Re: [Wikitech-l] 14 January 2020 security incident on Phabricator

2020-01-20 Thread David Sharpe

That conversation helped provide more clarity.  Thank you for taking the time 
to respond!



> On Jan 20, 2020, at 11:30 PM, Pine W wrote:
> 
> Thanks for the updates, transparency, and timely notifications.
> 
> I hope that I didn't sound like I was trying to be a pest earlier in this
> thread. What may have been clear to people who are familiar with
> Phabricator 2FA was not clear to me at the time.
> 
> Pine
> ( https://meta.wikimedia.org/wiki/User:Pine )
> ___
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l



Re: [Wikitech-l] 14 January 2020 security incident on Phabricator

2020-01-20 Thread Pine W
Thanks for the updates, transparency, and timely notifications.

I hope that I didn't sound like I was trying to be a pest earlier in this
thread. What may have been clear to people who are familiar with
Phabricator 2FA was not clear to me at the time.

Pine
( https://meta.wikimedia.org/wiki/User:Pine )

Re: [Wikitech-l] 14 January 2020 security incident on Phabricator

2020-01-20 Thread Mukunda Modell
The plan is as follows:

Sometime in the near future, we will be invalidating the sessions of anyone
who has an auth factor which was potentially affected. If you were one of
the potentially affected users then the next time you log in to
Phabricator, you should see a notification directing you to reset your TOTP
auth factor. If you don't see any notice like that then you are not among
those who were potentially affected.

I will post an update here once that is done; in the meantime, you don't
need to take any action in particular.

On Fri, Jan 17, 2020 at 11:22 AM RhinosF1 - wrote:

> What about those that do?
>
> RhinosF1
>
> On Fri, 17 Jan 2020 at 15:51, David Sharpe wrote:
>
> > There is a team working on the Phabricator 2FA action item right now.
> > More to come soon…
> >
> > No action is required for people without 2FA configured within
> > Phabricator.
> >
> >
> >
> > > On Jan 17, 2020, at 10:25 AM, RhinosF1 - wrote:
> > >
> > > Can you also confirm we need to take NO action?
> > >
> > > RhinosF1
> > >
> > > On Fri, 17 Jan 2020 at 11:02, revi wrote:
> > >
> > >> Hi,
> > >>
> > >> If it is possible to do so, can you notify the people whose 2FA was
> > >> reset? I know at least a few people who use 2FA on Phab and do not
> > >> read emails from wikitech-l and/or wikimedia-l.
> > >>
> > >> Thanks!
> > >>
> > >> Sent from my iPhone
> > >>
> > >>> On 2020. 1. 17. 06:26, David Sharpe wrote:
> > >>>
> > >>> However, out of an abundance of caution, we are resetting all
> > >>> Two-Factor Authentication keys for Phabricator and invalidating the
> > >>> exposed login access tokens.
> > >>
> > >>

[Wikitech-l] [3rd parties] FYI Minerva no longer depends on MobileFrontend

2020-01-20 Thread Jon Robson
Minerva has been available as a desktop skin available on
Special:Preferences for some time, however it has had a hard dependency on
the MobileFrontend extension due to its history - originally being part of
the MobileFrontend extension.

Thanks to much of the work inside Advanced Mobile Contributions, the
Minerva skin now has a soft dependency on MobileFrontend and will not
run MobileFrontend code if it's not installed.

When operating in this mode, Minerva will operate in a simplified mode that
operates similar to the other skins Vector and Timeless. It will use jQuery
autocomplete for search and the watchstar code that lives in core. Features
such as reference popups, red link confirmation and overlays for talk and
languages will fall back to links.

The code for this change rolls out this week. The new code should only be
triggered on instances where MobileFrontend is not installed so should not
impact any wikis e.g. Wikimedia production.

This mode will not be enabled in any Wikimedia wikis, but my hope is that
it will help improve the skin architecture going into the Desktop
improvements project, which will be targeting the Vector experience.

