Re: [Wikitech-l] Upgrading to 1.23

2014-06-18 Thread krinklem...@gmail.com
On 13 Jun 2014, at 01:28, MZMcBride wrote:

> [..] companies put wikis on an intranet is that sysadmins don't
> trust large PHP applications (with good reason). Plus, when you're running
> a particularly old version of MediaWiki, many of the newer security
> vulnerabilities are irrelevant as they rely on code paths that didn't
> exist previously. For example, the XSS vulnerability in the info action
> wouldn't affect a wiki running 1.15.3, nor would a vulnerability in
> Special:Upload that was introduced in September 2009, assuming 1.15 was
> branched in March 2009, as mediawiki.org's "Branch points" page states.
> 
> That said, MediaWiki maintainers should absolutely try to keep up to date,
> but it's annoying to do. One of my old wikis is running 1.12.0 still. :-)
> Upgrading MediaWiki core and its extensions is tedious and it's not
> totally unreasonable for people to want to stick with what works.
> 

And that's why we still have IE 6 and IE 7 :-)

-- Krinkle


___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Upgrading to 1.23

2014-06-12 Thread MZMcBride
Chris Steipp wrote:
>On Thu, Jun 12, 2014 at 10:15 AM, Beebe, Mary J 
>wrote:
>> 4.   General security vulnerabilities. - I would love to have any
>>specifics here.
>
>You can start with
>https://bugzilla.wikimedia.org/buglist.cgi?f1=product&f2=product&f3=creation_ts&f4=resolution&list_id=321311&o1=changedfrom&o2=equals&o3=greaterthan&o4=equals&query_format=advanced&v1=Security&v2=MediaWiki&v3=2011&v4=FIXED
>
>That's 55 reasons to upgrade :). CVE-2014-1610 is a compelling one for
>many installs.

Hmm, probably not quite 55 reasons. The original e-mail said that it was
an internal wiki running 1.15.3. Internal is somewhat ambiguous, but if
the wiki is on an intranet, most of the security issues are... not very
severe. There's usually a presumption that people on an intranet are
trusted. If there are untrusted users on the intranet, you probably have a
lot larger problems than your MediaWiki installation. Of course part of
the reason that companies put wikis on an intranet is that sysadmins don't
trust large PHP applications (with good reason). Plus, when you're running
a particularly old version of MediaWiki, many of the newer security
vulnerabilities are irrelevant as they rely on code paths that didn't
exist previously. For example, the XSS vulnerability in the info action
wouldn't affect a wiki running 1.15.3, nor would a vulnerability in
Special:Upload that was introduced in September 2009, assuming 1.15 was
branched in March 2009, as mediawiki.org's "Branch points" page states.

That said, MediaWiki maintainers should absolutely try to keep up to date,
but it's annoying to do. One of my old wikis is running 1.12.0 still. :-)
Upgrading MediaWiki core and its extensions is tedious and it's not
totally unreasonable for people to want to stick with what works.

MZMcBride




Re: [Wikitech-l] Upgrading to 1.23

2014-06-12 Thread Chris Steipp
On Thu, Jun 12, 2014 at 10:15 AM, Beebe, Mary J wrote:
> 4.   General security vulnerabilities. - I would love to have any 
> specifics here.

You can start with
https://bugzilla.wikimedia.org/buglist.cgi?f1=product&f2=product&f3=creation_ts&f4=resolution&list_id=321311&o1=changedfrom&o2=equals&o3=greaterthan&o4=equals&query_format=advanced&v1=Security&v2=MediaWiki&v3=2011&v4=FIXED

That's 55 reasons to upgrade :). CVE-2014-1610 is a compelling one for
many installs.


Re: [Wikitech-l] Upgrading to 1.23

2014-06-12 Thread Federico Leva (Nemo)
Thanks for the question. I tried to summarise in one line the single 
most compelling reason to upgrade to each recent MediaWiki release at 
.
More detailed "selling points" are in the wiki pages about each release 
and in bugzilla. What's convincing varies a lot depending on people; 
good luck, and let us know (e.g. on talk page) what convinced your 
management!


Nemo


[Wikitech-l] Upgrading to 1.23

2014-06-12 Thread Beebe, Mary J
We have several internal wikis that we maintain. We write extensions to these
wikis. We are trying to convince management to upgrade our MediaWiki version
to 1.23.x. At the same time we will upgrade our PHP version from 5.2.8 to
5.4.x. We have kept our PHP version to 5.2 because of the old MediaWiki
version.

We are currently at MediaWiki 1.15.3. As developers we know that we are way
overdue on upgrading, but no one has ever wanted to pay for it.

Some of the obvious things are:

1. Both the MediaWiki version and the PHP version are no longer
supported.

2. We do not have access to the most recent extensions.

3. Limited documentation for the old versions.

4. General security vulnerabilities. - I would love to have any specifics
here.

Does anyone have any other points that I could add that would make management
say yes? We have been reading about performance boasts. Any specifics?

I would also take any links that may be helpful.

Thanks,

Mary
