[14:08:16] Phabricator: Goal: The majority of WMF developer teams and sprints have moved to Phabricator - https://phabricator.wikimedia.org/T825#954984 (Gilles)
[14:08:19] Multimedia, Phabricator: Migration of Multimedia to Phabricator - https://phabricator.wikimedia.org/T827#954982 (Gilles) Open>Resolved >>! In T827#939093, @Qgil wrote: > Is there anything else left to migrate here? Nope, we're done!
[14:16:31] ops-core, operations, Phabricator: Sanitise a Bugzilla database dump - https://phabricator.wikimedia.org/T85141#954999 (Dzahn)
[14:19:23] ops-core, operations, Phabricator: Sanitise a Bugzilla database dump - https://phabricator.wikimedia.org/T85141#955003 (Dzahn) now that we can write: Deleting product 'Security'... Deleting 0 bugs in security groups... Done DBD::mysql::db selectcol_arrayref failed: Table 'bugzilla.longdescs_tags'...
[14:19:47] andre__: next attempt to use sanitizeme.pl:
[14:19:58] Table 'bugzilla.longdescs_tags' doesn't exist hrmmm
[14:20:22] and once again we would need a db schema which doesn't exist
[14:27:54] § Phabricator-Sprint-Extension, Phabricator: Create a continuous integration plan for Wikimedia Phabricator patches - https://phabricator.wikimedia.org/T85123#955026 (Christopher) I would like to deploy the latest version of Sprint 0.6.2.7 to production. I have been proactive in implementing fixes in order t...
[14:41:19] ops-core, operations, Phabricator: Sanitise a Bugzilla database dump - https://phabricator.wikimedia.org/T85141#955057 (Dzahn) it's from: ``` sub delete_deleted_comments { # Delete all comments tagged as 'deleted' my $comment_ids = $dbh->selectcol_arrayref("SELECT comment_id FROM longdescs_tags WHER...
[14:57:33] ops-core, operations, Phabricator: Sanitise a Bugzilla database dump - https://phabricator.wikimedia.org/T85141#955075 (Dzahn) our version: 4.4.5 - script says "Last validated against Bugzilla version 4.0" ---- 06:52 -!- Irssi: Join to #bugzilla was synced in 0 secs 06:55 < mutante> hi. i'm trying to use "s...
[15:09:44] mutante, yeah, personal tags were changed between 4.2 and 4.4
[15:12:52] mutante, on the other hand, https://bugzilla.mozilla.org/show_bug.cgi?id=616185 is marked as resolved for 4.2 already. hmm.
[15:15:05] mutante: ah, so probably the other way round - sanitizeme.pl was probably never tested with 4.2 :)
[15:31:34] Legalpad, Phabricator: Make mediawiki username searchable - https://phabricator.wikimedia.org/T783#955130 (Qgil) The change was merged and I'm trying to test it, but I can't find a user that has introduced a MediaWiki username different than their Wikimedia Phabricator username or 'also known as'... Help!
[15:41:55] Legalpad, Phabricator: Make mediawiki username searchable - https://phabricator.wikimedia.org/T783#955163 (chasemp) I _think_ we need to reindex for this, but there are some things incoming that require it as well and so I haven't done it yet (assuming very resource intensive)
[16:15:27] Phabricator: Determine policy for Phabricator multi-factor authentication reset requests - https://phabricator.wikimedia.org/T85706#955288 (chasemp) >>! In T85706#952759, @JohnLewis wrote: > Following more or less what https://wikitech.wikimedia.org/wiki/Password_reset/Confirming_identities describes seem a f...
[16:33:22] Phabricator.org, § Phabricator-Sprint-Extension, Phabricator: Restricting modification of tasks when they enter sprints - https://phabricator.wikimedia.org/T819#955342 (Christopher) Right. The discussion here https://secure.phabricator.com/T5204 references the idea of restricting the moving of cards on a wor...
[16:38:28] chasemp: do you still want to try deploying the security extension & friends today?
[16:39:11] yep, I have a few meetings here coming up, I was going to run through it again in a minute and then do it after
[16:39:11] I think it's all staged in gerrit?
[16:39:56] yep
[16:40:12] I'll drop you a note when I merge things?
[16:40:16] ok
[16:40:17] and we can start keeping an eye
[16:40:22] cool
[16:40:54] yay.
