[Wikitech-l] Re: [Wikimedia-l] Re: Re: Uplifting the multimedia stack (was: Community Wishlist Survery)

2022-01-10 Thread bawolff
Honestly, I find the "not in the annual plan" thing more damning than the
actual issue at hand.

The core competency of WMF is supposed to be keeping the site running. WMF
does a lot of things, some of them very useful, others less so, but at its
core its mission is to keep the site going. Everything else should be
secondary to that.

It should be obvious that running a 300 TB+ media store servicing 70
billion requests a month requires occasional investment and maintenance

And yet, this was not only not in this year's annual plan, it has been
ignored in the annual plan for many many years. We didn't get to this state
by just 1 year of neglect.

Which raises the question - If WMF is not in the business of keeping the
Wikimedia sites going, what is it in the business of?

On Tue, Jan 11, 2022 at 6:01 AM Kunal Mehta wrote:

> Hi,
>
> On 1/1/22 12:10, Asaf Bartov wrote:
> > It seems to me there are *very few* people who could change status quo,
> > not much more than a handful: the Foundation's executive leadership (in
> > its annual planning work, coming up this first quarter of 2022), and the
> > Board of Trustees.
>
> If the goal is to get paid WMF staff to fix the issues, then you're
> correct. However, I do not believe that as a solution is healthy
> long-term. The WMF isn't perfect and I don't think it's desirable to
> have a huge WMF that tries to do everything and has a monopoly on
> technical prioritization.
>
> The technical stack must be co-owned by volunteers and paid staff from
> different orgs at all levels. It's significantly more straightforward
> now for trusted volunteers to get NDA/deployment access than it used to
> be, there are dedicated training sessions, etc.
>
> Given that the multimedia stack is neglected and the WMF has given no
> indication it intends to work on/fix the problem, we should be
> recruiting people outside the WMF's paid staff who are interested in
> working on this and give them the necessary access/mentorship to get it
> done. Given the amount of work on e.g. T40010[1] to develop an
> alternative SVG renderer, I'm sure those people exist.
>
> Take moving Thumbor to Buster[2] for example. That requires
> forward-porting some Debian packages written in Python, and then testing in
> WMCS that there's no horrible regressions in newer imagemagick, librsvg,
> etc. I'm always happy to mentor people w/r to Debian packaging (and have
> done so in the past), and there are a decent amount of people in our
> community who know Python, and likely others from the Commons community
> who would be willing to help with testing and dealing with whatever
> fallout.
>
> So I think the status quo can be changed by just about anyone who is
> motivated to do so, not by trying to convince the WMF to change its
> prioritization, but just by doing the work. We should be empowering
> those people rather than continuing to further entrench a WMF technical
> monopoly.
>
> [1] https://phabricator.wikimedia.org/T40010
> [2] https://phabricator.wikimedia.org/T216815
>
> -- Legoktm
> ___
> Wikitech-l mailing list -- wikitech-l@lists.wikimedia.org
> To unsubscribe send an email to wikitech-l-le...@lists.wikimedia.org
> https://lists.wikimedia.org/postorius/lists/wikitech-l.lists.wikimedia.org/
>

[Wikitech-l] Re: [Wikimedia-l] Re: Re: Uplifting the multimedia stack (was: Community Wishlist Survery)

2022-01-10 Thread Kunal Mehta

Hi,

On 1/1/22 12:10, Asaf Bartov wrote:
> It seems to me there are *very few* people who could change status quo,
> not much more than a handful: the Foundation's executive leadership (in
> its annual planning work, coming up this first quarter of 2022), and the
> Board of Trustees.


If the goal is to get paid WMF staff to fix the issues, then you're 
correct. However, I do not believe that as a solution is healthy 
long-term. The WMF isn't perfect and I don't think it's desirable to 
have a huge WMF that tries to do everything and has a monopoly on 
technical prioritization.


The technical stack must be co-owned by volunteers and paid staff from 
different orgs at all levels. It's significantly more straightforward 
now for trusted volunteers to get NDA/deployment access than it used to 
be, there are dedicated training sessions, etc.


