[00:00:11] <csteipp>	 Yeah, I was trying to figure out exactly what it's doing. Actually, it may just be doing json.load() on what it gets from redis.
[00:00:48] <MatmaRex>	 celery? pickles? i'm getting hungry.
[00:01:16] <csteipp>	 dapatrick: Have you ever seen json.load() exploited? It looks like it can load objects, but I've never played with it much. Not sure if it suffers from the same issues as php unserialize.
[00:01:53] <csteipp>	 Just in the event someone shoves arbitrary json in redis that ores then calls json.load on.
[00:03:22] <legoktm>	 Python's json.load() shouldn't execute anything...
[00:03:53] <dapatrick>	 csteipp: I have not, no. Except for the case that, say, malicious markup has been added to a member and then is used without proper escaping.
[00:04:25] <dapatrick>	 json.load should adhere to the JSON spec (json.org) which does not provide code execution.
[00:04:29] <dapatrick>	 As far as I know.
[00:04:59] <csteipp>	 Cool. I figured it *shouldn't*, but I didn't want to be wrong :)
[00:05:23] <dapatrick>	 It's basically handling an object that has properties, but no methods - instance or static.
[00:17:40] <bd808>	 ori: can you add a gravatar for packagist-admin+mediawiki@wikimedia.org ? That's the account on packagist for MediaWiki
[00:17:41] <tgr>	 bd808: can you review https://gerrit.wikimedia.org/r/#/c/249936/ ? (trivial)
[00:19:04] <bd808>	 tgr: {{done}}
[00:27:09] <ori>	 bd808: who gets those emails?
[00:27:23] <bd808>	 I think I do
[00:27:28] <ori>	 in other words, if i add it to the main wmf gravatar account, will you be able to confirm?
[00:27:28] <bd808>	 an maybe hashar
[00:27:28] <ori>	 cool
[00:27:55] <ori>	 "We've sent an email to packagist-admin+mediawiki@wikimedia.org."
[00:29:00] <bd808>	 hrmmm... not here yet
[00:29:07] * bd808 hits relaod obsessibely
[00:29:14] <bd808>	 *obsessively
[00:31:30] <bd808>	 darn. It's not here which makes me think it won't be coming
[00:31:48] <bd808>	 I wonder if our forwards for that are broken?
[00:33:14] <bd808>	 I do have a couple emails for that account from July, but none since
[00:40:31] <ori>	 i can check the forward settings in the private repo
[00:40:35] <ori>	 if it's defined there
[00:42:06] <TimStarling>	 AaronSchulz: is it possible to use SwiftFileBackend to store files in S3?
[00:43:23] <AaronSchulz>	 TimStarling: no, but there is an S3 backend in the AWS extension
[00:44:16] <AaronSchulz>	 the s3 api SwiftFileBackend uses is the one for temp files if radosgw is being used (though it probably doesn't need to do that anymore since ceph supports swift temp urls now)
[00:44:23] <AaronSchulz>	 *the only s3
[00:45:02] <TimStarling>	 right, thanks
[00:45:57] <ori>	 bd808: packagist-admin should go to you
[00:46:05] <TimStarling>	 I need to set up a little MW instance for a linux user group
[00:46:41] <TimStarling>	 which would be too boring if I didn't do some kind of AWS integration experiment while I'm at it ;)
[00:49:04] <bd808>	 ori: huh. I still haven't gotten a gravatar email. If it ever shows up I'll forward it to you to confirm
[00:49:26] <ori>	 let's try without the +suffix
[00:49:35] <bd808>	 that's the other account
[00:49:41] <bd808>	 we already have it hooked up
[00:49:49] <ori>	 oh, right
[00:50:33] <bd808>	 the + stuff was just because packagist won't let you have two accounts with the same email
[00:52:36] <ori>	 http://i.imgur.com/RR57tXK.png
[00:55:17] <AaronSchulz>	 TimStarling: also, there is an amazon jobqueue afaik and you can use the s3 backend plus ExternalStoreMwstore to put text in amazon...if you really want to have fun ;)
[00:56:16] <bd808>	 ori: mx1001 is bouncing the address
[00:56:41] <bd808>	 "550 Address packagist-admin+mediawiki@wikimedia.org does not exist"
[00:57:15] <bd808>	 In june it worked
[00:57:36] <TimStarling>	 mmm, plenty of fun to be had
