[16:18:29] found this in a test ticket on phab-01 https://en.wikipedia.org/wiki/Wikipedia:Please_do_not_bite_the_newcomers [16:25:44] WP:NOOB -- which itself says not to use wiki shorthand :) [16:29:14] found via another channel: https://taiga.io/# [16:29:26] looks slick and is FOSS [16:29:29] but :) [16:32:00] heh good luck to them [16:33:40] greg-g: Did you look at the stack behind it? ostgres, redis, rabbitmq, nodejs, nginx, python3, django, angular, circusd, gunicorn, celery, coffee-script, gulp, ... [16:33:54] It's a packager's nightmare [16:34:25] hah, no I didn't :) [16:35:53] ori emailed me about it last week right after we'd had a discussion about how monitoring tools tended to use all of the services that you could find in the heroku free tier [16:36:06] heh [16:37:13] greg-g: Hey do you have a link handy to the job description that I'm supposed to have a task done for today? If so pm please [16:39:26] yeppers [16:51:35] yeah one of the gifts that keeps on giving is the phab simple setup [16:51:45] to get from 0 to 1 at least that is [16:59:33] http://krebsonsecurity.com/2014/10/bugzilla-zero-day-exposes-zero-day-bugs/ [17:00:22] yeah they tackled that over teh weekend I think [17:00:35] twentyafterfour: can you see if https://phabricator.wikimedia.org/ (fresh activity) [17:00:38] gives you an error in chrome [17:00:39] ff is fine [17:00:41] chrome is not [17:00:50] android chrome is not either [17:00:57] I think [17:01:21] Exception: Query "projects" is unknown to application search engine "PhabricatorFeedSearchEngine"! [17:01:28] yep same thing as me [17:01:38] what would make that work in ff and not chrome I wonder? [17:02:01] I don't know I'll lpoke at it and see if [17:02:06] if I can figure it out [17:02:17] k thanks that would be great [17:02:38] I am also not wild about that "fresh" default query on teh homepage, it seems to be behind for whatever reason [17:03:16] and adds more than it's value in load for ever user for every home page hit when it's not useful 99999% of the time I think [17:03:17] idk [17:09:03] twentyafterfour, chasemp: works for me in chrome. Maybe something with groups you belong to? [17:09:15] hmmmm, yes maybe [17:09:33] but if I logout it's still broken so maybe not [17:11:47] seems like it's just logged out state that triggers it? [17:12:35] I get it logged in too I think [17:12:40] on android at least I do [17:12:52] first noticed it on mobile last night as I use ff on desktop [17:13:35] happens to me in firefox logged out [17:13:50] looks like an upstream bug to me [17:14:44] I think yeah [17:14:46] weird one too [17:18:49] PhabricatorDashboardPanelTypeQuery [17:19:06] it looks for a saved query named projects and doesn't find it [17:33:56] is the query not available to certain classes of user then? [17:42:31] trying to figure that out [17:43:04] would help if we had the developer console turned on in production [17:55:09] if ($this->requireViewer()->isLoggedIn()) { [17:55:11] $names['projects'] = pht('Projects'); [17:55:13] } [17:59:37] it's because of this: [17:59:39] https://phabricator.wikimedia.org/dashboard/panel/edit/2/ [18:00:02] it uses the "projects" query which only works when you are logged in ... but the panel is set to public on the home page dashboard [18:01:25] chasemp: should we change that panel to logged in only so it won't try to show it to logged-out users? [18:01:38] I think reverse is better, remove that query [18:01:51] as there are notes for not logged in folks on the main page [18:09:02] yeah I didn't realize that it doesn't just ignore panels that the user can't see... the way view policies work on dashboard panels is a bit funky [18:09:21] it should just omit things the user can't view instead of throwing exceptions and error messages [18:10:03] yeah if 1 thing is not public [18:10:08] it hides whole thing [18:10:12] confused me as well [18:10:22] but I guess for display purposes it's the easiest from their end, etc [18:10:41] I moved that query to a non-default position so now at least the exception isn't front-and-center [19:46:39] chasemp: confirmed, logged out shows 'restricted mailing list' [19:46:50] and I don't see any restrictive policies on lists [19:47:23] twentyafterfour, re: the bugzilla vulnerability you posted [19:47:30] that doesn't affect us much does it? [19:47:59] I don't think so, it was kinda funny though [19:48:19] what do we grant per-domain? I haven't been able to work out what my "WMF-members" permission actually does [19:49:41] twentyafterfour: that's weird