[Wikidata-bugs] [Maniphest] [Commented On] T191638: Security review of symfony/validator library

2018-05-09 Thread RazShuty
RazShuty added a comment.
Resolved by email:
F18096951: Screen Shot 2018-05-09 at 12.45.27.png

TASK DETAIL
https://phabricator.wikimedia.org/T191638

EMAIL PREFERENCES
https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: RazShuty
Cc: Reedy, Aklapper, Pablo-WMDE, Addshore, Jakob_WMDE, RazShuty, Lydia_Pintscher, WMDE-leszek, Lahi, Gq86, GoranSMilovanovic, QZanden, EBjune, LawExplorer, dpatrick, Luke081515, Wikidata-bugs, aude, JanZerebecki, Darkdadaah, csteipp, Mbch331, Jay8g, Legoktm
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs


[Wikidata-bugs] [Maniphest] [Commented On] T191638: Security review of symfony/validator library

2018-05-02 Thread RazShuty
RazShuty added a comment.
Hey @Reedy,

May I ask for a resolution for this ticket? We have our release on May 23rd and we are stuck on it...

I'm happy that we filed it to T192453: Remove requirement for security review of well maintained third party libraries, but we really need to resolve it asap.

Thanks,
Raz.


[Wikidata-bugs] [Maniphest] [Commented On] T191638: Security review of symfony/validator library

2018-04-12 Thread Addshore
Addshore added a comment.

In T191638#4126956, @WMDE-leszek wrote:
But in fact it feels more flexible and right (tm) to allow the user library what part of it they want to use etc. 
To have something graspable, I made a proof of concept of what we might be talking about: https://gerrit.wikimedia.org/r/#/c/425820/


+1


[Wikidata-bugs] [Maniphest] [Commented On] T191638: Security review of symfony/validator library

2018-04-12 Thread WMDE-leszek
WMDE-leszek added a comment.
But in fact it feels more flexible and right (tm) to allow the user library what part of it they want to use etc. 
To have something graspable, I made a proof of concept of what we might be talking about: https://gerrit.wikimedia.org/r/#/c/425820/


[Wikidata-bugs] [Maniphest] [Commented On] T191638: Security review of symfony/validator library

2018-04-12 Thread WMDE-leszek
WMDE-leszek added a comment.
That would probably have been the right way (tm) of doing things. But it is also not code owned by us.

I'm going to try getting .gitattributes to those two libs, although looking at the history, Symfony folks seem to have been removing .gitattributes rather than adding them.


[Wikidata-bugs] [Maniphest] [Commented On] T191638: Security review of symfony/validator library

2018-04-12 Thread Reedy
Reedy added a comment.
Isn't that .gitattributes job?


[Wikidata-bugs] [Maniphest] [Commented On] T191638: Security review of symfony/validator library

2018-04-12 Thread Addshore
Addshore added a comment.

In T191638#4123868, @Pablo-WMDE wrote:
@Reedy If it helps we can certainly look into adding validator's /tests to .gitignore - so it does not make it onto disk.


Not loading /tests from libraries in the mediawiki-vendor lib should already be done.
For wmde controlled repos this is done using a .gitattributes file in the repo root.
https://github.com/wmde/WikibaseDataModel/blob/master/.gitattributes#L10

For external libraries we could probably enforce a .gitignore rule always excluding tests from the mediawiki-vendor dir.
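
A way to check the concern discussed in this thread, that library test directories can sit on disk even when they are excluded from autoloading, as an added example that is not part of the thread or of any Wikimedia tooling: the script walks a Composer-style `vendor/<vendor>/<package>` tree and reports each test directory it finds, together with whether the package's own `.gitattributes` marks that path `export-ignore`. The directory names, the `acme/*` sample packages and the literal-path matching are assumptions of the example.

```python
import os
import tempfile

# Directory names treated as test trees: an assumption of this example.
TEST_DIR_NAMES = {"tests", "Tests", "test"}

def export_ignored(package_dir):
    """Paths a package marks export-ignore (literal paths only, no glob handling)."""
    path = os.path.join(package_dir, ".gitattributes")
    if not os.path.isfile(path):
        return set()
    with open(path, encoding="utf-8") as fh:
        rows = [line.split() for line in fh if not line.lstrip().startswith("#")]
    return {r[0].strip("/") for r in rows if "export-ignore" in r[1:]}

def audit_vendor(vendor_dir):
    """Return (package, test_dir, declared_export_ignore) for test dirs found on disk."""
    findings = []
    for vendor in sorted(os.listdir(vendor_dir)):
        vpath = os.path.join(vendor_dir, vendor)
        if not os.path.isdir(vpath):
            continue  # plain files such as vendor/autoload.php
        for pkg in sorted(os.listdir(vpath)):
            ppath = os.path.join(vpath, pkg)
            if not os.path.isdir(ppath):
                continue
            ignored = export_ignored(ppath)
            for root, dirs, _files in os.walk(ppath):
                for d in sorted(set(dirs) & TEST_DIR_NAMES):
                    rel = os.path.relpath(os.path.join(root, d), ppath).replace(os.sep, "/")
                    findings.append((f"{vendor}/{pkg}", rel, rel in ignored))
                dirs[:] = sorted(set(dirs) - TEST_DIR_NAMES)  # do not descend into hits
    return findings

def demo():
    """Build a constructed vendor tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as vendor:
        for d in ("acme/validator/Tests/Fixtures", "acme/validator/Constraints",
                  "acme/model/tests", "acme/clean/src"):
            os.makedirs(os.path.join(vendor, *d.split("/")))
        with open(os.path.join(vendor, "acme", "model", ".gitattributes"), "w") as fh:
            fh.write("# constructed sample\n/tests export-ignore\n")
        open(os.path.join(vendor, "autoload.php"), "w").close()
        return audit_vendor(vendor)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

`export-ignore` only affects archives produced by `git archive`, so a directory reported with `True` was declared for exclusion but is on disk anyway, which suggests the package did not arrive as such an archive; `False` means the package itself makes no such declaration.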


[Wikidata-bugs] [Maniphest] [Commented On] T191638: Security review of symfony/validator library

2018-04-11 Thread Pablo-WMDE
Pablo-WMDE added a comment.
@Reedy If it helps we can certainly look into adding validator's /tests to .gitignore - so it does not make it onto disk.


[Wikidata-bugs] [Maniphest] [Commented On] T191638: Security review of symfony/validator library

2018-04-11 Thread Reedy
Reedy added a comment.

In T191638#4123735, @Pablo-WMDE wrote:
The test files are excluded from class map and should not be reachable by autoloading.


Doesn't stop things like happened in T180231 if the files are on disk and accessible.

It's a minor concern FWIW


[Wikidata-bugs] [Maniphest] [Commented On] T191638: Security review of symfony/validator library

2018-04-11 Thread Pablo-WMDE
Pablo-WMDE added a comment.
@Reedy We are not using the translation functionality but rather pass in/through i18n keys and translate them using MediaWiki core technology once they occur.

The test files are excluded from class map and should not be reachable by autoloading.