#wikimedia-office log

17:32:14 <andre__> #startmeeting IRC Office Hour on Phabricator
17:32:14 <wm-labs-meetbot> Meeting started Tue Jun 17 17:32:14 2014 UTC and is due to finish in 60 minutes.  The chair is andre__. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:32:14 <wm-labs-meetbot> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:32:14 <wm-labs-meetbot> The meeting name has been set to 'irc_office_hour_on_phabricator'
17:32:42 <qgil> o?
17:32:46 <qgil> o/ !
17:32:49 <andre__> heh
17:32:53 <andre__> so....
17:32:54 <JohnLewis> :p
17:32:56 <andre__> #info General info: https://www.mediawiki.org/wiki/Phabricator
17:33:21 <andre__> that's where you can find the basics of this. I won't repeat them now, as we've already covered this in previous IRC office hours. I assume you know why you're here. :P
17:33:33 <andre__> #info The high-level migration plan is at https://www.mediawiki.org/wiki/Phabricator/Plan#Migration_plan
17:33:43 <andre__> #info And planning of tasks is done via a board in the Phabricator Labs instance: http://fab.wmflabs.org/project/board/31/
17:33:58 <andre__> Let me quickly introduce the team working on this:
17:34:22 <andre__> chasemp is here for the Operations team
17:34:30 <andre__> and twentyafterfour for Development / Release Management
17:34:50 <andre__> James_F is our proxy for product management, greg-g our proxy for release management
17:34:54 <andre__> and we have more people helping and providing input, like qgil :)
17:35:09 <andre__> so what's currently cooking?
17:35:37 <andre__> twentyafterfour is working on restricting access to certain projects in http://fab.wmflabs.org/T95 , and SUL / OAuth / authentication in http://fab.wmflabs.org/T314
17:36:08 <andre__> (folks, please correct me if I'm wrong or add more info if you feel like)
17:36:12 <chasemp> since it's crickets I guess some inside baseball is ok: http://fab.wmflabs.org/T95#40
17:36:19 <andre__> heh
17:36:29 <andre__> ...and chasemp sorted out the subtasks listed in http://fab.wmflabs.org/T294 to set up the Phabricator instance (see the "Blocked by" list) and is working on them. Configuration stuff.
17:36:30 <chasemp> does anyone know if restricting access to the file attachments has been on the board?
17:36:42 <chasemp> without that I don't think we can move ahead
17:36:45 <chasemp> and I don't see it anywhere
17:37:09 <chasemp> twentyafterfour or qgil?
17:37:38 <andre__> oh yeah, we will need that for attachments in a "restricted" task (related to http://fab.wmflabs.org/T95 )
17:37:40 <chasemp> I'm guessing sensitive bug tickets get sensitive attachments, I know rt is the same
17:37:47 <andre__> but I think it's not explicitly listed in that task yet
17:38:06 <andre__> well, I wrote in T95 "but some attachments and some comments (spam or exposing private information) are also marked as private"
17:38:14 <andre__> twentyafterfour: are you around?
17:38:50 <andre__> chasemp, thanks for explicitly mentioning it again on that ticket
17:39:43 <andre__> hmm, looks like twentyafterfour isn't around. pity. so we'd have to wait for his reply on the ticket...
17:39:58 <chasemp> fwiw I looked upstream at related things
17:40:04 <chasemp> and saw no mention of hidding attachments
17:40:07 <chasemp> so it made me really wonder
17:40:16 <chasemp> as it seems non-trivial in the current scheme
17:41:24 <andre__> Thanks for investigating! I myself can't judge how complex this will be. Would love to get twentyafterfour's comment on that ticket (or later here on IRC when back)
17:42:17 <andre__> Hmm, to quickly continue with what people (well, /me, who is left) are doing:
17:42:33 <andre__> I've been mostly commenting on open tickets in the last days, plus a bit thinking and discussing tougher items
17:42:54 <andre__> For example, data migration from Bugzilla ( http://fab.wmflabs.org/T39 ) will be interesting as we have user accounts and tickets (which is a chicken and egg problem)
17:43:10 <andre__> We also aliases in Bugzilla, and URLs on wikis to Bugzilla buglists (buglist.cgi) and I don't see us trying to preserve really every URL to not break, to be realistic.
17:43:19 <andre__> There are also some bikesheddier topics like how to organize projects and iterations, whether we need a severity field, which task statuses we want etc.  Once I've made up my mind a bit more on those items I'm going to do a public call on wikitech-l for more feedback.
17:43:46 <andre__> So that's my very high-level overview how things are right now.
17:44:13 <andre__> Comments, questions, discussions, more details wanted?
17:45:37 <andre__> ...or maybe we've had so many office hours in the last months that only the "Phabricator migration" team members are left on IRC and you have no questions left? ;)
17:48:01 <chasemp> regarding file permissions
17:48:06 <chasemp> epriestly pointed me to
17:48:07 <chasemp> https://secure.phabricator.com/T4589
17:48:17 <chasemp> that may have to go up on our list
17:49:05 <andre__> uh, definitely yes
17:49:11 <andre__> thanks for finding that and investigating
17:49:18 * andre__ subscribes and adds the Wikimedia project to it
17:49:36 <andre__> I'll also mention that in our http://fab.wmflabs.org/T95
17:51:26 <andre__> No other folks with comments or questions about Phabricator around here? I'm surprised :)
17:51:53 <chasemp> silence is consent in this context?  we must be doing a bangup job
17:52:51 <andre__> consent or disinterest ;)
17:53:20 <andre__> well, maybe at this stage (after deciding to go for Phabricator) people have not that many questions anymore. Might become way more again once we know when it's going to go live
17:53:36 <parent5446> Well if they're disinterested that'll sure change once the move actually happens. :P
17:54:53 <muninn-project> "The Night is Dark and Full of Terrors" etc...