Given that the multimedia stack is neglected and the WMF has given no 
indication it intends to work on/fix the problem, we should be 
recruiting people outside the WMF's paid staff who are interested in 
working on this and give them the necessary access/mentorship to get it 
done. Given the amount of work on e.g. T40010[1] to develop an 
alternative SVG renderer, I'm sure those people exist.


Take moving Thumbor to Buster[2] for example. That requires 
forward-porting some Debian packages written in Python, and then testing in
WMCS that there's no horrible regressions in newer imagemagick, librsvg, 
etc. I'm always happy to mentor people w/r to Debian packaging (and have 
done so in the past), and there are a decent amount of people in our 
community who know Python, and likely others from the Commons community 
who would be willing to help with testing and dealing with whatever fallout.


So I think the status quo can be changed by just about anyone who is 
motivated to do so, not by trying to convince the WMF to change its 
prioritization, but just by doing the work. We should be empowering 
those people rather than continuing to further entrench a WMF technical 
monopoly.


[1] https://phabricator.wikimedia.org/T40010
[2] https://phabricator.wikimedia.org/T216815

-- Legoktm


[Wikitech-l] MediaWiki Extensions and Skins Security Release Supplement (1.35.5/1.36.3/1.37.1)

2022-01-10 Thread Maryum Styles
Greetings-

With the security/maintenance release of MediaWiki 1.35.5/1.36.3/1.37.1 [0], we 
would also like to provide this supplementary announcement of MediaWiki 
extensions and skins with now-public Phabricator tasks, security patches and 
backports [1]:



== Dynamic Page List 3 / DPL3 ==

+ (T292351, CVE-2021-41118) - ReDoS in DPL3

https://github.com/Universal-Omega/DynamicPageList3/security/advisories/GHSA-8f24-q75c-jhf4



== CheckUser ==

+ (T292795, CVE-2021-46150) - XSS Vulnerability in Special:CheckUserLog

https://gerrit.wikimedia.org/r/q/If7cd112e627f47f9aca69b380dde1634bf55f789



== WikibaseMediaInfo ==

+ (T293556, CVE-2021-46146) - Stored XSS via WikibaseMediaInfo caption fields

https://gerrit.wikimedia.org/r/q/I58d37fb59f998f5bec4a018bf9da96a777f8ff78



== UniversalLanguageSelector ==

+ (T293749, CVE-2021-46149) - /w/api.php?action=languagesearch denial of service

https://gerrit.wikimedia.org/r/q/Ide32704cca578b9aecbce34bdcc0ac25c2a09a4d



== SecurePoll ==

+ (T290808, CVE-2021-46148) - Users with no NDA can access confidential information

https://gerrit.wikimedia.org/r/q/Ic7510be487a1bf9215de9ae6cf4a26fad96384c9



== Wikibase ==

+ (T294693, CVE-2021-45473) - XSS on page information Wikibase central description

https://gerrit.wikimedia.org/r/q/I3cd080a1a7dacd7396d37ee0c98cff0b4e241f8d



== FileImporter ==

+ (T296605, CVE-2021-45474) - XSS in Special:ImportFile URL

https://gerrit.wikimedia.org/r/q/Id1c8910aeac5b452fbabeddab70360765518223e



== EntitySchema ==

+ (T296578, CVE-2021-45471) - Globally blocked IPs can edit EntitySchema items

https://gerrit.wikimedia.org/r/q/Iac86cf63bd014ef99e83dccfce9b8942e15d2bf9, 
https://gerrit.wikimedia.org/r/q/Id9af124427bcd1e85301d2140a38bf47bbc5622c



== Wikibase ==

+ (T297570, CVE-2021-45472) - XSS in Wikibase using formatter URL

https://gerrit.wikimedia.org/r/q/I37ece1dfdc80d38055067c9c4fa73ba591acd8bd



The Wikimedia Security Team recommends updating these extensions and/or skins 
to the current master branch or relevant, supported release branch [2] as soon 
as possible. Some of the referenced Phabricator tasks above _may_ still be 
private. Unfortunately, when security issues are reported, sometimes sensitive 
information is exposed and since Phabricator is historical, we cannot make 
these tasks public without exposing this sensitive information. If you have any 
additional questions or concerns regarding this update, please feel free to 
contact secur...@wikimedia.org or file a security task within Phabricator [3].