isn't it? [19:54:50] twentyafterfour: Krenair we're patched for it [19:55:04] re bz [19:55:18] right, but what could it have actually exposed on our instance? [19:59:44] I was told no [19:59:48] it wasn't a big deal either way [19:59:51] fwiw [20:00:32] * greg-g nods [20:00:51] twentyafterfour: btw, see email, we're scheming to have you pretend to apply for your job again ;) [20:01:05] boy can that be interpreted badly [20:01:25] twentyafterfour: your help on a new opening's tech task would be appreciated (there, better) [20:17:32] Krenair, twentyafterfour: [OT] that blogger of bugzilla-zero-day-exposes-zero-day-bugs got quite some stuff wrong. But yeah, we handled that over the weekend for WM BZ [20:17:50] Ok. What does WMF-members actually do? [20:17:57] Krenair, your "WMF-members" permissions are based on a regex whether your email address ends in @wikimedia.org [20:18:02] yes [20:18:08] and if it does, you automatically get editbugs and canconfirm permissions [20:18:17] because I got too lazy setting that manually for every new WMF person [20:18:21] but that's all. [20:18:44] considering that more than 50% of the WM BZ users do have editbugs there's nothing really really bad in our case that would have happened [20:18:52] (people who have editbugs could mass-close tickets etc) [20:18:59] Okay, so it was a no-op for my account. Not for all [20:19:33] Do we do any other domain whitelisting? WMDE perhaps? [20:19:40] yes WMDE. but that's it [20:19:55] they get the same? [20:20:07] they both get canconfirm and editbugs. [20:21:00] I set that up out of pure personal lazyness, obviously. [20:21:27] laziness is great [20:21:38] ...and regarding the Bugzilla security issue, the BZ upstream devs once did it right and CC'ed maintainers they knew on Thursday before going public on Monday. I wish they did that more often and in a more organized fashion... [20:22:31] (e.g. having an updated list of Bugzilla maintainers out there. Or some opt-in. They do have a mailing list from ages ago so that none of the current folks is aware of it - I once pointed it out to their surprise.) [20:23:08] I wonder if Phab upstream folks have thought of this. Like... security pre-announcements to a restricted bunch of Phab admins out there. [20:23:20] I wonder if we've thought of this. [20:23:36] oops. heh. dogfood, trye, now that you say. [20:23:52] I sometimes see Wikia folks getting CCed on Sec issues. But that's all I'm aware of. [20:24:08] * andre__ always forgets that Wikimedia also creates and distributes software [20:24:57] :P [20:25:31] Krenair: we do give heads up to some people [20:25:32] Krenair, the problem is trust, as usual on the interwebs. What if I said "Hey, I'm an admin of an important MediaWiki installation out there." but in reality I'm just an evil cracker? [20:25:51] Krenair: tips/suggestions definitely appreciated, I know chris and team are wanting to make it better [20:25:52] andre__, how does bugzilla handle this? [20:26:43] Krenair: In case of last Thursday, one of the upstream devs CCs a whole bunch of BZ maintainers of big installations on the Security ticket so they get access [20:27:00] looking at that CC list I also see people who are NOT BZ maintainers in their companies anymore though. [20:27:10] keeping up-to-date = not easy at all [20:27:11] Okay. How did they handle this problem you bring up? [20:27:41] Yeah. I know it's difficult enough even within WMF. [20:28:53] Krenair, in my case I think due to being active on IRC, the mailing list, and having talked to some upstream devs in person so they know my name, but I really don't know if there's some approach that I'd call "handling this problem" [20:29:12] * andre__ enjoys this conversation, it's an interesting topic [20:30:08] Okay, so they just ignore the issue? :p [20:30:41] Krenair, can you define "the issue" again? Because I'm not sure what exactly the problem is :) [20:30:44] * andre__ needs more beer [20:30:55] Krenair, the problem is trust, as usual on the interwebs. What if I said "Hey, I'm an admin of an important MediaWiki installation out there." but in reality I'm just an evil cracker? [20:31:03] ah, alright [20:31:17] I don't think there's a way to solve. So...: [20:31:37] There is an invitation-only mailing list for maintainers of bigger BZ installations out there [20:32:06] but that one is called bugzilla-survey@ and was/is meant for bigger changes where upstream devs want feedback [20:32:25] and it's not really used. I'm extremely sure that most upstream maintainers do not