[16:42:54] andre__: yes, it says "4.0" grmbl
[16:44:39] Mozilla quality!
[16:46:33] need to figure out what the new table names are
[16:46:38] or if the old ones can be skipped
[17:55:59] twentyafterfour: about?
[17:58:13] chasemp: yo
[17:58:28] ran into an issue I think, I was noodling on it
[17:58:38] and if I create a herald rule that CCs me on "every" for a task
[17:58:45] and then someone tries to set a security-bug issue to public
[17:58:54] I get cc'd on a non-priv-non-associated account
[17:59:03] as herald applies it __before__ doing its fixup on the ACL
[17:59:26] so in essence, anyone can CC themselves if they can get an admin to try to public an issue using regular herald rules
[17:59:36] i.e. herald for anything here sucks
[17:59:51] can we move that logic out of herald entirely and have it in the same place as the other acl fixup via event?
[18:00:28] and since CC == policy
[18:00:33] bleh
[18:00:35] hmm
[18:00:50] yeah I can kill the herald rule entirely I guess
[18:00:57] seems that would be best
[18:01:02] herald policing itself is just unworkable
[18:01:50] I guess we have to make a case to upstream that keeping the event api is kinda necessary for now (and I doubt they will kill the events any time too soon)
[18:02:06] (agreed I doubt it goes anywhere for a long time)
[18:02:15] dunno why I ()'d that really
[18:02:37] if we seriously had to we could shim our own stuffs in the edit controller
[18:02:44] and I think it would be ok, though not loveable
[18:03:06] the way the events work is really nice ... it sets up the transactions, then passes the array of transaction objects to the event handler... the event handler can modify the list of transactions before they have any effect - something herald just doesn't handle properly at all
[18:03:30] right
[18:03:31] plus you end up with herald noise all over
[18:03:34] which can be good and bad
[18:03:41] but impossible to control sanely
[18:03:44] e.g. it's explicit that the event handler can override anything or leave well enough alone. it's very powerful and clean
[18:04:22] herald is great for non-programmers to customize behavior but it's not a clean way to interact with the core at all
[18:04:58] agreed my guess is they come to that conclusion as well as the userbase grows
[18:04:59] and the core api is well designed so my event handler shouldn't break with upstream changes unless they totally overhaul the way transactions work
[18:05:02] userland stuffs sure
[18:05:48] the event handler is able to pass over transactions it doesn't understand without damaging anything, it only acts on transactions which it explicitly knows what to do about
[18:06:13] is herald just a fancy event consumer?
[18:06:31] the worst part is that I go in and replace any policy related changes with my own programmatically generated versions of the same (but only on creation not on edit)
[18:07:31] herald doesn't work on the event system really, it's got its own hooks into the internals of maniphest (and the other systems that support herald) ... herald is not abstracted away from the internals at all
[18:07:56] ah pity, it would have been cool if it was just another consumer
[18:08:01] and then it was all fleshing out events
[18:08:12] so it's an entire event system all its own but not general at all it's case-specific
[18:08:40] so what do you think man? just move it all to the event system and remove herald dependencies?
[18:08:47] seems like the least whack-a-mole approach
[18:08:47] the main drawback to herald though is it's too powerful ..so overriding it is difficult
[18:09:16] Legalpad, Phabricator: Make mediawiki username searchable - https://phabricator.wikimedia.org/T783#955542 (Jalexander) Philippe or most staff accounts? Anyone with (WMF) in their mediawiki account.
[18:09:25] yeah just ditch it for now, I think our needs are well handled with events
[18:09:32] agreed, I'm on board
[18:09:42] I even figured out how to log changes with a mock user the way herald does
[18:10:00] oh nice actually I was going to ask if some log was possible
[18:10:06] but I figured lots of trouble
[18:10:31] not much trouble - it's actually necessary to log most of the changes I think
[18:11:33] anything that's transactional needs an actor (user or mock user), content source (web/api/unknown), old value and new value
[18:11:57] right
[18:11:58] so gime about 20 minutes to delete herald
[18:24:32] Phabricator: Migration of Mobile Web team to Phabricator - https://phabricator.wikimedia.org/T830#955647 (Jdlrobson) It's not really clear to me what this bug means. We are using Phabricator exclusively for managing bugs now instead of Trello and we are now putting engineering specific tasks here instead of...