My hope is this project will allow us to apply the lessons we have learned
in Minerva to more generalised solutions that work on traditional skins as
well and will encourage editors to improve the many templates that are not
compatible with skins like Minerva and Timeless when they operate in
responsive mode (some of which are slowly being collected in
https://en.wikipedia.org/wiki/Category:Templates_that_are_not_mobile_friendly
).

You can help this effort by installing Minerva on your local wikis and/or
using Minerva as a desktop skin on production wikis where it's available
and reporting bugs as and when you find them. If you haven't used Minerva
skin on desktop in some time, I urge you to give it a try. You will likely be
surprised by what you find.

If you are actively developing Wikimedia extensions but do not test
regularly with MobileFrontend, please do add Minerva as one of your test
skins, however please note that MobileFrontend does alter behaviour of all
skins (Vector for example ships additional responsive styles), so testing
on Minerva without MobileFrontend is not a sufficient substitute for
testing on Wikimedia's production wikis.

You can read more about the work that got us here at
https://phabricator.wikimedia.org/T171000

Thanks for your time!

[Wikitech-l] [REMINDER] Call for projects and mentors for Google Summer of Code 2020 and Outreachy Round 20 is ongoing!

2020-01-20 Thread Pavithra Eswaramoorthy
Hello everyone,


TLDR; Wikimedia will soon be applying as a mentoring organization to Google
Summer of Code 2020 and Outreachy Round 20. The application submission
deadline for GSoC is February 5th, and Outreachy is February 18th. We are
currently working on a list of interesting project ideas to include in the
application. If you have some ideas for coding or non-coding (design,
documentation, translation, outreach, research) projects, share them here:
https://phabricator.wikimedia.org/T241019.


Timeline

As a mentor, you will be engaging potential candidates in the application 
period – for GSoC between February 20th–March 16th and for Outreachy between 
March 3rd–April 7th. During this time, you will help candidates make small 
contributions to your project and answer any project related queries. You will 
be working more closely with the accepted candidates during the coding period 
between May-August.


Project ideas

We have started compiling a list of projects, that you can take a look at here:

https://www.mediawiki.org/wiki/Google_Summer_of_Code/2020,

https://www.mediawiki.org/wiki/Outreachy/Round_20


If you don’t have an idea in mind and would like to pick one from an existing 
list, check out these projects: 
https://phabricator.wikimedia.org/tag/outreach-programs-projects/


Through GSoC, you can mentor only coding but with Outreachy also non-coding 
projects (including design, translation, outreach, etc.). Last year, 
documentation improvements to over 100 pages related to the MediaWiki Action 
API on MediaWiki.org happened via three GSoC + Outreachy projects.


Some tips for proposing projects

  *   Follow this task description template when you propose a project in
      Phabricator: https://phabricator.wikimedia.org/tag/outreach-programs-projects/.
      Add #Google-Summer-of-Code (2020) or #Outreachy (Round 20) tag to it.

  *   Remember, the project should require an experienced developer ~15 days to
      complete and a newcomer ~3 months.

  *   Each project should have at least 2 mentors, and one of them should hold
      a technical background.

  *   When it comes to picking a project, you could propose one that is:

      *   Relevant for your language community or brings impact to the Wikimedia
          ecosystem in the future.

      *   Welcoming and newcomer-friendly and has a moderate learning curve.

      *   A new idea you are passionate about, there are no deadlines attached
          to it; you always wanted to see it happen but couldn't due to lack of
          resources help!

      *   About developing a standalone tool (possibly hosted on Wikimedia
          Toolforge), with fewer dependencies on Wikimedia's core infrastructure, and
          doesn't necessarily require a specific programming language, etc.


To learn more about the roles and responsibilities of a mentor, visit our 
resources on MediaWiki.org: https://www.mediawiki.org/wiki/Outreachy/Mentors, 
https://www.mediawiki.org/wiki/Google_Summer_of_Code/Mentors.


Cheers,

Pavithra & Srishti
