Hey,

As many of you probably already know, my Google Summer of Code project [0]
aims at providing this exact "dial home" functionality, for both MediaWiki
core and extensions. (The project's goal is wider than this, but this is
included as one of the main features.)

> If MediaWiki dials home, it should be configurable in such a way that it
> can be turned off. There are instances in use in places that would prefer
> not to have their presence known. Enterprise use in general fits this category.

I totally agree here with Ryan. The idea is to have the "repository" from which
the version data is fetched be configurable, so it's possible to have other
distributors than the WMF, and to turn off the feature entirely.

I'm currently looking into the repository and package fetching parts to
allow for such "dialling home". MediaWiki.org seems the obvious choice to
have the main repository on. There are many ways to then provide the needed
data. Personally I think the best approach would be to install Semantic
MediaWiki (yes, I used the s-word!) so data from the extension pages can be
queried and shown in a distribution metadata format. That might require a
small extension for some new special pages, and some scripts to collect
other existing version data and put it into the wiki.

Is it possible to get SMW onto MW.org? This would also finally be a proof of
concept of SMW on a WMF wiki, on which a lot of people have been waiting a
long time now.

With only a little over 3 weeks left in GSoC, I have little doubt this
project will not be finished, so any help in any form is definitely welcome.


[0] https://secure.wikimedia.org/wikipedia/mediawiki/wiki/Deployment

Cheers

--
Jeroen De Dauw
* http://blog.bn2vs.com
* http://wiki.bn2vs.com
Don't panic. Don't be evil. 50 72 6F 67 72 61 6D 6D 69 6E 67 20 34 20 6C 69
66 65!
--
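A small model of the opt-out, configurable-repository version check described above, added here as an example; it is not code from the GSoC project or from MediaWiki. The config class, the fetch callback and the repository metadata are assumptions made for the example, and the 1.14.1 cut-off is taken from Tim's message below.

```python
"""Opt-out, configurable-repository version check ("dial home").
Added example, not MediaWiki or GSoC project code; names and repository
data below are assumptions / constructed samples."""
import re
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Constructed sample of the distribution metadata a repository might serve;
# min_secure mirrors the 1.14.1 cut-off for the last unprivileged XSS fix.
SAMPLE_REPOSITORY = {"core": {"latest": "1.16.0", "min_secure": "1.14.1"}}


@dataclass
class VersionCheckConfig:
    enabled: bool = False                 # off by default: no request until the admin opts in
    repository_url: Optional[str] = None  # any distributor, not only the WMF


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.16.0rc1' -> (1, 16, 0); non-numeric suffixes are ignored."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Comparator result -1/0/1; '1.16' and '1.16.0' compare equal."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def check_for_update(installed: str, cfg: VersionCheckConfig,
                     fetch_json: Callable[[str], dict]) -> Tuple[str, Optional[str]]:
    """Return (status, latest). Nothing is sent anywhere when the check is disabled."""
    if not cfg.enabled or not cfg.repository_url:
        return ("disabled", None)
    core = fetch_json(cfg.repository_url)["core"]  # only the configured repository is contacted
    if compare_versions(installed, core["min_secure"]) < 0:
        return ("insecure", core["latest"])  # the case that warrants a prominent notice
    if compare_versions(installed, core["latest"]) < 0:
        return ("outdated", core["latest"])
    return ("current", None)


def offline_fetch(url: str) -> dict:
    """Stand-in for an HTTP fetch so the example runs without a network."""
    return SAMPLE_REPOSITORY
```

With the default config the wiki never contacts anything; an administrator has to set both fields to opt in.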


On 30 July 2010 06:35, Tim Starling <tstarl...@wikimedia.org> wrote:

> Cross-posted to
> <http://techblog.wikimedia.org/2010/07/mediawiki-version-statistics/>
>
> Some kind people at Qualys have surveyed versions of open source web
> apps present on the web, including MediaWiki. Here is the relevant
> page from their presentation:
>
> http://wimg.co.uk/3jK.png
>
> For the original see:
>
> https://community.qualys.com/docs/DOC-1401
>
> And the press release:
>
> <http://www.qualys.com/company/newsroom/newsreleases/usa/view/2010-07-28/>
>
> They make the point that 95% of MediaWiki installations have a
> "serious vulnerability", whereas only 4% of WordPress installations
> do. While WordPress's web-based upgrade utility certainly has a
> positive impact on security, I feel I should point out that what
> WordPress counts as a serious vulnerability does not align with
> MediaWiki's definition of the same term.
>
> For instance, if a web-based user could execute arbitrary PHP code on
> the server, compromising all data and user accounts, we would count
> that as the most serious sort of vulnerability, and we would do an
> immediate release to fix it. We're proud of the fact that we haven't
> had any such vulnerability in a stable release since 1.5.3 (December
> 2005).
>
> However in WordPress, they count this as a feature, and all
> administrators can do it. Similarly, WordPress avoids the difficult
> problem of sanitising HTML and CSS while preserving a rich feature set
> by simply allowing all authors to post raw HTML.
>
> If you are running MediaWiki in a CMS-like mode, with whitelist edit
> and account creation restricted, then I think it's fair to say that in
> terms of security, you're better off with MediaWiki 1.14.1 or later
> than you are with the latest version of WordPress.
>
> However, the statistics presented by Qualys show that an alarming
> number of people are running versions of MediaWiki older than 1.14.1,
> which was the most recent fix for an XSS vulnerability exploitable
> without special privileges. There is certainly room for us to do better.
>
> We have a new installer project in development, which we hope to
> release in 1.17. It includes a feature which encourages users to sign
> up for our release announcements mailing list. But maybe we need to do
> more. Should we take a leaf from WordPress's book, and nag
> administrators with a prominent notice when they are not using the
> latest version? Such a feature would require MediaWiki to "dial home",
> which is controversial in our developer community.
>
> -- Tim Starling
>
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>