[Wikitech-l] MediaWiki version statistics

2010-07-29 Thread Tim Starling
Cross-posted to Some kind people at Qualys have surveyed versions of open source web apps present on the web, including MediaWiki. Here is the relevant page from their presentation: http://wimg.co.uk/3jK.png For the original s

[Wikitech-l] MediaWiki version statistics

2010-07-30 Thread Max Semenik
/me wrote: > Last time I heard about it, it had huge problems with security and > code quality. Did anything change positively in that area over the > last several months? If s***c developers believe that all Tim's > concerns have been addressed, they should resubmit it for review. Sorry, as Jero

Re: [Wikitech-l] MediaWiki version statistics

2010-07-29 Thread Ryan Lane
> We have a new installer project in development, which we hope to > release in 1.17. It includes a feature which encourages users to sign > up for our release announcements mailing list. But maybe we need to do > more. Should we take a leaf from WordPress's book, and nag > administrators with a pr

Re: [Wikitech-l] MediaWiki version statistics

2010-07-30 Thread Jeroen De Dauw
Hey, As many of you probably already know, my Google Summer of Code project [0] aims at providing this exact "dial home" functionality, for both MediaWiki core and extensions. (The project's goal is wider than this, but this is included as one of the main features.) > If MediaWiki dials home, it

Re: [Wikitech-l] MediaWiki version statistics

2010-07-30 Thread Max Semenik
On 30.07.2010, 17:44 Jeroen wrote: > I'm currently looking into the repository and package fetching parts do > allow for such "dialling home". MediaWiki.org seems the obvious choice to > have the main repository on. There are many ways to then provide the needed > data. Personally I think the bes

Re: [Wikitech-l] MediaWiki version statistics

2010-07-30 Thread Max Semenik
On 30.07.2010, 18:20 /me wrote: > There's already http://www.mediawiki.org/wiki/Extension:MWReleases that does > server part of version checks for core And we forgot to update it when 1.16 was released, wheee! Added to release checklist now. -- Best regards, Max Semenik ([[User:MaxSem]])

Re: [Wikitech-l] MediaWiki version statistics

2010-07-30 Thread Jeroen De Dauw
Hey, > There's already http://www.mediawiki.org/wiki/Extension:MWReleases that does server part of version checks for core, it could be tweaked to supply version information for extensions, too. Although that suffices for determining if your version is up to date or not, it does not allow for act

Re: [Wikitech-l] MediaWiki version statistics

2010-07-30 Thread Chad
On Fri, Jul 30, 2010 at 7:20 AM, Max Semenik wrote: > There's already http://www.mediawiki.org/wiki/Extension:MWReleases that does > server part of version checks for core, it could be tweaked to > supply version information for extensions, too. > It's being rewritten, FYI. -Chad

Re: [Wikitech-l] MediaWiki version statistics

2010-07-30 Thread Jeroen De Dauw
Hey, Can you provide some more information about that? Rewritten how? Cheers -- Jeroen De Dauw * http://blog.bn2vs.com * http://wiki.bn2vs.com Don't panic. Don't be evil. 50 72 6F 67 72 61 6D 6D 69 6E 67 20 34 20 6C 69 66 65! -- On 30 July 2010 17:20, Chad wrote: > On Fri, Jul 30, 2010 at 7:

Re: [Wikitech-l] MediaWiki version statistics

2010-07-30 Thread K. Peachey
On Sat, Jul 31, 2010 at 12:28 AM, Jeroen De Dauw wrote: > Hey, > >> There's already http://www.mediawiki.org/wiki/Extension:MWReleases that > does server part of version checks for core, it could be tweaked to supply > version information for extensions, too. > > Although that suffices for determi

Re: [Wikitech-l] MediaWiki version statistics

2010-07-30 Thread K. Peachey
On Sat, Jul 31, 2010 at 1:52 AM, Max Semenik wrote: > /me wrote: > >> Last time I heard about it, it had huge problems with security and >> code quality. Did anything change positively in that area over the >> last several months? If s***c developers believe that all Tim's >> concerns have been ad

