[00:42:19] ostriches: does git-review -s work on MobileFrontend for you? It just hangs and fails on 'git remote update gerrit' [00:54:05] omg, core team (RIP) is working on MobileFrontend> [01:35:19] cloning it again just hangs with 0kps [01:35:22] * AaronSchulz sighs [01:46:36] bugs are normally closed when the fix is merged to master, right? [01:48:03] unless the bug specifically is about prod or super urgent, then yes [18:27:33] bd808: yay, stacktraces for exceptions :) [21:11:06] Hey anomie, is there any documentation on the right way to do the form cloner stuff you put into htmlform? [21:12:43] https://phabricator.wikimedia.org/diffusion/ECAU/browse/master/includes/specials/SpecialGlobalUserMerge.php;dc49f64990d3239317a564f48ab2f06a6a0471bd$54 uses it [21:13:49] Thank legoktm... I'll see if I can go backwards from there. [22:06:01] robla: https://github.com/webplatform/mediawiki-conversion -- convert a wiki to a git repo of markdown pages with revision history [22:06:11] a git dump format :) [22:14:19] * robla looks [22:15:54] interesting.... https://github.com/renoirb I was just bringing up W3C earlier today, because I think they have really good note taking discipline [22:16:24] * robla thinks we shoudl get him to the Dev Summit [22:16:35] I'm in a PM with him right now :) [22:17:15] He shows up and asks questions now and then. Ryan use to help him with stuff [22:17:51] bd808: which channels is he on? [22:18:20] -ops -labs -dev and mw [22:53:25] James_F: Do you have a list of all the Editing teams in phab? I.e., if I want to tag a security bug with an editing team, which tags I should chose.. [22:54:30] csteipp: https://phabricator.wikimedia.org/project/profile/70/ [22:55:02] csteipp: But RoanKattouw can explain why the Collaboration team tag is now called "Collaboration-Team-Backlog". [22:55:17] It's because we also have Collaboration-Team-Current [22:55:27] But please put things in -backlog [22:55:36] Maybe we should rename that to Collaboration-Team [22:55:38] *shrug* [22:55:57] James_F: As the PM, would you like me to just tag things with #editing? (except for collaboration stuff)? [22:56:20] Not sure if you want me to tag language, parsing, etc individually.. [22:56:22] csteipp: #Editing will get no visibility, so no. :-) [22:56:29] csteipp: Is this an all-teams issue? [22:56:51] James_F: No, I'm tagging old security bugs with teams I hope will work on them [22:56:55] RoanKattouw: s/rename/un-rename/ :-) [22:57:12] csteipp: Ah. Then please parcel it out to which team you think owns it (or ask me to do so). [23:32:53] I'm still boggling at ori's comment on https://gerrit.wikimedia.org/r/#/c/235670/2/includes/tidy/Html5Depurate.php,unified after a few minutes [23:33:00] the first of those two comments [23:33:54] someone please tell me he is totally right and that is a useful thing to be saying in code review [23:35:52] Do we authenticate to any other internal services other than redis? [23:38:40] the question is whether the client authenticates the server [23:39:15] with redis, if another user steals the unprivileged port, they will immediately see AUTH requests with the password in plaintext [23:39:52] so the client does not authenticate the server in that case [23:40:10] and a local attack can cause a lot of damage that way, by triggering a restart in redis somehow and then stealing the port [23:40:13] same with mysql [23:40:31] pretty much no service is protected against such an attack [23:42:43] but the idea that html5depurate would be the highest value target for such an escalation... [23:43:21] I mean, if you have unprivileged local shell execution, you can just overwrite the user object cache in memcached and make yourself a steward [23:43:35] he is just trolling me, I think [23:43:45] Square does client-auth'ed TLS to all services. But yeah, we're a long ways from that.