[Wikitech-l] Maintenance release: 1.31.12

2020-12-17 Thread Sam Reed
The 1.31.12 version fixes the issue with the backports in the
1.31.11 release.

The patches linked here need applying on top of the previous patches for
1.31.11. See the previous email for those patches. The full
downloads here contain all the previous fixes from the security and
maintenance release.

Once again, I apologise for the inconvenience of the issues with the
previous release.

**
Download:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.12.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.12.tar.gz

Patch to previous version (1.31.11):
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.12.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.12.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.12.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.12.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


[Wikitech-l] Security and maintenance release: 1.31.11 / 1.35.1

2020-12-17 Thread Sam Reed
I would like to announce the release of MediaWiki 1.31.11 and 1.35.1!

These releases also serve as a maintenance release for these branches.
Numerous fixes have been backported into 1.35, including some for PHP 8.0
support (though we are not declaring full PHP 8.0 support yet).

T268894 doesn't apply to MediaWiki 1.31, as the code was added in 1.35.
Also, only one of the two fixes of T268938 applies to MediaWiki 1.31, as the
code was not added until MediaWiki 1.33.

While tarballs have already been uploaded, git tags will follow later on
today.

A "MediaWiki Extensions Security Release Supplement" email will follow
this one.

== Security fixes ==
* (T268894, CVE-2020-35474) SECURITY: Message
recentchanges-legend-watchlistexpiry can contain raw html.
* (T268917, CVE-2020-35475) SECURITY: Messages userrights-expiry-current
and userrights-expiry-none can contain raw html.
* (T268938, CVE-2020-35478, CVE-2020-35479) SECURITY: BlockLogFormatter can
output raw html.
* (T205908, CVE-2020-35477) SECURITY: Unable to change visibility of log
entries when MediaWiki:Mainpage uses Special:MyLanguage.
* (T120883, CVE-2020-35480) SECURITY: Divergent behavior for contributions
and user pages of hidden users and missing users.

== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T268894
* https://phabricator.wikimedia.org/T268917
* https://phabricator.wikimedia.org/T268938
* https://phabricator.wikimedia.org/T205908
* https://phabricator.wikimedia.org/T120883

== Release notes ==

Full release notes for 1.31.11:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_31/RELEASE-NOTES-1.31
https://www.mediawiki.org/wiki/Release_notes/1.31

Full release notes for 1.35.1:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_35/RELEASE-NOTES-1.35
https://www.mediawiki.org/wiki/Release_notes/1.35

For information about how to upgrade, see


**
Download:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.11.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.11.tar.gz

Patch to previous version (1.31.10):
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.11.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.11.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.11.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.11.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

**
Download:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.1.tar.gz

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.1.tar.gz

Patch to previous version (1.35.0):
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.1.patch.gz

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.1.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.1.patch.gz.sig

Public keys:
https://www.mediawiki.org/keys/keys.html


[Wikitech-l] Early heads-up! Call for projects and mentors for Google Summer of Code 2021 and Outreachy Round 22 begins

2020-12-17 Thread Srishti Sethi
Hello everyone,

Wikimedia will be participating in the Google Summer of Code [1] 2021 and
Outreachy [2] Round 22!

This is an early heads-up to potential mentors interested in participating
in these programs – if you would like to mentor a coding or non-coding
(documentation, design, research, outreach, translation, etc.) project,
share your ideas in a comment on this Phabricator task: [3]

We will reach out to you with more formal steps in January! In the
meanwhile, here are some relevant links for you to explore:

* A recent blog post highlighting one of our intern's experience
participating in Outreachy: [4]

* Roles and responsibilities of Google Summer of Code and Outreachy
mentors: [5], [6]

* Ongoing projects work via Outreachy Round 21: [7]

Looking forward to your participation!

Cheers,

Srishti

[1] https://www.mediawiki.org/wiki/Google_Summer_of_Code

[2] https://www.mediawiki.org/wiki/Outreachy

[3] https://phabricator.wikimedia.org/T270429

[4]
https://techblog.wikimedia.org/2020/08/26/lalithas-story-an-outreachy-intern-shares-her-experience/

[5] https://www.mediawiki.org/wiki/Outreachy/Mentors

[6] https://www.mediawiki.org/wiki/Google_Summer_of_Code/Mentors

[7] https://www.mediawiki.org/wiki/Outreachy/Round_21



*Srishti Sethi*
Senior Developer Advocate
Wikimedia Foundation 


Re: [Wikitech-l] TechCom meeting 2020-12-16

2020-12-17 Thread Daniel Kinzler
Ariel just pointed out that the original mail had the wrong link for the RFC
ticket. Sorry about that. The correct link to the RFC about PageIdentity is:
https://phabricator.wikimedia.org/T208776

-- 

Daniel Kinzler
Principal Software Engineer, Core Platform
Wikimedia Foundation



Re: [Wikitech-l] TechCom meeting 2020-12-16

2020-12-17 Thread Daniel Kinzler

On 17.12.20 at 14:25, Daniel Kinzler wrote:
> My original proposal was to change the signature of getId() to getId( $wikiId
> = false ), to assert that the PageIdentity actually belongs to the wiki the
> caller expects.


I made a patch exploring that option:
https://gerrit.wikimedia.org/r/c/mediawiki/core/+/650126.


It's much simpler, but it relies on runtime assertions rather than type hints.

-- 

Daniel Kinzler
Principal Software Engineer, Core Platform
Wikimedia Foundation
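
An added illustration of the two options weighed in this thread (a runtime assertion in getId() versus a dedicated local type), not part of the original message or of the linked Gerrit patches. Every class and function below is a hypothetical stand-in; only the names PageIdentity, LocalPageIdentity and the getId( $wikiId = false ) signature come from the thread.

```php
<?php
declare(strict_types=1);
// Hypothetical sketch: these are not MediaWiki's real interfaces or classes.
interface PageIdentity {
    /** @param string|false $wikiId wiki the caller expects (false = local wiki) */
    public function getId( $wikiId = false ): int;
}
// Dedicated-type option: instances are local by construction.
interface LocalPageIdentity extends PageIdentity {
}
class PageIdentityValue implements PageIdentity {
    private $id;
    private $wikiId;
    public function __construct( int $id, $wikiId ) {
        $this->id = $id;
        $this->wikiId = $wikiId;
    }
    // Runtime-assertion option: every ID read states which wiki is expected.
    public function getId( $wikiId = false ): int {
        if ( $wikiId !== $this->wikiId ) {
            throw new LogicException( 'page belongs to another wiki' );
        }
        return $this->id;
    }
}
final class LocalPageIdentityValue extends PageIdentityValue implements LocalPageIdentity {
    public function __construct( int $id ) {
        parent::__construct( $id, false );
    }
}
// Accepts any page; a foreign one is only caught when getId() runs.
function rowKeyByAssertion( PageIdentity $page ): string {
    return 'page_id=' . $page->getId();
}
// Accepts only local pages; a foreign one is rejected at the call boundary.
function rowKeyByType( LocalPageIdentity $page ): string {
    return 'page_id=' . $page->getId();
}

$local = new LocalPageIdentityValue( 42 );
$foreign = new PageIdentityValue( 42, 'otherwiki' ); // constructed sample
echo rowKeyByType( $local ), "\n";
foreach ( [ 'rowKeyByAssertion', 'rowKeyByType' ] as $fn ) {
    try {
        $fn( $foreign );
    } catch ( Throwable $e ) {
        echo $fn, ': ', get_class( $e ), "\n";
    }
}
```

In both variants a page ID from another wiki cannot silently be used as a local one; the difference is whether the mismatch surfaces inside getId() or at the function signature, where a static analyser can also flag it.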



Re: [Wikitech-l] TechCom meeting 2020-12-16

2020-12-17 Thread Daniel Kinzler

> RFC: Introduce PageIdentity to be used instead of WikiPage.
>
>   * https://phabricator.wikimedia.org/T259771
>   * Daniel to document concern about adopting false advertisement.
>   * Daniel to add some kind of intermediary Local-only interface to adopt
> first, then on Last Call until Jan 6.
>
In the meeting yesterday, Timo and I discussed how to best represent the idea
that a PageIdentity (or PageRecord) may represent a page on another wiki (to
improve cross-wiki support), but most code that currently uses a Title or
WikiPage (and would in the future take a PageIdentity or PageRecord) is not
aware of that.

My original proposal was to change the signature of getId() to getId( $wikiId =
false ), to assert that the PageIdentity actually belongs to the wiki the caller
expects.

Timo preferred to represent this using dedicated types like LocalPageIdentity,
so the type hint would ensure assumptions are correct.  I pushed an experimental
patch that adds the "local" variant of the relevant interfaces and classes:
https://gerrit.wikimedia.org/r/c/mediawiki/core/+/650112

This complicates the type hierarchy quite a bit; I'm not sure it's worthwhile. I
personally like such a fine-grained system of types to represent different
guarantees, but I have gotten pushback about it in the past. If it ends up
confusing people or putting them off, it may do more harm than good.

It would be helpful for me to hear what others think of this approach before I
put this on last call as discussed yesterday.

-- daniel



> RFC: Drop support for older database upgrades
>
>   * https://phabricator.wikimedia.org/T259771
>   * Looks good to go, but we already have two RFCs on Last Call.
>   * Expected to go on Last Call in January.
>
>
> Upcoming holidays
>
> There will also be no TechCom triage meeting on 23 December and 30 December
> due to holidays. The next triage and review will be in the week of 6 January
> 2021.
>
>
> Next week IRC office hours
>
> No IRC discussion scheduled for next week.
>
> You can also find our meeting minutes at
> https://www.mediawiki.org/wiki/Wikimedia_Technical_Committee/Minutes
>
> -- Timo
>
>
> On Tue, Dec 15, 2020 at 12:49 PM Niklas Laxström wrote:
>
> This is the weekly TechCom board review in preparation of our meeting on
> Wednesday. If there are additional topics for TechCom to review, please
> let us know by replying to this email. However, please keep discussion
> about individual RFCs to the Phabricator tickets.
>
> Activity since Tuesday 2020-12-08 on the following boards:
>
> https://phabricator.wikimedia.org/tag/techcom/
> https://phabricator.wikimedia.org/tag/techcom-rfc/
>
> Committee inbox: (none)
>
> Committee board activity:
>
>   * T42787 Remove legacy ajax interface
>   o I moved from Inbox to Watching
>   * T267213 Create WikiTeq group on Gerrit
>   o Kizule is asking for an update.
>   o It seems there are two things to do: create the group and update
> the policy.
>
> New RFCs: (none)
>
> Phase progression: (none)
>
> IRC meeting request: (none)
>
> Other RFC activity:
>
>   * T263841 RFC: Expand API title generator to support other generated data
>   o There is a new proposal text. Please comment.
>   * T259771: RFC: Drop support for database upgrade older than two LTS
> releases.
>   o Discussion on the task. To me it looks mostly in favor or
> commenting that some of the problems are not fully solved by this
> proposal.
>   * T268326 RFC: Amendment to the Stable interface policy (November 2020)
>   o Feedback given about the proposed 3 month minimum period
>   * T119173: RFC: Discourage use of MySQL's ENUM type.
>   o Amir showed how to automatically generate on-wiki documentation
> for tables.
>   * T133452: RFC: Create temporary accounts for anonymous editors.
>   o Many comments after Tim proposed to use cloaks (see his comment in
> the task for details)
>   * T214362: RFC: Store WikibaseQualityConstraint check data in persistent
> storage.
>   o Krinkle asked for clarifications. Lucas responded with a comment
> and Lydia offered to have it explained in a call.
>   * T208776: RFC: Introduce PageIdentity to be used instead of WikiPage.
>   o Krinkle and Daniel discuss implementation details in context o