even know it exists [20:32:33] because of fluctuation among upstream devs/maints [20:33:00] I think that's what I'd see as an approach though - using that mailing list for pre-announcements. [20:33:21] but they don't do that. They were surprised when I pointed out the existence of that mailing list a few months ago [20:33:54] sure you could enforce auth via GPG keys or so, I guess. [20:34:12] because that's the tools we're left with in our broken internet. [20:52:55] chasemp, @flimport will assign/CC tasks previously assigned/cced in fab based on the email addresses of the user, right? [20:53:10] sort of [20:53:14] cc's yes [20:53:16] author setting yes [20:53:22] assigned -- only if the assignee is empty [20:53:28] I'm not overriding a more recent assignee [20:54:31] ... what? [20:55:17] Aren't you reproducing the entire history? [20:55:53] thanks chase [20:55:54] I don't understand the question, history of what? [20:56:27] Krenair: if the bz import happens THEN the assignee is changed THEN the original assignee finally signs up to Phab THEN it won't be reset [20:56:35] oh [20:56:38] yes^ [20:56:51] * greg-g highfives chasemp [20:57:21] Krenair, if fab tasks have changed assigned since the import, it makes total sense to leave the current assigned instead of bringing back the old ones [20:57:35] so if it's overwritten after initial migration, then the migration script won't pop up again and reset to the BZ version? [20:58:41] Krenair: there's only one migration [20:58:54] let's see :) [20:59:06] Krenair: it's the per-user-after-the-signup thing that won't reset the assignee if it's already changed [20:59:10] ah [20:59:15] qgil: true, "hopefully" there's only one migration [20:59:31] fab migration, rt migration, bugzilla migration [20:59:54] oh, I was only speaking, and the conversation was only really about, the BZ one :) [21:00:03] (I think) [21:00:09] it works the same for all :) [21:00:13] at least that is how I've done it thus far [21:00:27] I just wanted to make sure that Krenair gets it right [21:00:40] qgil: what you said is correct [21:00:56] and should probably go in teh wiki w/ that verbage [21:01:16] thanks qgil and greg-g :) [21:01:42] ok, I'm writing now the announcement of the registration open for everyone [21:03:59] :) [21:04:00] yay [21:05:22] thanks \o/ [21:24:31] andre__: btw, should we/you starting thinking about ways of marking "projects" as discontinued/dead in phab? ie: old extensions that are no longer maintained by anyone etc? Or is that too political? [21:25:17] technically, you can "archive" projects in Phab, just as you can "close for new bug entry" components or products in Bugzilla [21:25:30] socially... that's more complicated to agree how to define when a project is dead [21:25:44] I do like git activity statistics. [21:26:39] * greg-g nods [21:27:01] now getting automated git activity statistics in a readible format (number of authors in last 12m, bus factor) would be lovely. [21:27:08] I'm thinking right now about "PDFHandler" and how people will/do report bugs about PDF rendering there for obvious reasons [21:27:16] I once tried this with funny shell scripts in my previous life for Apache and GNOME repos [21:27:22] intsead of OCG/Collection [21:27:38] greg-g, we could rename that component or archive it at some point. [21:28:27] * greg-g nods [21:28:37] I leave the thinking on that up to you :) [21:36:46] should be easy to fix / work around if we run into that problem, I think [21:36:52] qgil: good announcment. short and sweet and next steps. [21:37:26] it feels good, isn't it!? [21:38:54] greg-g: in general and in the very long run I dream of a bug tracker querying once a week the code repository of the software project. [21:38:54] As one stupid example, that would allow funky things like displaying a banner when someone wants to file a ticket, "Low activity: 2 people have made 2 changes in the last 12 months. Don't expect your ticket to be looked at soon." [21:39:06] And forges like Phabricator will likely make this already way easier. [21:39:16] yeah [21:39:38] did Launchpad ever do anything like that? [21:39:40] you could do that now almost [21:39:47] there is already a "there are no reviewers for this" [21:39:54] or "all reviewers are on vacation" [21:40:01] greg-g, not that I am aware of, but I only use Launchpad maybe once every two months [21:40:02] same spot for "few reviewed tickets for the repo" logic [21:40:13] andre__: /me nods [21:40:17] yeah. that's lovely. I see the future that I dream of getting a bit