Note: The SecurePoll Extension had other enhancements that were related to the 
security bug [4] but did not address the security concerns directly. See 
Phabricator [5] for more information.



[0] https://lists.wikimedia.org/hyperkitty/list/mediawiki-annou...@lists.wikimedia.org/thread/QEN3EK4JXAVJMJ5GF3GYOAKNJPEKFQYA/

[1] https://phabricator.wikimedia.org/T292236

[2] https://www.mediawiki.org/wiki/Version_lifecycle

[3] https://www.mediawiki.org/wiki/Reporting_security_bugs

[4] https://phabricator.wikimedia.org/T290808

[5] https://phabricator.wikimedia.org/T277353

[Wikitech-l] Re: Regarding Problem in Setting-up development environment .

2022-01-10 Thread Siddharth VP
Try running grunt build manually before npm start. If grunt build doesn't
work, try npx grunt build.

If the issue persists, please use the project-specific issue board which in
this case is https://github.com/WPAFC/afch-rewrite/issues

On Mon, 10 Jan 2022 at 17:44, Ameygupta wrote:

> Hi, I tried hard to set up the development environment but kept facing this
> same issue regularly.
>
> ERROR:
> [
> DELL@DESKTOP-CPI6VGS MINGW64 ~/OneDrive/Desktop/git/afch-rewrite (master)
> $ npm install
>
> up to date, audited 575 packages in 4s
>
> 51 packages are looking for funding
>   run `npm fund` for details
>
> 4 vulnerabilities (2 moderate, 2 high)
>
> To address all issues (including breaking changes), run:
>   npm audit fix --force
>
> Run `npm audit` for details.
>
> DELL@DESKTOP-CPI6VGS MINGW64 ~/OneDrive/Desktop/git/afch-rewrite (master)
> $ npm start
>
> > afch-rewrite@0.9.1 start
> > node server.js
>
> No file found at build/afch.css; building it with "grunt build"...
> 'github\afch-rewrite\node_modules\.bin\' is not recognized as an internal or external command,
> operable program or batch file.
> node:internal/modules/cjs/loader:936
>   throw err;
>   ^
>
> Error: Cannot find module 'C:\Users\DELL\OneDrive\Desktop\grunt\bin\grunt'
>     at Function.Module._resolveFilename (node:internal/modules/cjs/loader:933:15)
>     at Function.Module._load (node:internal/modules/cjs/loader:778:27)
>     at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:81:12)
>     at node:internal/main/run_main_module:17:47 {
>   code: 'MODULE_NOT_FOUND',
>   requireStack: []
> }
> The grunt build failed. Check the output, fix any errors, and try again.
> ]

[Wikitech-l] Regarding Problem in Setting-up development environment .

2022-01-10 Thread Ameygupta
Hi, I tried hard to set up the development environment but kept facing this same issue regularly.

ERROR:
[
DELL@DESKTOP-CPI6VGS MINGW64 ~/OneDrive/Desktop/git/afch-rewrite (master)
$ npm install

up to date, audited 575 packages in 4s

51 packages are looking for funding
  run `npm fund` for details

4 vulnerabilities (2 moderate, 2 high)

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

DELL@DESKTOP-CPI6VGS MINGW64 ~/OneDrive/Desktop/git/afch-rewrite (master)
$ npm start

> afch-rewrite@0.9.1 start
> node server.js

No file found at build/afch.css; building it with "grunt build"...
'github\afch-rewrite\node_modules\.bin\' is not recognized as an internal or external command,
operable program or batch file.
node:internal/modules/cjs/loader:936
  throw err;
  ^

Error: Cannot find module 'C:\Users\DELL\OneDrive\Desktop\grunt\bin\grunt'
    at Function.Module._resolveFilename (node:internal/modules/cjs/loader:933:15)
    at Function.Module._load (node:internal/modules/cjs/loader:778:27)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:81:12)
    at node:internal/main/run_main_module:17:47 {
  code: 'MODULE_NOT_FOUND',
  requireStack: []
}
The grunt build failed. Check the output, fix any errors, and try again.
]