Re: [Wikitech-l] MediaWiki version statistics

2010-07-30 Thread K. Peachey
On Fri, Jul 30, 2010 at 11:44 PM, Jeroen De Dauw wrote: > ..snip.. > I totally agree here with Ryan. The idea is to have the "repository" where > the version data is fetched is configurable, so it's possible to have other > distributors than the WMF, and to turn off the feature entirely. > > I'm cu

Re: [Wikitech-l] MediaWiki version statistics

2010-08-01 Thread Aryeh Gregor
On Fri, Jul 30, 2010 at 10:28 PM, K. Peachey wrote: > I would highly unrecommend having the update feature in there, we > already highly recommend against running as a db user with certain > admin rights amongst other things, this feature will probably end up > breaking more installs than upda

Re: [Wikitech-l] MediaWiki version statistics

2010-08-01 Thread David Gerard
On 1 August 2010 19:14, Aryeh Gregor wrote: > If I'm interpreting this right, you're saying that upgrades can break > stuff, so people should stick to versions with known security flaws. > This is a defensible position in practice, but it doesn't justify > making upgrades unnecessarily hard. I

Re: [Wikitech-l] MediaWiki version statistics

2010-08-01 Thread Edward Z. Yang
Hello Tim, I'd like to contribute a somewhat different (although I suppose common) perspective to this discussion. I help run a free-for-the-community shared webhosting service, and one of the services we have is "automatic installation" of common web applications for people who don't know very m

Re: [Wikitech-l] MediaWiki version statistics

2010-08-01 Thread Platonides
Edward Z. Yang wrote: > We've noticed several things: > > - When Wordpress 3.0 came out, we received several support tickets > asking us when we would be pushing an upgrade, and asked us if > anything bad would happen if they went ahead and upgraded their > install themselves

Re: [Wikitech-l] MediaWiki version statistics

2010-08-01 Thread Edward Z. Yang
Excerpts from Platonides's message of Sun Aug 01 17:39:19 -0400 2010: > I'm not sure that's comparable. If WordPress complains for being an old > version, unsavvy users will want it to be upgraded for them. Whereas if > they watched the relevant mailing list they probably have the required > skills

Re: [Wikitech-l] MediaWiki version statistics

2010-08-01 Thread Platonides
Edward Z. Yang wrote: >> There's probably some interesting knowledge on looking how they patched >> it, but I don't know how to easily extract it. > > A good starting point would probably be "most edited files". > > Cheers, > Edward I'm open for any data :) My guess is that the most edited files

Re: [Wikitech-l] MediaWiki version statistics

2010-08-01 Thread K. Peachey
On Mon, Aug 2, 2010 at 4:14 AM, Aryeh Gregor wrote: > If I'm interpreting this right, you're saying that upgrades can break > stuff, so people should stick to versions with known security flaws. > This is a defensible position in practice, but it doesn't justify > making upgrades unnecessarily har

Re: [Wikitech-l] MediaWiki version statistics

2010-08-01 Thread Aryeh Gregor
On Sun, Aug 1, 2010 at 6:27 PM, K. Peachey wrote: > No I'm saying not to use an automated update version within an extension > which for example has been shown to break things in other web based > packages (Wordpress has apparently fixed it since the horrible times > when I last attempted). I don't

Re: [Wikitech-l] MediaWiki version statistics

2010-08-01 Thread David Gerard
On 2 August 2010 00:29, Aryeh Gregor wrote: > On Sun, Aug 1, 2010 at 6:27 PM, K. Peachey wrote: >> So every time someone that creates/modifies an extension wants to >> update its version number? which is why it was recommended to go wiki >> base, but that as well has its flaws. > I really don't t

Re: [Wikitech-l] MediaWiki version statistics

2010-08-01 Thread Jeroen De Dauw
> A quick glance at the WP site docs didn't answer the question of how (or if) they secure this process. Asking would probably be good (whoever's doing the updater work). I've been looking at how WP works here and concluded this is basically not documented at all (from a developers perspective). O

Re: [Wikitech-l] MediaWiki version statistics

2010-08-02 Thread Gerard Meijssen
Hoi, The big problem with upgrading MediaWiki is the upgrading of extensions. It is not documented anywhere if extensions will work with a specific release of MediaWiki. Being able to install extensions is a great thing when you know upfront that the extensions you are interested in will actually w

