[01:54:40] MediaWiki-Core-Team, Security, Patch-For-Review, Vuln-XSS: Custom JavaScript may yield privilege escalation - https://phabricator.wikimedia.org/T85855#1237337 (Verdy_p) Please don't follow the advice given in "LONG TERM SOLUTION". Custom javascripts are useful for many users that want it even if the...
[04:14:35] bd808: Kibana / Logstash is insanely slow. Do you know why? Are the new servers expected to help?
[04:15:29] answered my own question by looking at the JS console: "Uncaught RangeError: Maximum call stack size exceeded"
[04:15:38] so no, not going to get better with more hardware.
[04:16:26] Yeah. That's the whole point. :)
[04:16:44] Not sure what query you're running but the backing elasticsearch cluster is ram starved
[04:17:10] It goes into GC thrash all the time
[04:17:26] MediaWiki-Core-Team, Security, Patch-For-Review, Vuln-XSS: Custom JavaScript may yield privilege escalation - https://phabricator.wikimedia.org/T85855#1237421 (Parent5446) I'd like to note there are solutions for adding custom JS to sites outside of MediaWiki, e.g., Greasemonkey. Such solutions are...
[04:18:29] well, client-side stack exhaustion is just shitty javascript, nothing to do with the servers
[04:19:07] how do i search for parsoid log messages from the api outage?
[04:19:28] zooming out until the time resolution is wide enough is really slow
[04:33:19] * ori figured it out
[05:23:27] it's pretty powerful once you get the hang of it
[08:39:51] MediaWiki-Core-Team, Security, Patch-For-Review, Vuln-XSS: Custom JavaScript may yield privilege escalation - https://phabricator.wikimedia.org/T85855#1237632 (Verdy_p) "safer"? Not really. There are good arguments for not allowing MediaWiki sites to reference foreign scripts located outside of site...
[08:49:34] MediaWiki-Core-Team, Security, Patch-For-Review, Vuln-XSS: Custom JavaScript may yield privilege escalation - https://phabricator.wikimedia.org/T85855#1237644 (Verdy_p) Also the "client-side" proposed "LONG TERM SOLUTION" is not portable across devices (notably because it requires preinstalling the...
[09:08:51] MediaWiki-Core-Team, Security, Patch-For-Review, Vuln-XSS: Custom JavaScript may yield privilege escalation - https://phabricator.wikimedia.org/T85855#1237673 (Bawolff) >Please don't follow the advice given in "LONG TERM SOLUTION" As anomie said above, I think we're all aware that doing that would...
[14:00:35] jackmcbarn: I see Verdy p is still trolling on [[mw:Extension talk:Scribunto/Lua reference manual]], although he seems to have avoided blatantly crossing the "personal attack" line except perhaps in rev 1627547.
[14:10:18] <^d> anomie: https://gerrit.wikimedia.org/r/#/c/206804/4/Math.hooks.php
[14:12:00] ^d: Oh no, Paladox.
[14:14:33] <^d> I imagine he's trying to cast it.
[14:14:46] <^d> But even that (casting a null to an empty array) is kind of freaky :)
[14:15:58] The correct solution would be figuring out why the config global isn't an array in the installer. The extension's entry point should be giving it a sane default value.
[14:20:29] <^d> It does ;-)
[14:20:52] <^d> Default:
[14:20:52] <^d> $wgMathValidModes = array( MW_MATH_PNG, MW_MATH_SOURCE, MW_MATH_MATHML, MW_MATH_MATHJAX );
[14:21:32] <^d> if ( array( MW_MATH_LATEXML), $wgMathValidModes ) {
[14:21:38] <^d> Ok, now he's just making things up :)
[14:21:42] Paladox seems to mean well, but he seems to have difficulty either in realizing when he's wrong or in accepting corrections.
[15:37:59] ^d: https://gerrit.wikimedia.org/r/#/c/206649/
[17:49:13] hello former team
[17:51:38] ohai
[17:55:04] Core has life membership. We'll hunt you down to fix your bugs long after you're gone... >:)
[17:55:30] * csteipp might be in denial.
[18:05:35] legoktm: anybody knows when AccountMerge tool will be available?
[18:05:37] on #wikimedia-tech
[18:07:44] bd808 / csteipp: do you guys know by any chance?
[18:07:46] re accountmerge?