[01:00:21] <ori>	 bd808: it depends on some config settings, maybe they got changed: https://wiki.debian.org/Exim#Email_sub-addressing_.28plus-signs_as_in_Gmail.29
[01:01:17] <bd808>	 *nod* I'll file a phab task
[01:02:31] <ori>	 nah, hang on
[01:03:43] <ori>	 ok yeah, phab task
[01:03:50] <ori>	 i looked at the exim config files and they look like ascii art
[01:03:51] <ori>	 not touching that
[01:04:03] <bd808>	 ori: heh. it may never have worked actually. The only emails I have with that address in the To also have the plain address
[01:10:13] <bd808>	 I never learned exim. I was a sendmail m4 champ at some point in the late 90's
[01:20:18] <ori>	 bd808: i tried to get the confirmation address with tcpdump but mx1001 shuts down the connection before the data is received :P
[01:20:53] <bd808>	 Heroic
[01:47:07] <AaronSchulz>	 if only I had mysql 5.6 I could set delayed replication
[01:47:17] <AaronSchulz>	 now that's a really good way to test stuff
[01:47:42] <AaronSchulz>	 sadly not in mariadb yet
[01:54:31] <ori>	 TimStarling: https://grafana.wikimedia.org/dashboard/db/scribunto
[01:55:17] <TimStarling>	 good stuff
[01:55:28] <TimStarling>	 looks like you need the wiki ID though
[01:55:53] <ori>	 yeah
[02:02:14] <ori>	 https://gerrit.wikimedia.org/r/#/c/249945/ adds that
[02:21:18] <TimStarling>	 yeah, do what Aaron says
[02:41:40] <ori>	 I always do
[02:41:46] <ori>	 actually, not always
[02:41:48] <ori>	 but usually
[04:24:53] <ori>	 what is the point of something like https://commons.wikimedia.org/wiki/Module:ForLoop ?
[04:34:06] <legoktm>	 https://commons.wikimedia.org/wiki/Template:For
[04:34:18] <legoktm>	 https://commons.wikimedia.org/w/index.php?title=Template%3AFor&type=revision&diff=161971721&oldid=21258250
[04:35:25] <ori>	 i just figured it'd be easier to use, you know, an actual for loop
[04:35:41] <legoktm>	 https://commons.wikimedia.org/w/index.php?title=Template:Facts/Berlin&action=edit
[04:36:33] <legoktm>	 Someone probably wrote the {{for}} template in ParserFunctions first, and no one has bothered to port things that use it to Lua
[15:26:07] <bd808>	 legoktm: I have 3 PRs for composer-merge-plugin that I think finish out 1.3.0. One is up now and the other two chain on to it
[16:58:17] <ori>	 could you always see commit messages by hovering over sha1 / file entries in github, or is that new?
[16:59:57] <ori>	 http://i.imgur.com/MCHMQMA.png
[17:00:08] <ori>	 kinda handy, if it was there before i hadn't noticed it
[17:03:21] <hoo>	 Think that's been there for a while at least
[17:05:02] <ori>	 hmm, odd!
[17:36:46] <ori>	 ostriches: https://gerrit.wikimedia.org/r/#/c/250044/ :)
[17:38:46] <ostriches>	 We already did that in scap I thought
[17:38:58] <ostriches>	 What was still calling refreshWikiVersionsCDB?
[17:39:32] <ori>	 ostriches: nothing, it's just doc changes really
[17:39:45] <ostriches>	 What's the new refreshWikiversions for?
[17:40:16] <ori>	 oh wait, i linked to the wrong patchset, heh
[17:40:31] <ori>	 though we should discuss that one as well
[17:40:43] <ori>	 so https://gerrit.wikimedia.org/r/#/c/250043/ is the doc changes
[17:40:53] <ori>	 as to what is calling refreshWikiVersionsCDB -- dunno! AFAIK it is always done in scap now
[17:41:13] <ostriches>	 +2 on doc changes
[17:41:19] <ori>	 it was building both cdb and php so it does technically work
[17:41:29] <ori>	 i dropped the 'CDB' from the name and the CDB-building code
[17:41:32] <ostriches>	 (also we're using differential now :))
[17:41:48] <ori>	 oh coooooool!
[17:41:50] <ori>	 can i see?
[17:42:07] <ostriches>	 eg: https://phabricator.wikimedia.org/D17
[17:42:11] <bd808>	 ostriches: I was wanting to talk to you about differential. I should probably send an email to releng
[17:42:21] <ori>	 wanttttttt
[17:42:31] <bd808>	 I want to figure out if you are ready for some more testers
[17:42:46] <ostriches>	 Sure. It's currently best for things that are pretty self-contained.
