[00:48:25] <anomie>	 tgr: Hmm. https://grafana.wikimedia.org/dashboard/db/authentication-metrics?panelId=9&fullscreen looks worrying at first, but https://en.wikipedia.org/wiki/Special:Log/newusers tells me it's just the graph is broken somehow.
[00:53:10] <legoktm>	 an hour and a half later... https://i.imgur.com/Owg9GVS.png :D
[00:57:33] <tgr>	 anomie: ouch
[00:57:51] <tgr>	 could I have simply forgotten to add that? I don't see any logging code
[00:59:57] <tgr>	 anomie: btw, https://logstash.wikimedia.org/#dashboard/temp/AVU30htfivsygkP39w-o might be AuthManager-related (or not; sure would be nice to have stack traces)
[01:01:34] <anomie>	 Seems unlikely, that function is a hook for APIEditBeforeSave and EditFilterMergedContent hooks.
[01:06:00] <tgr>	 anomie: oh, I'm using authmanager-stats as the channel name for the login/signup events and authmanager for the rest
[01:10:15] <bd808>	 half changed log channels :)
[01:11:10] <tgr>	 the other half of the change would be https://gerrit.wikimedia.org/r/#/c/289775/1/includes/AuthManagerStatsdHandler.php but there it's called authmanager-stats
[01:11:46] <tgr>	 um, authevents
[01:54:59] <tgr>	 the account creation stats don't seem to be recovering :(
[01:55:43] <tgr>	 and for account creation the api stats seem broken as well
[01:56:00] <tgr>	 it's too late for me to try to figure that one out, though
[01:56:41] <tgr>	 the missing index warnings did disappear, at least
[01:57:50] <ori>	 are people actually unable to sign up?
[01:58:00] <ori>	 or is it just that we think the instrumentation is broken somehow?
[02:05:14] <bd808>	 ori: I made an account no problem -- https://en.wikipedia.org/wiki/User:Bd808-test-post-authmanager
[03:43:08] <ori>	 I wonder why the metrics are off, then
[03:52:34] <AaronSchulz>	 TimStarling: any reason why 'revisionsize' triggers setFlag( 'vary-revision' )?
[03:54:06] <TimStarling>	 there's a revisionsize?
[03:54:30] * TimStarling updates
[04:05:15] <AaronSchulz>	 ori: I always hated those, I suspect it's a huge reason for the 35% uncacheable stashes
[04:08:33] <ori>	 maybe revisions expand and contract with changes to humidity and temperature, like wood
[04:08:44] <AaronSchulz>	 stashing REVISIONDAY/REVISIONMONTH could be smarter about the using ttl for those and check alignment...though it would need to know which magic was used (e.g. id/timestamp won't work)
[04:09:47] <AaronSchulz>	 ori: any idea how often 'revisionid' is used? It doesn't seem vary useful to the end-user, though I imagine bizzare uses are spread out everywhere
[04:10:00] * AaronSchulz keeps hearing the "fractal of a bad design" phrase in his head
[04:11:12] <bd808>	 AaronSchulz: I prefer "MediaWiki is all edge cases"
[04:12:32] <ori>	 speaking of fractals and edges, https://en.wikipedia.org/wiki/Coastline_paradox
[04:20:35] <ori>	 AaronSchulz: this often: https://dpaste.de/NfHh/raw
[04:21:02] <ori>	 that's NS 0 across WMF
[04:21:45] <ori>	 most of them are about the feature
[04:27:14] <AaronSchulz>	 ori: https://gerrit.wikimedia.org/r/#/c/293677/1  btw
[04:27:53] <ori>	 what do you want to do about REVISIONID, though? instead of removing it outright, you could convert it into some fixed number or the previous revision's ID
[04:29:17] <AaronSchulz>	 too bad it wasn't just armored and done in post-processing
[04:29:35] <AaronSchulz>	 this would limit what template could do (e.g. using a template based on the ID value), but it could still be displayed
[04:31:24] <ori>	 too bad it was done at all!
