[Wikitech-l] Updated texvc (Math rendering) Debian packages now available

2017-01-20 Thread Legoktm 
Hi,

texvc is a OCaml program that generates PNG images for the Math
extension. Packages for Debian and Ubuntu are now available, please see
 for more
details.

This package is useful regardless of whether you are using the mediawiki
package or not - it allows you to use texvc without needing to install
the full OCaml toolchain to build it manually.

Finally, in the long term the Math extension maintainers would like to
phase out texvc in favor of the mathoid-based code. If you do use texvc
(packaged or not), your comments on
 would be appreciated.

-- Legoktm

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] [SECURITY] Math extension - shell invocation followup

2017-01-20 Thread Legoktm 
Hi,

Somewhat related, in the last MediaWiki security release, the bugs
already have CVE numbers assigned to them. Would it be possible to get
CVE ids for extension security issues in advance as well?

-- Legoktm

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

[Wikitech-l] [SECURITY] CentralAuth - Tokens & apioutput.js

2017-01-20 Thread Chad 
Hi,

This shouldn't affect very many installations as CentralAuth is very
WMF-specific but letting everyone know that a fix for CentralAuth has just
been released.

It allowed user impersonation by a combination of the apioutput.js (used
for api.php output customization) and the central auth cookie.

The bug is: https://phabricator.wikimedia.org/T144573
The gerrit change is: https://gerrit.wikimedia.org/r/#/c/16/

-Chad
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

[Wikitech-l] [SECURITY] Math extension - shell invocation followup

2017-01-20 Thread Chad 
Hi all,

In the process of the previous security release, T124940 was fixed in
core MediaWiki (it deals with unacceptably long shell inputs). There was
also a related fix in Math that I just noticed had never been released--even
thought it was disclosed (with a patch) on the task in question.

It's been published to https://gerrit.wikimedia.org/r/#/c/09/ (for
master)
and is being backported to all supported branches (1.28.x, 1.27.x, 1.23.x)

This isn't an extension we bundle in core MW which explains the oversight.

-Chad
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Map replaces GeoHack on ruwiki

2017-01-20 Thread Tim Landscheidt 
Yuri Astrakhan  wrote:

> Russian Wikipedia just replaced all of their map links in the upper right
> corner (geohack) with the  - Kartographer extension!  Moreover,
> when clicking the link, it also shows the location outline, if that object
> exists in OpenStreetMap, using corresponding Wikidata ID.  My deepest
> respect to my former Interactive Team colleagues and volunteers who have
> made it possible!  (This was community wishlist #21)

> Example - city of Salzburg (click coordinates in the upper right corner, or
> in the infobox):
> https://ru.wikipedia.org/wiki/%D0%97%D0%B0%D0%BB%D1%8C%D1%86%D0%B1%D1%83%D1%80%D0%B3

Very cool, thanks.  As GeoHack still accounts for more than
25 % of Tool Labs's traffic (about 10 requests/s) and is
maintained by three volunteers, I'd encourage other wikis to
follow the example.  (What I especially like about ruwiki's
solution is the superscript "G" link that (for example) di-
rectly opens Google Maps, thus if you are looking for satel-
lite photographs or Street View, you can omit the middleman
GeoHack/Maps.)

Tim


___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

[Wikitech-l] Discovery Weekly Update for the week starting 2017-01-16

2017-01-20 Thread Chris Koerner 
Hello,
Here are this past week's updates from the Discovery department.

== Highlights ==
* Finalized the second BM25 testing analysis and linked to the pdf here. [0]

==Search ==
* Migrated Phan for CirrusSearch to Jenkins. (technical debt) [1] [2]
* Finished writing up, summarizing, and recommending extensive changes to
TextCat for language identification. [3] Overall improvement to F0.5
accuracy was a mean of just under 5% across the corpora from nine
Wikipedias. The two worst performing corpora, from enwiki and nlwiki, each
went up around 10%! All nine are now above 90% F0.5 score. Next step is to
deploy the recommended changes. [4]
* Completed (a round of) refactoring and cleanup of Special:Search code [5]
[6]

[0] https://www.mediawiki.org/wiki/Discovery_Analysis#Past_analyses
[1] https://www.mediawiki.org/wiki/Continuous_integration/Phan
[2] https://phabricator.wikimedia.org/T153040
[3]
https://www.mediawiki.org/wiki/User:TJones_(WMF)/Notes/TextCat_Improvements#Final_Summary_.26_Recommendations
[4] https://en.wikipedia.org/wiki/F1_score
[5] https://phabricator.wikimedia.org/T150217
[6] https://phabricator.wikimedia.org/T150390



The archive of all past updates can be found on MediaWiki.org:

https://www.mediawiki.org/wiki/Discovery/Status_updates

Interested in getting involved? See tasks marked as "Easy" or "Volunteer
needed" in Phabricator.

[1] https://phabricator.wikimedia.org/maniphest/query/qW51XhCCd8.7/#R
[2] https://phabricator.wikimedia.org/maniphest/query/5KEPuEJh9TPS/#R


Yours,
Chris Koerner
Community Liaison - Discovery
Wikimedia Foundation
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

[Wikitech-l] Map replaces GeoHack on ruwiki

2017-01-20 Thread Yuri Astrakhan 
Russian Wikipedia just replaced all of their map links in the upper right
corner (geohack) with the  - Kartographer extension!  Moreover,
when clicking the link, it also shows the location outline, if that object
exists in OpenStreetMap, using corresponding Wikidata ID.  My deepest
respect to my former Interactive Team colleagues and volunteers who have
made it possible!  (This was community wishlist #21)

Example - city of Salzburg (click coordinates in the upper right corner, or
in the infobox):
https://ru.wikipedia.org/wiki/%D0%97%D0%B0%D0%BB%D1%8C%D1%86%D0%B1%D1%83%D1%80%D0%B3
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] SECURITY: Flow security fix to make sure EnableFlow is always attributed

2017-01-20 Thread Matthew Flaschen 

On 01/20/2017 05:02 PM, Matthew Flaschen wrote:

There is a security fix to ensure that EnableFlow is always properly
attributed.

This may be an issue if you see users maliciously using
Special:EnableFlow on pages that already exist.


To clarify, the page already existing is fine.  It's just that users 
were sometimes converting to Flow when it was not appropriate to do so.


Matt

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

[Wikitech-l] SECURITY: Flow security fix to make sure EnableFlow is always attributed

2017-01-20 Thread Matthew Flaschen 
There is a security fix to ensure that EnableFlow is always properly 
attributed.


This may be an issue if you see users maliciously using 
Special:EnableFlow on pages that already exist.


It should be merged shortly, but in the meantime, you can download it 
from Gerrit (https://gerrit.wikimedia.org/r/#/c/01/):


git fetch ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/Flow 
refs/changes/01/01/1 && git checkout FETCH_HEAD


Matt Flaschen

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l