Requests for security audits of large pieces of code (e.g. a review of extension prior to deployment to the Wikimedia cluster).
Read: https://www.mediawiki.org/wiki/Security/SOP/Application_Security_Reviews
Scrum: https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Security_Review_Scrum
Part of Security-Team. Workboard is tracked at secscrum.
Thanks so much!
Hi @CDanis , we took a look at this repository found minimal problems, please feel free to move forward with using OpenTelemetry!
Just quickly running semgrep supply-chain against these codebases, it found that wikimedia/service-runner@master had two dependency vulnerabilities with undetermined reachability and that wikimedia/service-template-node@master had two dependency vulnerabilities with undetermined reachability and one with confirmed reachability.
I did an initial security assessment of this service from the angle of how great the concern is around the security of the module it replaces (service-runner) and just taking an initial look at the service itself from a security perspective.
Rescinding after checking in with @acooper and clarifying that this was created out of a misunderstanding.
@Aprum is working on an new rapid assessment process that would allow us to unblock this ticket, we are hoping to get this done by next week.
Is there a target date for deployment? We are trying to decide on priority as we are developing a new process that would help us expedite tickets like this in future, but don't yet have it and are working on developing it.
Hey @mpopov when do you need this done by? We're caught a little between developing a new process that would allow us to expedite approvals like this in future, and whether we need to special case high priority tickets for now with the old or interim process which will take time away from developing the new process.
Hi @mmartorana ,
Thank you for taking the time to review this plugin! We're glad to read that it is overall in good shape. We will address the minor issues in the git history during our sprints this quarter.
<threadjack>
The requirement for some WMF team to support new extensions itself seems unnecessary and hypocritical. There are currently 61 extensions at https://www.mediawiki.org/wiki/Developers/Maintainers#MediaWiki_extensions_deployed_at_Wikimedia_Foundation with no documented steward, and probably another dozen that are in some limbo state where a team has nominal responsibility but then declares it as unsupported (like Babel for example). Audiutor (or ChessBrowser, or any of the other volunteer-written extensions that the WMF has refused to install) would be in a situation significantly better, maintenance-wise, than most WMF-run code, in having at least one person who cares.
Hey @mpopov - per the minutes from our recent quarterly review planning session, @acooper was going to follow up on this and a couple other review requests as it relates to acceptance and scheduling.
I agree.
@sbassett As you may have noticed, work on this extension stalled. We had to go the MediaWiki-extensions-Gadgets route for the initial launch, but we are planning to extensionize the code.
<threadjack>
@sbassett: I have folks on my team very eager to use this again for reporting. (I've asked them to pause until it's marked as Approved in ITS' Software Catalog.) Is there an ETA for this review?
This is a placeholder / early request. The development of this extension is only just getting started, so this review is not yet actionable at this time, but we'd like to get in the queue early. We will update this task when we have a clearer idea of when we'd like to deploy to production.
Maryum gave me a link to the previous service runner: https://github.com/wikimedia/service-runner