17:55:03 <andre__> parent5446: exactly. probably same with toolserver in two weeks ;)
17:56:16 <qgil_> ref silence, it is probably normal at this point
18:05:24 <twentyafterfour> andre__ I'm here sorry...
18:05:32 <andre__> twentyafterfour, heh, no problem
18:05:41 <twentyafterfour> reading bac klog
18:05:50 <andre__> twentyafterfour, basically http://fab.wmflabs.org/T95#39 (last three comments)
18:06:09 <andre__> but that discussion also takes place in #phabricator a bit, just summarized
18:10:27 <twentyafterfour> wouldn't it be enough to have the task hidden if the files couldn't be easily discovered without access to the task?
18:11:21 <chasemp> not easily discovered won't be enough for the financial data attachments
18:11:32 <andre__> twentyafterfour: but wouldn't that be more like obscurity than security? :-/
18:11:37 <chasemp> epriestly just talked a bit about this in #phabricator
18:11:46 <andre__> (dunno, I'm not a security engineer)
18:11:46 <chasemp> it seems files have object associations
18:11:59 <chasemp> the idea is for a file to be default your viewing only
18:12:06 <chasemp> and then anyone who can view an associated object
18:12:09 <chasemp> can view the file also
18:12:23 <chasemp> so it's all inherited rights other than 'author'
18:12:26 <chasemp> which is cool I think
18:13:07 <chasemp> but that depends on some in-progress work
18:13:18 <chasemp> and the API doesn't currently support security mechanisms on file uploads
18:13:32 <chasemp> he suggested using the api for tickets and then doing something more direct for files
18:13:41 <chasemp> https://secure.phabricator.com/diffusion/P/browse/master/src/applications/diffusion/controller/DiffusionBrowseFileController.php;125b8dad7bb5a06939faa122785c29230439d558$871-877
18:13:43 <twentyafterfour> chasemp: thanks for summarizing
18:14:15 <chasemp> you may be the man to build one-off file upload tool :D
18:14:22 <chasemp> dunno if that's better or extending teh api
18:14:25 <chasemp> but we'll need one of the other
18:15:01 <chasemp> my understanding is files in teh files application are only those could otherwise view also
18:15:07 <chasemp> so it's also based on these restrictions
18:15:24 <chasemp> but yeah this will be a big blocker I guess
18:15:57 <twentyafterfour> So the api is missing file policy support? we would need to add the ability to modify files' policy objects from the api?
18:16:26 <chasemp> so yes to the first question
18:16:37 <chasemp> second one, that or even just set a perms policy for upload
18:16:40 <chasemp> and then we can mass upload
18:16:55 <chasemp> and tehn associate with a ticket (the current file association via api is old and crusty)
18:17:11 <chasemp> seems upload currently has no context for this
18:17:15 <chasemp> via pi
18:17:17 <chasemp> api that is
18:17:32 <twentyafterfour> ok .. I could work on that, can you make a task and assign it to me? maybe even an upstream task would be appropriate
18:17:52 <chasemp> do you have #phabricator logged?
18:17:55 <chasemp> I can send you the convo if not
18:18:02 <chasemp> will make way more sense than my brief version
18:18:13 <chasemp> as epriestly is a better explainer of phabricator things :)
18:18:30 <twentyafterfour> yes I have #phabricator
18:19:01 <twentyafterfour> ok I'll read through it  and make the task
18:19:29 <chasemp> convo
18:19:29 <chasemp> http://fab.wmflabs.org/P8
18:19:37 <chasemp> ok cool
18:19:43 <chasemp> yeah I can make the task no problem
18:19:47 <chasemp> just unsure of which task to make
18:20:43 <twentyafterfour> I think improving the api is more useful than a one-off tool and probably not more difficult
18:20:57 <chasemp> understood, that was kind of my thought but
18:21:03 <chasemp> if I'm not doing it, whatever works is cool with me
18:21:09 <chasemp> certainly it would be more useful gonig forward
18:22:27 <andre__> should this be a separate task to tackle in fab.wmflabs.org, potentially blocking T95?
18:22:32 <andre__> just wondering how to keep an overview
18:23:19 <chasemp> honestly the structure of blockers etc there has gotten confusing with the trusted user tool stuff now in the mix there but offloaded to another instance entirely
18:23:41 <chasemp> that was my way of saying, not sure
18:25:49 <twentyafterfour> make a task that says we need secured files, and link to the upstream ticket
18:26:06 <andre__> chasemp, simply ignore the trusted user tool for the time being if things are confusing :)
18:26:08 <twentyafterfour> I have to step away from the computer for a minute, I can make the ticket when I'm back if someone doesn't beat me to it
18:26:14 <andre__> alright
18:26:20 * andre__ also needs to grab dinner soon
18:29:03 <andre__> Alright then, I'm going to close this office hour
18:29:05 <andre__> #endmeeting