Re: [Wikitech-l] MediaWiki version statistics

2010-08-02 Thread Roan Kattouw
2010/8/2 Gerard Meijssen : > Hoi, > The big problem with upgrading MediaWiki is the upgrading of extensions. It > is not documented anywhere if extensions will work with a specific release > of MediaWiki. Being able to install extensions is a great thing when you > know upfront that the extensions

Re: [Wikitech-l] MediaWiki version statistics

2010-08-02 Thread Lane, Ryan
> We branch and tag extensions along with versions of MediaWiki, so the > code found at > http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_15_5/extensions/ > is supposed to work with MW 1.15.5. However, this assumes that the > trunk version of each extension worked with the trunk version of MW

Re: [Wikitech-l] MediaWiki version statistics

2010-08-02 Thread Lane, Ryan
> I've been looking at how WP works here and concluded this is > basically not > documented at all (from a developers perspective). On the WP > IRC nobody > seems to know anything about it, and my looking through the > code itself has > gotten me few insights into how updates and installation is

Re: [Wikitech-l] MediaWiki version statistics

2010-08-02 Thread Jacopo Corbetta
On Fri, Jul 30, 2010 at 06:35, Tim Starling wrote: > However, the statistics presented by Qualys show that an alarming > number of people are running versions of MediaWiki older than 1.14.1, > which was the most recent fix for an XSS vulnerability exploitable > without special privileges. There is

Re: [Wikitech-l] MediaWiki version statistics

2010-08-02 Thread Gerard Meijssen
Hoi, Pointing out that the maintainer of an extension is responsible for the proper functioning of an extension tells me who to blame. For a tool intended to upgrade a MediaWiki environment this is hardly relevant, particularly for the extensions that the WMF does not run itself there is no way of k

Re: [Wikitech-l] MediaWiki version statistics

2010-08-02 Thread Max Semenik
On 02.08.2010, 18:01 Jacopo wrote: > My gut feeling is that the "preference" for 1.12 is simply due to its > inclusion in Debian stable [1]. The maintainer seems to be actively > backporting security fixes [2], so while I agree that these versions > may enjoy less community support, they should no

Re: [Wikitech-l] MediaWiki version statistics

2010-08-02 Thread Jeroen De Dauw
> Would it not be enough to hash all extensions on the distributor side, and > to check the hash sum on the client side using https for the connection? I guess this would suffice for ensuring integrity, but what about the other distribution meta-data? Where to get it from, how to manipulate it, an

Re: [Wikitech-l] MediaWiki version statistics

2010-08-02 Thread Platonides
Jeroen De Dauw wrote: >> Would it not be enough to hash all extensions on the distributor side, and >> to check the hash sum on the client side using https for the connection? > > I guess this would suffice for ensuring integrity, but what about the other > distribution meta-data? Where to get it

Re: [Wikitech-l] MediaWiki version statistics

2010-08-05 Thread Tim Starling
On 03/08/10 00:01, Jacopo Corbetta wrote: > I haven't read all the documents, but have these researchers taken > into account backported fixes? No. Their work mostly revolves around defeating version number obfuscation by correlating various properties of the application with the version number. T

Re: [Wikitech-l] MediaWiki version statistics

2010-08-05 Thread OQ
On Thu, Aug 5, 2010 at 10:13 AM, Tim Starling wrote: > Or indeed, that they don't create > new bugs that are even worse (as Kurt Roeckx did with his famous fix > for some spurious valgrind warnings in OpenSSL). > The onus isn't 100% on Debian, partial blame can be on the OpenSSL team for not sayi

Re: [Wikitech-l] MediaWiki version statistics

2010-08-05 Thread Aryeh Gregor
On Thu, Aug 5, 2010 at 11:37 AM, OQ wrote: > The onus isn't 100% on Debian, partial blame can be on the OpenSSL > team for not saying "Hey that's a stupid idea" when he asked about his > 'fix'. The one applying the patch bears full responsibility for what happens. If they don't understand the co