:01:46] remind me
[07:01:46] anyway, thanks. thought about telling you. i guess i forgot
[07:13:20] [640c60c4] 2013-02-15 07:13:09: Fatal exception of type MWException
[07:13:29] when posting a message on talk, mw.o
[07:13:46] i'll look
[07:13:58] diff got saved: https://www.mediawiki.org/w/index.php?title=User_talk%3APeteforsyth&diff=646726&oldid=505852
[07:15:43] Echo
[07:15:51] Let me see if I can fix
[07:20:56] https://www.mediawiki.org/wiki/Feature_map
[07:20:59] That page is new to me.
[07:22:20] Split from the White Paper®, it seems.
[20:54:29] AaronSchulz: would it be OK to use the redis driver you integrated into core to power an extension? Specifically, the extension would read a redis and update a redis sortedset of up to a 1000 integer article IDs, each with an integer score (unix timestamp, likely).
[20:55:35] This is for presenting new users with tasks, initially only on enwiki, so redis will only be accessed about 3,000 - 4,000 times a day, because that's the typical number of new accounts / day.
[20:56:03] Are we going to step on your toes or complicate your life in any way by doing that?
[21:33:45] MatmaRex: I should probably explain https://gerrit.wikimedia.org/r/#/c/49350 ...
[21:35:26] kaldari: if you promise this doesn't break the stuff that works now, i don't even want to hear it. :P
[21:35:44] It shouldn't break anything
[21:35:59] kaldari: the recent bugs caused a few widely-used gadgets on pl.wikipedia to save error messages into wikitext and edit summaries
[21:36:15] and a few others to display visible errors in various places
[21:36:50] the categorytree trees on category pages were borked as well
[21:37:14] I think some of that was caused by change Ifbeae7e9, which caused lots of extension bugs as well
[21:37:55] This revert is basically just a temporary reprieve from disallowing HTML in JS i18n messages so that I can fix some extensions that rely on that behavior
[21:38:10] alright, makes sense
[21:38:39] and i realized what is actually being reverted now
[21:38:40] the revert will be reverted itself in 2 weeks, going back to the more restrictive behavior implemented at the beginning of Feb in change Ifbeae7e9
[21:39:15] this is just to allow for some breathing room to fix many of the resulting bugs
[21:39:36] yeah. thanks for the explanation
[21:39:40] i just +1'd ;)
[21:39:43] thanks!
[21:41:15] ori-l: you mean that pool thing?
[21:47:00] hi
[21:48:39] here www.mediawiki.org/w/index.php?title=Special:Translate&group=agg-Help%3ANarayam&language=uk i see that there are 47 untranslated massages at Help:Narayam but when i'm clicking a link i see that there is no untenslated massages ( http://www.mediawiki.org/w/index.php?title=Special:Translate&group=agg-Help%3ANarayam&language=uk ) where is the truth ?
[21:48:46] *messages
[21:49:18] *untranslated
[21:51:55] Base-w: maybe you're looking for #mediawiki-i18n
[21:52:55] Base-w: ?