[18:38:38] chasemp: ok should be ready ... gonna test real quick then I'll post it to gerrit
[18:38:45] k
[18:40:15] Phabricator: Determine policy for Phabricator multi-factor authentication reset requests - https://phabricator.wikimedia.org/T85706#955720 (csteipp) Yeah, to reset 2fa, we really need a second identity proof other than the signin. * We should be issuing scratch tokens when 2fa is setup, so that's what users...
[18:46:19] Phabricator: Determine policy for Phabricator multi-factor authentication reset requests - https://phabricator.wikimedia.org/T85706#955738 (chasemp) >>! In T85706#955720, @csteipp wrote: > * I don't really like email, since email lets you reset the mediawiki password, so that basically reduces to "controls th...
[18:47:37] Phabricator: Determine policy for Phabricator multi-factor authentication reset requests - https://phabricator.wikimedia.org/T85706#955740 (valhallasw) >>! In T85706#955720, @csteipp wrote: > * If they are well known on irc, and have an identity with freenode, I think that would be a sufficient check This al...
[18:49:30] Phabricator: Determine policy for Phabricator multi-factor authentication reset requests - https://phabricator.wikimedia.org/T85706#955744 (chasemp) It is a high value target when we consider the operational data (serial numbers / vendor contacts / support contracts / etc) For the migrated RT content especia...
[18:49:58] Legalpad, Phabricator: Make mediawiki username searchable - https://phabricator.wikimedia.org/T783#955751 (Chad) >>! In T783#955163, @chasemp wrote: > I _think_ we need to reindex for this, but there are some things incoming that require it as well and so I haven't done it yet (assuming very resource intensiv...
[18:49:58] Phabricator: Migration of Mobile Web team to Phabricator - https://phabricator.wikimedia.org/T830#955752 (Qgil)
[18:55:24] Phabricator: Migration of Mobile Web team to Phabricator - https://phabricator.wikimedia.org/T830#955772 (Qgil) p:Normal>Low This task tracks the complete migration of the Mobile Web team to Phabricator, leaving Trello behind. Following your reasoning, I just added T18 as blocker of this task, which a...
[18:57:41] Legalpad, Phabricator: Make mediawiki username searchable - https://phabricator.wikimedia.org/T783#955777 (Qgil) >>! In T783#955542, @Jalexander wrote: > Philippe or most staff accounts? Anyone with (WMF) in their mediawiki account. If you start typing "Phi..." in the search field, Philippe already appears a...
[19:02:23] Legalpad, Phabricator: Make mediawiki username searchable - https://phabricator.wikimedia.org/T783#955801 (Chad) How about mine ;-) MediaWiki username is "^demon", everything in Phab is "Chad"
[19:02:40] Phabricator.org: Task says "Restricted Mailing List" instead of "wikibugs-l" - https://phabricator.wikimedia.org/T76988#955802 (Qgil)
[19:03:04] Legalpad, Phabricator: Make mediawiki username searchable - https://phabricator.wikimedia.org/T783#955804 (jeremyb-phone) how about @Capt_Swing ?
[19:07:54] Cannot access https://phabricator.wikimedia.org/T84941 (which is linked at https://secure.phabricator.com/T6367 ). No big deal at all, I just want to make sure that the policy is correct.
[19:09:18] qgil, policy looks sane to me.
[19:09:38] qgil: phabricator and wmf-nda groups and 2 users
[19:09:55] ok, thanks
[19:10:09] wait, I'm in the phabricator team
[19:10:34] hmm. yes, you should be able to view it...
[19:10:54] yea, looks like you should
[19:10:59] Now I can...
[19:11:36] ah, the policy was just changed by chasemp . Thanks
[19:18:53] Phabricator: Determine policy for Phabricator multi-factor authentication reset requests - https://phabricator.wikimedia.org/T85706#955858 (Florian) >>! In T85706#955720, @csteipp wrote: > * We should be issuing scratch tokens when 2fa is setup, so that's what users should use > * For developers, we can proba...
[19:32:49] Phabricator.org, Phabricator: Do not send emails when importing changes to Diffusion - https://phabricator.wikimedia.org/T78154#955907 (Aklapper)
[19:32:50] Phabricator: Access denied when trying to view Diffusion commits - https://phabricator.wikimedia.org/T85047#955904 (Aklapper) Open>Resolved a:Aklapper https://secure.phabricator.com/T6790 is resolved in upstream so closing as resolved here too. Will be fixed in this instance when the next code deploy...