[17:42:55] <bd808>	 I'm sick of trying to manage code review for composer-merge-plugin on github
[17:43:16] <ori>	 so what do you guys think about keeping refreshWikiVersions ? the fact that it has to be kept in sync with scap is a source of potential bugs, imo
[17:43:16] <bd808>	 I'd like to try and make it work like facebook/hhvm does
[17:43:30] <ostriches>	 ori: That was going to be my next comment :p
[17:43:39] <chasemp>	 bd808: what is the facebook/hhvm model?
[17:43:55] <ori>	 chasemp: a bot automatically imports pull requests into differential
[17:44:01] <bd808>	 ^ that
[17:44:10] <ori>	 and then closes the PR when it gets merged or rejected there
[17:44:13] <chasemp>	 gotcha, ok yeah upstream phab used that for a long time
[17:44:23] <chasemp>	 I think now they just bounce them and say go here 
[17:44:50] <bd808>	 so you get the ease of people starting with github PRs but the sanity of differential for the actual review
[17:45:24] <bd808>	 The facebook bot even picks up force push changes to the orignal PR and updates differential
[17:45:53] <chasemp>	 interesting and dangerous maybe :)
[17:46:48] <bd808>	 I've been driving legoktm mad with PRs that depend on other PRs so I can only show him one at a time for review
[17:47:03] <bd808>	 because github can't do chained PRs
[17:47:27] <chasemp>	 lacking on diff now is CI for sure but if it's all on gh anyway I guess moot point
[17:48:14] <bd808>	 yeah the CI bit I would like to have, but my CI is travis so maybe easier to figure out how to hack
[17:48:24] <bd808>	 maybe not though *shrug*
[17:49:12] <bd808>	 all the tests are just `composer test` so at least it is completely locally testable by the reviewer
[17:49:35] <chasemp>	 harbormaster/drydock beta can basicaly do one thing intelligents and that's call out to soemthing else to run tests
[17:49:45] <chasemp>	 but idk where releng is on the spectrum for wanting to support it
[17:58:03] <bd808>	 travis-ci has so far punted on phab integration -- https://github.com/travis-ci/travis-ci/issues/2143
[17:58:42] <bd808>	 there is at least one guy with a hack though -- https://github.com/travis-ci/travis-ci/issues/2143#issuecomment-62001436
[17:59:43] <bd808>	 and som arcanist wizardry -- https://github.com/zerodiff/traphic
[18:00:24] <chasemp>	 "In hindsight, I should have written these scripts in PHP instead of Bash, but such is life." :)
[18:00:34] <legoktm>	 have you seen cscott's npm-travis integration thing?
[18:01:20] <bd808>	 yeah. it would be pretty much the same deal
[18:02:11] <bd808>	 and the import to differential might be a pretty easy webhook posting from github to a tool in labs
[18:02:16] <chasemp>	 how does travis-ci stay sustainable? do they charge at some threshold?
[18:02:38] <bd808>	 they sell a hosted service for private repos
[18:03:07] <bd808>	 https://travis-ci.com/
[18:05:07] <bd808>	 I think their next step vision is selling as an EC2 "appliance" -- https://enterprise.travis-ci.com/
[18:06:01] <chasemp>	 I mean if you wanted to be really silly you could totally make a local linter that pushed to github and waited before updating diffusion
[18:06:13] <chasemp>	 which is not far off from what ppl are doing
[18:06:28] <chasemp>	 but would at least slide back into the normal flow and make the diff more complete
[18:06:32] <bd808>	 that's what the npm-travis thing legoktm mentioned does
[18:06:58] <bd808>	 OCG uses it from jenkins to post a branch to github and then let travis run tests
[18:07:51] <chasemp>	 oh neat then I didn't see the details of that
[18:08:30] <chasemp>	 curious do you use travis-ci because it's on github and so easy or do you use github becaues it has travis-ci? 
[18:08:47] <bd808>	 for this project, the first one
[18:09:11] <bd808>	 I hosted it on github to try and attract 3rd party devs to give patches
[18:09:22] <bd808>	 which has actually worked to some extent
[18:09:39] <bd808>	 and travis is really *the* CI for public github repos
[18:14:06] <chasemp>	 I've used https://landscape.io/...but it's python specific :)
[18:18:38] <legoktm>	 bd808: merged
[18:19:28] <bd808>	 legoktm: the next one is ready :) https://github.com/wikimedia/composer-merge-plugin/pull/89
[18:20:10] <bd808>	 webflo said he tested it and it did what he was hoping for.