closer. [21:41:02] There's a billion things I'd love to see in issue trackers. Maybe I should learn programming at some point. :) [21:41:35] e.g. direct feedback while creating a bug report - "You mentioned the word crash in the summary. Attaching a stacktrace will get your bug report fixed twice as fast" etc etc [21:41:56] I see academia prototype implementations, but noone trying to push that upstream [21:42:03] anyway, I'm very high level meta ranting offtopic :) [21:47:35] the problem is the places where there is money don't have the same feature needs as a FLOSS project accepting bug reports from anyone [21:48:04] in closed/internal only projects they have awesome things, but their users have a high level of domain-specific knowledge [21:52:06] burndown charts in phab-01! https://phab-01.wmflabs.org/burndown/view/12/ [21:52:17] well, chart (singular), but still :) [21:53:42] qgil: where do I look for more info/planning for that work? [21:53:50] (and to report feature requests) [21:54:35] greg-g, have you searched "burndown" in phabricator.wikimedia.org? [21:54:39] yes [21:54:39] greg-g: christopher from WMDE did the change [21:54:41] https://phabricator.wikimedia.org/T153 [21:54:47] those are just tracking bugs [21:54:48] it's only in labs for now [21:55:03] there's no "burndown" or whatever project [21:55:24] greg-g, you can propose one to Chris [21:55:39] although... [21:55:41] ok, so there's nothing right now? [21:55:48] do you really need one now? [21:55:58] T153 [21:56:05] that's all [21:56:28] I don't want a bug to comment on about the general thing, I want to be able to report either bugs or feature requests and make sure he sees them/can prioritize/triage/etc [21:56:39] greg-g, I'd recommend you to file subtasks for now, and/or to work on the description of T153, or draw the plan in a wiki page. [21:56:43] * greg-g nods [21:57:05] I'm not going to futz with their plan, I want to do low effort drive by contributions, that's all I have time for right now [21:57:41] time for yet another meeting! [21:58:27] yes, WMDE is the only one that will be directly screwed with their project management tools as soon as Bugzilla goes read-only, so I'm not planning to bother them at all with "structure" before they get their minimum requirements implemented [21:58:57] (or even after) :) [21:59:48] :) yeah [22:40:12] I just realized that now projects have an option "Lock project: Prevent members from leaving this project." [22:40:18] that is... interesting [22:40:36] YOU WROTE THIS S*** SO YOU'RE GONNA GET ALL THE MAILS [22:40:42] quick make a project called hotel california [22:40:43] :D [22:41:35] * qgil is very tempted to check the box in the Bugzilla-Migration project, as in NOBODY IS GOING ANYWHERE [22:42:03] bd808: if you end up using a kanban board of sorts with phab, do let me know how it goes / write up instructions / write up something :) [22:42:07] * YuviPanda is interested in trying as well [22:43:21] YuviPanda: will do. I guess I just have to wait until new project creation is open and beg for my own project to test it with. [22:43:29] * bd808 counts the days [22:43:31] bd808: you can test on phab-01! [22:44:13] YuviPanda: Well the real value will be doing it in the actual bug tracker. I already have a place where I can copy-paste to run a kanban board. [22:44:13] bd808: I can make you admin there if you'd like [22:44:18] hmmm [22:44:19] ok [22:46:00] yeah, getting the real bug backlog in phab will make it useful [23:44:35] Hi! Is it a known problem that links on https://phabricator.wikimedia.org/settings/panel/external/ for usernames containing spaces are wrongly encoded as "+" instead of "_"? [23:44:58] This breaks the link (which says the account does not exist on MediaWiki, while the version with "_" exists) [23:45:10] andre__: ^ [23:45:20] yes [23:45:48] do you have the task link ? [23:45:53] https://phabricator.wikimedia.org/T547 I guess [23:46:08] if that's not the one then it's not known [23:46:29] and your issue sounds slightly different now that I reread it [23:48:31] a ptwiki user just tested and got a link to https://www.mediawiki.org/w/index.php?title=User%3ADiego%2BQueiroz [23:48:45] instead of https://www.mediawiki.org/w/index.php?title=User%3ADiego_Queiroz [23:51:39] Helder: Is the link on the user page (eg https://phabricator.wikimedia.org/p/bd808/) correct? I see that the link in my settings panel is wrong, but in my profile it's right. [23:59:55] bd808: the link on https://phabricator.wikimedia.org/p/DiegoQueiroz/ is correct