[Wikitech-l] Re: Sign up for the language community meeting on May 31st, 16:00 UTC

2024-05-29 Thread Srishti Sethi
Hi all! This is a friendly reminder that the language community meeting is
coming up in two days. It is scheduled for Friday, May 31st, from 16:00 to
17:00 UTC. There will be three presentations around the state of language
research, Language Converter project and Incubator Conversations update.
There will also be time for technical Q&A. If you want to bring a technical
discussion to the meeting, add it to the agenda document. Learn more here: <
https://www.mediawiki.org/w/index.php?title=Wikimedia_Language_engineering/Community_meetings#31_May_2024
>

Looking forward to your participation!

Cheers,

Jon, Mary, Oscar, Amir and Srishti
*Srishti Sethi*
Senior Developer Advocate
Wikimedia Foundation 



On Fri, May 3, 2024 at 5:09 PM Srishti Sethi  wrote:

> Hello all,
>
> The next language community meeting is scheduled in a few weeks - May 31st
> at 16:00 UTC. If you're interested, you can sign up on this wiki page: <
> https://www.mediawiki.org/w/index.php?title=Wikimedia_Language_engineering/Community_meetings#31_May_2024
> >.
>
> This is a participant-driven meeting, where we share language-specific
> updates related to various projects, collectively discuss technical issues
> related to language wikis, and work together to find possible solutions.
> For example, in the last meeting, the topics included the machine
> translation service (MinT) and the languages and models it currently
> supports, localization efforts from the Kiwix team, and technical
> challenges with numerical sorting in files used on Bengali Wikisource.
>
> Do you have any ideas for topics to share technical updates related to
> your project? Any problems that you would like to bring for discussion
> during the meeting? Do you need interpretation support from English to
> another language? Please reach out to me at sse...@wikimedia.org and add
> agenda items to the document here: <
> https://etherpad.wikimedia.org/p/language-community-meeting-may-2024>.
>
> We look forward to your participation!
>
> Cheers,
>
> Jon, Mary, Oscar, Amir and Srishti
>
> *Srishti Sethi*
> Senior Developer Advocate
> Wikimedia Foundation 
>
>
___
Wikitech-l mailing list -- wikitech-l@lists.wikimedia.org
To unsubscribe send an email to wikitech-l-le...@lists.wikimedia.org
https://lists.wikimedia.org/postorius/lists/wikitech-l.lists.wikimedia.org/

[Wikitech-l] Re: [Ops] Gerrit upgrade Monday June 3rd at 8am UTC

2024-05-29 Thread Gergo Tisza
On Wed, May 29, 2024 at 3:14 PM Antoine Musso  wrote:

> User Suggested Edits,
> an easy way for reviewers to suggest code changes which can be easily
> applied by the change owner. One can imagine CI would be able to offer
> suggestions as well (such as phpcb from PHP CodeSniffer or eslint?).
>

For CI it was already possible via the (now removed) robot comment feature,
but this seems quite a bit simpler. Thanks for your work on the Gerrit
upgrades!

[Wikitech-l] Re: Can we do better than just redirect HTTP API requests to HTTPS?

2024-05-29 Thread Brian Wolff
I personally think the rather low risk is not worth the inconvenience,
especially since many uses of the API are unauthenticated.

If we did it, I think we should only do it for requests that actually have
credentials attached (cookie or oauth).

Just my 2 cents.

--
Brian

On Wednesday 29 May 2024, psnbaotg via Wikitech-l <
wikitech-l@lists.wikimedia.org> wrote:

> I noticed an interesting post on Hacker News:
> https://news.ycombinator.com/item?id=40504756
> (https://jviide.iki.fi/http-redirects)
>
> Basically, this article argues that for reasons, API should "fail early",
> such as returning with 403 and revoking all credentials sent via plain
> text, rather than redirecting all HTTP requests to HTTPS.
>
> In my humble opinion, this article's point makes perfect sense. Because we
> cannot expect an arbitrary client to follow HSTS and a simple typo can
> cause serious credential leak.
>
> I found that all our APIs (action API, Wikimedia REST, and even Wikimedia
> Enterprise) are doing redirects:
>
> ```
> $ curl -I "http://en.wikipedia.org/api/rest_v1/page/title/Earth"
> HTTP/1.1 301 Moved Permanently
> content-length: 0
> location: https://en.wikipedia.org/api/rest_v1/page/title/Earth
> server: HAProxy
> x-cache: cp5023 int
> x-cache-status: int-tls
> connection: close
>
> $ curl -I "http://en.wikipedia.org/w/api.php?action=query=info=Earth"
> HTTP/1.1 301 Moved Permanently
> content-length: 0
> location: https://en.wikipedia.org/w/api.php?action=query=info=Earth
> server: HAProxy
> x-cache: cp5023 int
> x-cache-status: int-tls
> connection: close
>
> $ curl -I http://api.enterprise.wikimedia.com/v2/snapshots
> HTTP/1.1 301 Moved Permanently
> Server: awselb/2.0
> Date: Wed, 29 May 2024 10:03:24 GMT
> Content-Type: text/html
> Content-Length: 134
> Connection: keep-alive
> Location: https://api.enterprise.wikimedia.com:443/v2/snapshots
>
> ```
>
> I'm asking security folks, should we consider making above changes, like
> those services listed in the article? Thank you.
>
> Best regards,
> diskdance

[Wikitech-l] Can we do better than just redirect HTTP API requests to HTTPS?

2024-05-29 Thread psnbaotg via Wikitech-l
I noticed an interesting post on Hacker News: 
https://news.ycombinator.com/item?id=40504756 
(https://jviide.iki.fi/http-redirects)

Basically, this article argues that for reasons, API should "fail early", such 
as returning with 403 and revoking all credentials sent via plain text, rather 
than redirecting all HTTP requests to HTTPS.

In my humble opinion, this article's point makes perfect sense. Because we
cannot expect an arbitrary client to follow HSTS and a simple typo can cause 
serious credential leak.

I found that all our APIs (action API, Wikimedia REST, and even Wikimedia 
Enterprise) are doing redirects:

```
$ curl -I "http://en.wikipedia.org/api/rest_v1/page/title/Earth"
HTTP/1.1 301 Moved Permanently
content-length: 0
location: https://en.wikipedia.org/api/rest_v1/page/title/Earth
server: HAProxy
x-cache: cp5023 int
x-cache-status: int-tls
connection: close

$ curl -I "http://en.wikipedia.org/w/api.php?action=query=info=Earth"
HTTP/1.1 301 Moved Permanently
content-length: 0
location: https://en.wikipedia.org/w/api.php?action=query=info=Earth
server: HAProxy
x-cache: cp5023 int
x-cache-status: int-tls
connection: close

$ curl -I http://api.enterprise.wikimedia.com/v2/snapshots
HTTP/1.1 301 Moved Permanently
Server: awselb/2.0
Date: Wed, 29 May 2024 10:03:24 GMT
Content-Type: text/html
Content-Length: 134
Connection: keep-alive
Location: https://api.enterprise.wikimedia.com:443/v2/snapshots

```

I'm asking security folks, should we consider making above changes, like those 
services listed in the article? Thank you.

Best regards,
diskdance
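
A sketch of the policy discussed in this thread, as an added example that is not part of the original posts or of Wikimedia's code: a request received over plain HTTP is refused with 403 and its credentials are handed to a revocation hook only when a cookie or Authorization header is attached, while anonymous requests keep the 301 redirect. The function name, the `revoke` callback and the sample requests are assumptions constructed for illustration.

```python
from http import HTTPStatus

# Request headers that carry credentials (cookie or OAuth, as in the thread).
CREDENTIAL_HEADERS = ("authorization", "cookie")


def handle_plaintext_request(host, target, headers, revoke):
    """Decide the response to an API request that arrived without TLS.

    `revoke` is a hypothetical hook called with (header_name, value) for
    every credential that was exposed, so the caller can invalidate it.
    Returns (status, response_headers).
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    exposed = [(h, lowered[h]) for h in CREDENTIAL_HEADERS if lowered.get(h)]
    if exposed:
        # The secret already crossed the network in cleartext: fail early,
        # give no Location to follow, and treat the credential as burned.
        for name, value in exposed:
            revoke(name, value)
        return HTTPStatus.FORBIDDEN, {"Connection": "close",
                                      "Cache-Control": "no-store"}
    # Anonymous request: nothing leaked, so the existing redirect is kept.
    return HTTPStatus.MOVED_PERMANENTLY, {"Location": f"https://{host}{target}",
                                          "Connection": "close"}


def demo():
    """Run the policy over constructed sample requests."""
    revoked = []
    samples = [  # constructed requests; the token and cookie are placeholders
        ("/api/rest_v1/page/title/Earth", {"User-Agent": "example/1.0"}),
        ("/w/api.php", {"Authorization": "Bearer EXAMPLE-TOKEN"}),
        ("/w/api.php", {"cookie": "session=EXAMPLE-SESSION"}),
    ]
    results = [handle_plaintext_request("en.wikipedia.org", target, headers,
                                        lambda n, v: revoked.append((n, v)))
               for target, headers in samples]
    return results, revoked


if __name__ == "__main__":
    results, revoked = demo()
    for status, headers in results:
        print(int(status), headers)
    print("revoke:", revoked)
```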


[Wikitech-l] Re: [Ops] Gerrit upgrade Monday June 3rd at 8am UTC

2024-05-29 Thread Jesse Hathaway
I'm really looking forward to User Suggested Edits!
Thanks!


On Wed, May 29, 2024 at 8:14 AM Antoine Musso  wrote:

> Hello,
>
> I will be *upgrading Gerrit* from the 3.8 series to the 3.9 series. I
> have scheduled the upgrade for *Monday June 3rd at 8am UTC*. It is
> immediately after the UTC morning backport & config window.
>
> The upgrade requires the Gerrit service to be stopped for the duration of
> the upgrade. Given we do not need to reindex all the changes, the downtime
> should be just a few minutes.
>
> Gerrit 3.9 brings:
>
> - Support for diff3 rendering for changes having conflict markers
>   (T359821) which corresponds to cgit merge.conflictStyle=diff3.
> - User Suggested Edits, an easy way for reviewers to suggest code
>   changes which can be easily applied by the change owner. One can
>   imagine CI would be able to offer suggestions as well (such as phpcb
>   from PHP CodeSniffer or eslint?).
> - Gerrit would now use "Revert^2" syntax when crafting a revert
>   instead of chaining them as "Revert "Revert "Revert...".
> - And more UI changes
>
>
> The release notes: https://www.gerritcodereview.com/3.9.html
> The upgrade task: https://phabricator.wikimedia.org/T354887
> Deployment calendar entry
> 
>
> Antoine "hashar" Musso
> Wikimedia Release Engineering
> ___
> Ops mailing list -- o...@lists.wikimedia.org
> To unsubscribe send an email to ops-le...@lists.wikimedia.org
>

[Wikitech-l] Gerrit upgrade Monday June 3rd at 8am UTC

2024-05-29 Thread Antoine Musso

Hello,

I will be *upgrading Gerrit* from the 3.8 series to the 3.9 series. I 
have scheduled the upgrade for *Monday June 3rd at 8am UTC*. It is 
immediately after the UTC morning backport & config window.


The upgrade requires the Gerrit service to be stopped for the duration 
of the upgrade. Given we do not need to reindex all the changes, the 
downtime should be just a few minutes.


Gerrit 3.9 brings:

 * Support for diff3 rendering for changes having conflict markers
   (T359821) which corresponds to cgit merge.conflictStyle=diff3.
 * User Suggested Edits, an easy way for reviewers to suggest code
   changes which can be easily applied by the change owner. One can
   imagine CI would be able to offer suggestions as well (such as phpcb
   from PHP CodeSniffer or eslint?).
 * Gerrit would now use "Revert^2" syntax when crafting a revert
   instead of chaining them as "Revert "Revert "Revert...".
 * And more UI changes
   

The release notes: https://www.gerritcodereview.com/3.9.html
The upgrade task: https://phabricator.wikimedia.org/T354887
Deployment calendar entry 



Antoine "hashar" Musso
Wikimedia Release Engineering