[18:09:27] thanks, responded
[18:15:42] thanks
[18:16:10] bd808: apart from the sluggishness kibana is pretty useful, it came in very handy last night
[18:16:21] cool
[18:16:38] hopefully it will be a bit snappier when we get the new hosts running
[18:21:58] Is there a new "reading-infrastructure-team" channel?
[18:22:56] dunno
[18:23:21] i'm happy to report that the perf team is going to try using #wikimedia-tech for team communication
[18:24:06] yay :DD
[18:24:47] <^d> I think more teams should stick to existing channels :)
[18:34:59] legoktm: Just this channel.
[18:36:04] awesome :)
[18:45:48] anomie: can you take care of backporting + deploying https://gerrit.wikimedia.org/r/206112 ?
[18:46:54] legoktm: For SWAT? I can put it on the schedule for tomorrow morning, or someone else could do it in the evening window.
[18:47:10] yeah. I think tomorrow morning should be fine
[19:05:11] * anomie gets sick of trying to get actual answers on T88393 and just submits https://gerrit.wikimedia.org/r/#/c/206865/ to see if anyone -1s.
[19:37:06] anomie: i don't see anything even close to a personal attack on 1627547. are you sure that's the right revision?
[19:40:15] jackmcbarn: "but you only see your own immediate interest", asserting again that I'm acting in bad faith. As I said, "perhaps".
[19:42:39] anomie: that's not in that diff
[19:43:34] jackmcbarn: D'oh. https://www.mediawiki.org/w/index.php?title=Extension_talk:Scribunto/Lua_reference_manual&diff=next&oldid=1627547, which is actually revision 1627549.
[19:43:46] stupid "diff=next" ;)
[19:44:56] hmm, yeah, now i see what you mean. i'd say he's hanging by a thread. i'll give him a final warning on his talk page that his next transgression will be a block
[19:48:25] legoktm, https://gerrit.wikimedia.org/r/#/c/206881/
[19:48:48] Sounds good, although I'll guess that he'll keep on with writing TL;DR rants based on essential misunderstandings on his part.
[20:05:40] AaronSchulz: https://gerrit.wikimedia.org/r/#/c/206886/
[20:09:51] * anomie is inclined to +2 https://gerrit.wikimedia.org/r/#/c/195088/ since no extension that's actually in Gerrit would be broken anymore (there is one that pretends to be in Gerrit but really isn't, so IMO it shouldn't expect special consideration)
[20:14:24] legoktm, NOT_REGISTERED?
[20:14:27] * AaronSchulz sighs
[20:14:36] AaronSchulz: jenkins is restarting
[20:16:34] legoktm, https://gerrit.wikimedia.org/r/#/c/206913/1/includes/db/LoadMonitor.php is funny
[20:16:42] * AaronSchulz keeps finding stuff in passing to do other stuff
[20:19:19] heh
[20:23:04] legoktm, https://gerrit.wikimedia.org/r/#/c/206646/
[20:33:16] aude, does anything use CachingSiteStore? where is it constructed?
[20:33:27] * AaronSchulz tries to figure where BagOStuff comes from
[20:54:21] PlaceOOrigin
[21:31:05] legoktm, https://gerrit.wikimedia.org/r/#/c/206962/ trivial helper
[21:39:56] AaronSchulz: so by default the WAN cache will use no caching at all? would it make sense to use whatever $wgMainCacheType is by default so people only have to configure one setting to use memcache or apc?
[21:40:22] setup.php does that
[21:41:09] $wgMainWANCache = CACHE_NONE;
[21:41:19] if ( $wgMainWANCache === false ) {
[21:41:35] CACHE_NONE is 0
[21:44:15] legoktm, pretty sure <<$wgMainWANCache = CACHE_NONE;>> should be false instead
[21:44:34] that was explicit CACHE_NONE is respected
[21:44:52] *that way
[21:45:02] ah alright. submitting a patch
[21:46:02] me too ;)
[21:46:20] legoktm, https://gerrit.wikimedia.org/r/#/c/206969/
[21:47:13] pretty sure that commit was first lost messing around with vagrant/git breakage so the second time I did it I was hasty and very annoyed by then
[21:47:50] needs docs
[22:07:26] legoktm, amended
[22:20:58] is anyone available to help with SecurePoll FDC and Board elections?
[22:29:02] TimStarling: what sort of help?
[22:29:45] code review, setting up the elections on votewiki/metawiki
[22:48:59] TimStarling: sure, put me down.
[23:07:42] are all local users now attached to CentralAuth?
[23:09:34] Not yet
[23:09:56] ok