[Wikitech-l] Maintenance release: 1.31.14

2021-04-08 Thread Sam Reed
The 1.31.14 version fixes an issue with the backports in the 1.31.13
release.

The patches linked here need applying on top of the previous patches for
1.31.12. See the previous email for those patches. The full downloads here
contain all the previous fixes from the security and maintenance release.

Once again, I apologise for the inconvenience of the issues with the
previous release. Going forward, we're going to be looking to run more
testing on the tarballs (in this case, static analysis via Phan) to
hopefully prevent these issues in future.

Download:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.14.tar.gz
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.14.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.14.tar.gz
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.14.zip

Patch to previous version (1.31.13):
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.14.patch.gz
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.14.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.14.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.14.zip.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.14.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.14.zip.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.14.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.14.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


[Wikitech-l] Security and maintenance release: 1.31.13 / 1.35.2

2021-04-08 Thread Sam Reed
I would like to announce the release of MediaWiki 1.31.13 and 1.35.2!

These releases also serve as a maintenance release for these branches.
Numerous fixes have been backported into 1.35, including some for PHP 8.0
support (though we are not declaring full PHP 8.0 support yet).

This is the first MediaWiki release where zip files are included too. This
is due to some issues with the tarballs for some users with certain
extraction applications.

Composer 2.0 is also now supported on MediaWiki 1.35.2.

MediaWiki also has a new logo as of these releases.

T270453 does not apply to MediaWiki 1.31.13, as VisualEditor is not
bundled. However the patch will be backported to the 1.31 branch if you use
VisualEditor, and you should pick up the update from the usual places.

T279451 also does not apply to MediaWiki 1.31.13, as Parsoid is not
bundled. If you use the node.js service, it is recommended to update this.

T276843 has been fixed in different ways on MediaWiki 1.31.13 and MediaWiki
1.35.2. On the former, we have just disabled the known vulnerable lexers.
On 1.35.2, we have upgraded pygments from 2.5.2 to 2.7.4.

While tarballs have already been uploaded, git tags will follow later on
today.

A "MediaWiki Extensions Security Release Supplement" email will follow
this one.

== Security fixes ==
* (T270453, CVE-2021-30153) SECURITY: ApiVisualEditor leaks info about
hidden users.
* (T270713, CVE-2021-30152) SECURITY: Allow user to only apply protection
they have right to do so via action=protect.
* (T270988, CVE-2021-30155) SECURITY: ContentModelChange: Check that user
can create pages.
* (T272386, CVE-2021-30159) SECURITY: Non-admin deleted enwiki page in fast
double move.
* (T276843, CVE-2021-20270, CVE-2021-27291) SECURITY: Various
SyntaxHighlight lexers are vulnerable to DoS.
* (T277009, CVE-2021-30158) SECURITY: Allow blocked users to access
Special:ResetTokens.
* (T278014, CVE-2021-30154) SECURITY: Escape mediastatistics-header-*
messages on Special:NewFiles.
* (T278058, CVE-2021-30157) SECURITY: Escape rcfilters-filter-* messages
on ChangesList pages.
* (T279451, CVE-2021-30458) SECURITY: Parsoid comment fostering allows for
inserting mostly arbitrary  tags.

== Links to all mentioned tasks ==
* https://phabricator.wikimedia.org/T270453
* https://phabricator.wikimedia.org/T270713
* https://phabricator.wikimedia.org/T270988
* https://phabricator.wikimedia.org/T272386
* https://phabricator.wikimedia.org/T276843
* https://phabricator.wikimedia.org/T277009
* https://phabricator.wikimedia.org/T278014
* https://phabricator.wikimedia.org/T278058
* https://phabricator.wikimedia.org/T279451

== Release notes ==

Full release notes for 1.31.13:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_31/RELEASE-NOTES-1.31
https://www.mediawiki.org/wiki/Release_notes/1.31

Full release notes for 1.35.2:
https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_35/RELEASE-NOTES-1.35
https://www.mediawiki.org/wiki/Release_notes/1.35

For information about how to upgrade, see


Download:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.13.tar.gz
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.13.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.13.tar.gz
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.13.zip

Patch to previous version (1.31.12):
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.13.patch.gz
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.13.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.13.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.13.zip.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.13.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.13.zip.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.13.patch.gz.sig
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.13.patch.zip.sig

Public keys:
https://www.mediawiki.org/keys/keys.html

Download:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.2.tar.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.2.zip

Download without bundled extensions:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.2.tar.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.2.zip

Patch to previous version (1.35.1):
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.2.patch.gz
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.2.patch.zip

GPG signatures:
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.2.tar.gz.sig
https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.2.zip.sig
https://releases.wikimedia.org/mediawiki/1.35

[Wikitech-l] 2021-04-07 Scrum of Scrums meeting notes

2021-04-08 Thread Grace Gellerman
https://www.mediawiki.org/wiki/Scrum_of_scrums/2021-04-07

= 2021-04-07 =

== Callouts ==
* RelEng: Note that the MediaWiki 1.36 branch will happen in the next day
or so. Next week's train is the first of 1.37.0-wmf.X.
* RelEng: Backport deployment training is available, the invite is in the
deployment calendar on gmail:
wikimedia.org_rudis09ii2mm5fk4hgdjeh1...@group.calendar.google.com
* …

== Gerrit patches or GitHub Pull Requests for reviews or feedback ==

*

=== No updates ===
Community Tech, Anti-Harassment Tools, Editing, Product Infrastructure,
Parsing, Language, Inuka, Analytics, Cloud Services, Platform, Performance,
Quality & Test, Security
=== '''No notes provided''' ===

== SoS Meeting Bookkeeping ==
* Updates:

== Product ==

=== Growth ===
* Blocked by:
* Blocking:
* Thank yous:
* Updates:
** Continuing work on Add Link https://wikitech.wikimedia.org/wiki/Add_Link
** Continuing to work on on-wiki configuration
** Continuing design of mentor dashboard
https://www.mediawiki.org/wiki/Growth/Mentor_dashboard
** Deploying Growth features as opt-in to tawiki, mswiki and simplewiki

=== iOS native app ===
* Blocked by:
* Blocking:
* Thank yous:
* Updates: Beta is out.

=== Android native app ===
* Blocked by:
* Blocking:
* Thank yous: Miriam for the research and PET for all your help getting
image recommendations ready.
* Updates: Timeline for image recommendations MVP release is set - should
be out to all users in 4 weeks.

=== Web ===
* Blocked by:
* Blocking:
* Thank yous:
* Updates:
** Continuing to onboard new hires!
** Continuing our work on the language switcher instrumentation and A/B test
** Fixing a regression in the SearchSatisfaction instrument for the WVUI
search autocomplete treatment:
https://phabricator.wikimedia.org/T274869#6963147 onward
** Finalising new CSS folder structure in Vector:
https://phabricator.wikimedia.org/T264309.

=== Structured Data ===
* Blocked by:
* Blocking:
* Thank yous:
* Updates:
** Special:MediaSearch is now the default search UI on Wikimedia Commons
for anonymous users
** Working on moving the MediaSearch UI code into a standalone extension.
This will include the structured data team's library of reusable Vue
components. Will announce this when the move happens.

=== Abstract Wikipedia ===
* Blocked by:
** None
* Blocking:
** None known.
* Thank yous:
** Architecture for their on-going advice and support through some thorny
issues.
* Updates:
** We closed Phase γ; we're now working on Phase δ (delta):
https://meta.wikimedia.org/wiki/Abstract_Wikipedia/Phases
*** This is where we'll tie the back-end function orchestrator to the
front-end MW stack.

=== Library ===
* Blocked by:
* Blocking:
* Thank yous:
* Updates:
** Continued work on partner description translations and The Wikipedia
Library extension
** New homepage designs are almost done, and work is starting on the logged
in experience

=== Vue.js ===
* Blocked by:
* Blocking:
* Thank yous:
* Updates:
** Starting the technical decision-making process for introducing a
front-end build step - https://phabricator.wikimedia.org/T279108
** Storybook updates to WVUI: https://gerrit.wikimedia.org/r/c/wvui/+/676236

== Technology ==

=== Fundraising Tech ===
* Blocked by:
* Blocking:
* Thank yous:
* Updates:
** un-forking CiviCRM build tool to use upstream version in our CI:
https://phabricator.wikimedia.org/T277500
** More work on email prefs page https://phabricator.wikimedia.org/T268510
** Planning for integration with new API of backup card processor
** CiviCRM contact deduplication enhancements
** Better error handling for CentralNotice invalid banner name:
https://phabricator.wikimedia.org/T173782
** Audit / reconciliation file processing improvements:
https://phabricator.wikimedia.org/T277244,
https://phabricator.wikimedia.org/T265545


=== Engineering Productivity ===

==== Release Engineering ====
* Blocked by:
** Wikidata: Migration of CI testing from stretch to buster is known broken
in Wikidata (T279068).
* Blocking:
** Fundraising tech might be reaching out for image tweaks
* Thank yous:
** James for pointing out we were behind on the 1.36 branch cut :)
* Updates:
** Note that the MediaWiki 1.36 branch will happen in the next day or so.
Next week's train is the first of 1.37.0-wmf.X.
** Backport deployment training is available, the invite is in the
deployment calendar on gmail:
wikimedia.org_rudis09ii2mm5fk4hgdjeh1...@group.calendar.google.com
** [All] Deployments/Covid-19
https://wikitech.wikimedia.org/wiki/Deployments/Covid-19
** Train Health
*** Last week: 1.36.0-wmf.37 [[phab:T274943]] 
*** This week: 1.36.0-wmf.38 [[phab:T278344]] 
*** This week: 1.37.0-wmf.1 [[phab:T278345]] 

=== Search Platform ===
* Blocked by:
* Blocking:
* Thank yous:
* Updates:
** Recover lexemes on wdqs1009 - https://phabricator.wikimedia.org/T276784
** Report latency metric to the wdqs-ui from the wdqs streaming updater -
https://phabricator.wikimedia.org/T277637
** Reindex Khmer wikis to enable Khmer syllable reorde

[Wikitech-l] Summary of this week's deployment of 1.36.0-wmf.38: not there yet

2021-04-08 Thread Lars Wirzenius
(This is almost a repeat of last week's train summary. It's again a
short week and the train is still running.)

This is a summary of this week's deployment of the 1.36.0-wmf.38
branch of MediaWiki and its extensions (also known as "the train").
The primary person in charge this week is Dan Duvall, with Mukunda
Modell as backup, both from the Release Engineering team.

The summary task for this week is
https://phabricator.wikimedia.org/T278344 .

This week's deployment is still ongoing. The train is at group 1, and
will hopefully move to group 2 later today, but I'm writing this ahead
of time due to me being in an unfortunate time zone (hello from the
future!). As of writing this email, there are no blocker tasks. In
fact, there doesn't seem to have been any this week. None I say. NONE!
Well okay, a couple of things were added tentatively, but dropped as
blockers after further investigation.

Amir Sarabadani reported a risky change in this train. Special thanks!
Forewarned is better than surprised.

As usual, a whole bunch of people helped to find, triage, analyze,
fix, or work around problems this week. Release Engineering thanks
everyone, without help we wouldn't be able to deploy MediaWiki.

- Amir Sarabadani (WMDE)
- Anne Tomasevich
- Bartosz Dziewoński
- Carly Bogen
- Cormac Parle
- C. Scott Ananian
- Jon Robson
- Lucas Werkmeister
- Umherirrender

There may have been other people, and if so, I apologize for not
including them on the list above.

Have a good weekend. Be well. Be safe.

For more information, please see:

- https://phabricator.wikimedia.org/T278344
- https://wikitech.wikimedia.org/wiki/Heterogeneous_deployment/Train_deploys



Re: [Wikitech-l] Fatal exception when calling replaceVariables() from parser hook, after upgrade to MW 1.34

2021-04-08 Thread Máté Szabó
Hi Mark,

Yeah, newChild() expects a preprocessor node instance (rather than the raw 
arguments array itself) for the arguments, which can be obtained by calling 
Preprocessor::newPartNodeArray() with the given set of arguments.

For Parsoid-PHP and the potential upgrade work it requires, it is probably 
something that will need to be addressed eventually, but from what I 
understand, there’s plenty of time until then, so it should not be an immediate 
concern. :)

Best,
Máté Szabó 
Sr. Software Engineer
he - him - his

Fandom Poland sp. z o.o. z siedzibą w Poznaniu, ul. Abp. A. Baraniaka 6
Sąd Rejonowy Poznań – Nowe Miasto i Wilda w Poznaniu, VIII Wydział Gospodarczy 
Krajowego Rejestru Sądowego, KRS 254365
NIP: 5252358778
Kapitał zakładowy: 50.000,00 złotych

> On 8 Apr 2021, at 02:44, Mark Clements (HappyDog)  
> wrote:
> 
> "Máté Szabó"  wrote in message 
> news:80e88bac-ae9b-42ae-a0ba-834a39a7a...@wikia-inc.com...
> 
> 
> Hi Máté,
> 
> I know it's been a while, but I've only now found some time to work on this 
> in any depth.
> 
>> The DOM-based wikitext preprocessor (Preprocessor_DOM class and friends)
>> was deprecated in MediaWiki 1.34 and removed in MediaWiki 1.35 as part of
>> the Wikimedia Parsing Team's work around Parsoid-PHP.[1]
> 
> I guess that explains why things changed in MW 1.34, specifically.
> 
>> In the short/medium term, the easiest fix to keep your code working would
>> be to use the other preprocessor implementation (class Preprocessor_Hash
>> and friends) instead.
> 
> I think this is what I have now done.  The solution I implemented was to 
> replace the following line:
> 
>     $NewFrame = new PPTemplateFrame_DOM($Frame->preprocessor,
>         $Frame, array(), $Vars, $Frame->title);
> 
> With this:
> 
>     if (is_a($Frame, "PPFrame_Hash"))
>         $TemplateFrameClass = "PPTemplateFrame_Hash";
>     else
>         $TemplateFrameClass = "PPTemplateFrame_DOM";
> 
>     $NewFrame = new $TemplateFrameClass($Frame->preprocessor,
>         $Frame, array(), $Vars, $Frame->title);
> 
> This seems to work on both MW versions I am testing on (1.29 and 1.34) and 
> fits in with your explanation, above.
> 
>> Since your code already has access to a PPFrame instance,
>> you can also try invoking its newChild() method to construct a
>> new child frame with your arguments, instead of creating the
>> instance directly.
> 
> I couldn't get this to work.  I needed to pass additional arguments into the 
> constructor, but got an error if I passed in an array of string => string 
> pairs and there was no documentation about how to convert such an array into 
> a format that the function would accept, so I gave up on this approach.
> 
>> In the long term, the legacy wikitext preprocessor will be removed, so
>> you may want to reach out to the Parsing Team[2] to find out how you
>> can make your code ready for Parsoid-PHP.
> 
> Based on that comment, I suspect that further upgrade work will be required 
> in due course, but at least I have solved the immediate problem for now!
> 
> Thanks for your help,
> 
> - Mark Clements
> (HappyDog)


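The newChild() route described in the reply above, as an added example that is not code from the thread: a tag hook converts its string => string attributes with Preprocessor::newPartNodeArray() before building the child frame. The class name ExampleHooks, the <example> tag and the 'default' argument are hypothetical.

```php
<?php
/**
 * Added example (not from the thread). ExampleHooks, the <example> tag and
 * the 'default' argument are hypothetical names used for illustration.
 */
class ExampleHooks {
	/** Register the hypothetical <example> tag on the ParserFirstCallInit hook. */
	public static function onParserFirstCallInit( Parser $parser ) {
		$parser->setHook( 'example', [ self::class, 'renderExample' ] );
	}

	/**
	 * Tag hook: parse the tag body with the tag's attributes available as
	 * template-style arguments, e.g. {{{colour}}} inside
	 * <example colour="red">...</example>.
	 */
	public static function renderExample(
		$input, array $attribs, Parser $parser, PPFrame $frame
	) {
		// A plain string => string array. Passing this straight to
		// newChild() fails, because newChild() expects preprocessor
		// nodes rather than raw strings.
		$vars = $attribs + [ 'default' => 'fallback value' ];

		// Let the active preprocessor build its own node type from the
		// array, instead of naming PPTemplateFrame_Hash or
		// PPTemplateFrame_DOM explicitly.
		$argNodes = $parser->getPreprocessor()->newPartNodeArray( $vars );

		// newChild() returns a template frame whose named arguments are
		// the entries of $vars; string keys become named arguments and
		// integer keys become numbered ones.
		$childFrame = $frame->newChild( $argNodes, $frame->getTitle() );

		// recursiveTagParse() runs replaceVariables() against the child
		// frame, so {{{name}}} references in $input resolve to $vars.
		return $parser->recursiveTagParse( $input, $childFrame );
	}
}
```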