[Wikitech-l] TechCom Radar, 2018-03-14

2018-03-15 Thread Kate Chapman
Hi All, Here are the minutes from this week's meeting: * RFC Approved: Whitespace stripping * Reminder RFC on Last Call (closing on 2018-03-21 at 3pm PST (21:00 UTC, 22:00 CET)): Normalize change tag schema

Re: [Wikitech-l] What ways are there to include user-edited JavaScript in a wiki page? (threat model: crypto miners)

2018-03-15 Thread Eran Rosenthal
Lego already did a script to verify no external resources are loaded: https://phabricator.wikimedia.org/T71519 I think there is a Jenkins job running it on regular basis On Thu, Mar 15, 2018 at 6:30 AM, MZMcBride wrote: > David Gerard wrote: > >What ways are there to include

Re: [Wikitech-l] PHP7 expectations (zero-cost assertions)

2018-03-15 Thread Stas Malyshev
Hi! > PHP7's expectations seem like they started fixing those issues, although > eval()-like use is still an option and exception-throwing seems to not be > the default. eval mode is deprecated in 7.2 which means that nobody should use it anymore. It's likely would not be deleted until the

Re: [Wikitech-l] PHP7 expectations (zero-cost assertions)

2018-03-15 Thread Stas Malyshev
Hi! > But I worry about the perf implications of these lines of code. I don't > want these assertions to be used to track errors in production mode. > > PHP7 introduced expectations which permit to have zero-cost assert() [1] > Looking at the MW codebase we don't seem to use assert frequently

Re: [Wikitech-l] PHP7 expectations (zero-cost assertions)

2018-03-15 Thread David Causse
On Thu, Mar 15, 2018 at 3:57 PM, Brad Jorsch (Anomie) wrote: > > > PHP7's expectations seem like they started fixing those issues, although > eval()-like use is still an option and exception-throwing seems to not be > the default. > indeed I must admit that it's rather

Re: [Wikitech-l] PHP7 expectations (zero-cost assertions)

2018-03-15 Thread Brad Jorsch (Anomie)
On Thu, Mar 15, 2018 at 10:39 AM, David Causse wrote: > The biggest take-away (for me) of the discussion is: > Pros: > - perf: zero-cost assertions > Cons: > - the benefits of zero-cost assertion is not worth the risk in a moving > code-base like MW. > The biggest

Re: [Wikitech-l] PHP7 expectations (zero-cost assertions)

2018-03-15 Thread David Causse
The biggest take-away (for me) of the discussion is: Pros: - perf: zero-cost assertions Cons: - the benefits of zero-cost assertion is not worth the risk in a moving code-base like MW. The argument is that even in the case of assert being used properly (to expose strong expectations that cannot be

Re: [Wikitech-l] PHP7 expectations (zero-cost assertions)

2018-03-15 Thread Brad Jorsch (Anomie)
On Thu, Mar 15, 2018 at 9:42 AM, David Causse wrote: > Looking at the MW codebase we don't seem to use assert frequently (only 26 > files [2] ). > We generally use the wikimedia/assert library[3] instead. That's used a lot more often.[4] The README.md for that library

Re: [Wikitech-l] PHP7 expectations (zero-cost assertions)

2018-03-15 Thread Cormac Parle
Was the conclusion “don’t use assert()”? It’s not really that clear to me (fwiw I've always felt a bit squiffy about assert()s in production code, because it’s easy to make a php config mistake and get errors happening all over the place) > On 15 Mar 2018, at 14:17, David Causse

Re: [Wikitech-l] PHP7 expectations (zero-cost assertions)

2018-03-15 Thread David Causse
Replying to myself: I just found some discussions here: https://lists.gt.net/wiki/wikitech/378676 I bet that the new assert features in PHP7 don't change the conclusions here, so please ignore my e-mail and sorry for the noise. On Thu, Mar 15, 2018 at 2:42 PM, David Causse

[Wikitech-l] PHP7 expectations (zero-cost assertions)

2018-03-15 Thread David Causse
Hi, Sometimes I find adding assert() calls in my code very handy for various reasons: - failures in development mode on some complex code where exposing all the details to unit tests is sometimes hard and/or pointless - readability of the code But I worry about the perf implications of these

[Wikitech-l] 2018-03-14 Scrum of Scrums meeting notes

2018-03-15 Thread Grace Gellerman
https://www.mediawiki.org/wiki/Scrum_of_scrums/2018-03-14 = 2018-03-14 = = date = == Callouts == * Fundraising campaigns https://meta.wikimedia.org/wiki/CentralNotice/Calendar - next up: Netherlands 2018-04-03 through 2018-05-01 * [Performance] Editing: Someone familiar with VisualEditor should

Re: [Wikitech-l] What ways are there to include user-edited JavaScript in a wiki page? (threat model: crypto miners)

2018-03-15 Thread Gergo Tisza
On Wed, Mar 14, 2018 at 9:14 AM, Jon Robson wrote: > It has always made me a little uneasy that there are wiki pages where > JavaScript could potentially be injected into my page without my approval. > To be honest if I had the option I would disable all site and user