[19:43:09] Phabricator: Determine policy for Phabricator multi-factor authentication reset requests - https://phabricator.wikimedia.org/T85706#955926 (valhallasw) Ah, I had not considered that. Looking through the Phab source, it's not entirely trivial to limit TOTP to WMF employees, but it might be possible to subclass...
[19:45:51] Phabricator: Determine policy for Phabricator multi-factor authentication reset requests - https://phabricator.wikimedia.org/T85706#955932 (Krenair) >>! In T85706#955926, @valhallasw wrote: > Ah, I had not considered that. Looking through the Phab source, it's not entirely trivial to limit TOTP to WMF employe...
[19:47:09] Krenair: s/WMF employees/people with access to ops data/
[19:47:13] Krenair: potato/potato
[19:47:40] still not quite there
[19:47:40] in my head I actually read that as p-o-tato / pah-tato
[19:47:56] interesting phenomenon
[19:49:11] Krenair: that's the context chasemp mentioned, and it's the context I'm referring to. Are there any other groups that need the extra protection?
[19:49:43] security bugs
[19:49:48] other private things I guess
[19:49:52] I think maybe Krenair means that wmf-nda has non-wmf folks (plenty of them) and security bugs
[19:50:22] Krenair: security bugs also weren't protected by 2fa on bugzilla
[19:50:35] neither was ops stuff in RT, I think?
[19:50:55] I wouldn't be surprised if someone in ops or an admin has some task with entirely custom policies that don't fit any of our pre-set ones
[19:53:40] Phabricator: Determine policy for Phabricator multi-factor authentication reset requests - https://phabricator.wikimedia.org/T85706#955944 (valhallasw) Now that I think of it, the Gerrit commit solution also isn't perfect either; one could reset the wikitech password, then log in to Gerrit and change the keys...
[19:53:48] doing 2FA is hard :-p
[20:50:37] Wikimedia-General-or-Unknown, Code-Review: Implement a sane code-review process for MediaWiki JS/CSS pages on Wikimedia sites - https://phabricator.wikimedia.org/T71445#956103 (Nemo_bis)
[20:52:13] Wikimedia-General-or-Unknown, Code-Review: Implement a sane code-review process for MediaWiki JS/CSS pages on Wikimedia sites - https://phabricator.wikimedia.org/T71445#742207 (Nemo_bis) I feel this report is //un cane che si morde la coda//. Unless someone summarises the (relevant parts of the) discussion ab...
[21:54:33] ^d: can I have force-push access to https://gerrit.wikimedia.org/r/#/admin/projects/phabricator/extensions/security so that I can push the history that I've imported from another repo? I don't think it'll be very nice to push each historical commit as a new gerrit change and manually accept each one
[21:56:10] <^d> {{done}}
[21:56:26] ^d: thanks very much
[21:56:30] <^d> yw
[22:37:17] https://phabricator.wikimedia.org/T85047 says [Core Exception/PhutilBootloaderException] Include of '/srv/phab/libext/security/src/__phutil_library_init__.php' failed!
[22:37:40] oh, the home as well
[22:37:55] chasemp, twentyafterfour ^^^
[22:38:11] yeah
[22:38:12] :/
[22:38:14] hey twentyafterfour
[22:38:19] I think your map files are in the wrong place
[22:38:23] src vs not src
[22:38:42] I copied them and it works
[22:38:44] but that won't last
[23:26:03] Engineering-Community, Code-Review, Team-Practices: How to prioritize code review of patches submitted by volunteers - https://phabricator.wikimedia.org/T78768#956677 (Awjrichards) @Aklapper, @Qgil are there any specific asks of the Team Practices Group here, or did you just want to keep this on our radar?
[23:33:37] chasemp, didn't last very long
[23:34:21] same issue we are trying to resolve the root casuse
[23:34:23] caus
[23:34:24] e
[23:53:00] Phabricator, operations: Create #site-incident tag and use it for incident reports - https://phabricator.wikimedia.org/T85889#956687 (GWicke) NEW
[23:53:43] Phabricator, operations: Create #site-incident tag and use it for incident reports - https://phabricator.wikimedia.org/T85889#956687 (GWicke)