[04:36:40] <TimStarling>	 oh ok, there's a revisionsize variable but no CoreParserFunction
[04:37:50] <AaronSchulz>	 } elseif ( $this->ot['wiki'] || $this->mOptions->getIsPreview() ) {
[04:38:03] <TimStarling>	 yeah, it's trying hard
[04:38:21] <TimStarling>	 if it does actually manage to not change after the page is saved, then it doesn't need vary-revision
[04:38:25] <AaronSchulz>	 TimStarling: why does the output type matter? It seems to use null for the prepareContentForEdit() parse
[04:39:29] <TimStarling>	 because {{subst:revisionsize}} is meant to do something in particular, I guess
[04:39:58] <AaronSchulz>	 yeah I'm thinking about subst...which I'm not even sure how that works
[04:40:13] <AaronSchulz>	 maybe it picks a number such that when shown, the final size is correct ;)
[04:41:20] * AaronSchulz stares down the fractals
[04:41:49] <TimStarling>	 you could just have it return mInputSize unconditionally, then it wouldn't need vary-revision
[04:42:06] <TimStarling>	 and it would always be efficient, and editors would be able to understand what it is meant to do
[04:42:09] <AaronSchulz>	 I'm trying to think if that would break anything, but doing that makes stashing work with vary off
[04:42:17] <AaronSchulz>	 which is nice
[04:42:55] <TimStarling>	 I can imagine changing {{REVISIONID}} would break things, but {{REVISIONSIZE}}?
[04:43:09] <TimStarling>	 it's not like we run the parser on the Content-Length header
[04:43:40] <TimStarling>	 Content-Length: {{REVISIONSIZE}}
[04:44:09] <TimStarling>	 Last-Modified: {{#time:r}}
[04:44:34] * AaronSchulz waits for ori to find the user JS proving Tim wrong ;)
[04:55:09] <AaronSchulz>	 https://en.wikipedia.org/w/index.php?title=Special:Search&limit=20&offset=20&ns10=1&search=%7B%7BREVISIONUSER%7D%7D&searchToken=53bqeqruqosxvrqpv2peqnjtz
[04:55:10] <AaronSchulz>	 hehe
[05:54:03] <ori>	 why don't we make the advanced search interface the default interface for Special:Search?
[05:55:27] <ori>	 if you click on the magnifying glass, you get redirected to https://en.wikipedia.org/w/index.php?search=&title=Special%3ASearch&go=Go
[05:55:52] <ori>	 that's not very useful, it's just a bigger input box and a bigger magnifying glass
[06:12:33] <ori>	 easy change, https://gerrit.wikimedia.org/r/293682
[11:17:39] <tgr>	 ori: metrics should be fixed
[11:18:07] <tgr>	 anomie: API account creations are still at zero
[11:18:19] <tgr>	 I guess that just means no one is using the new API yet
[11:18:47] <tgr>	 and trying to use the old one is a parameter error, not an account creation error, and that's not recorded anywhere
[11:19:23] <tgr>	 it would be worth tracking, though, in case some client gets in a loop like it happened in the past
[13:12:08] <anomie>	 tgr: It looks like we're actually getting a fair number of hits to the new action=createaccount. Mobile apps would be my guess. But there's no logging to your 'authmanager' channel in ApiAMCreateAccount, or ApiClientLogin.
[13:12:50] <tgr>	 I'll add that later
[16:26:07] <dr0ptp4kt>	 tgr: bd808 i moved the meeting to about 4 hours from now. did it come through? that time work for you?
[16:26:22] <bd808>	 dr0ptp4kt: yup
[16:33:55] <tgr>	 dr0ptp4kt: bd808: half an hour earlier would be even better if it's all the same for you two, but this time works too
[16:34:23] <dr0ptp4kt>	 tgr: i'll see if i can get other meetings moved cc bd808 
[16:34:34] <bd808>	 I'm open all afternoon so whatever works for the tow of you is fine
[16:34:37] <dr0ptp4kt>	 tgr: ...so that i can move it that 30 minutes earlier
[16:34:38] <bd808>	 *two
[16:34:47] <tgr>	 dr0ptp4kt: do'nt worry about it if it's complicated
[18:05:55] <MaxSem>	 okay, end of days. need to disable mbstring :P
[19:17:08] <ori>	 itshappening.gif
[19:36:34] <ostriches>	 ugh https://gerrit.wikimedia.org/r/#/c/280945/ doesn't backport to 1.27 clean
[19:36:38] <ostriches>	 sadface.gif
[19:46:22] <legoktm>	 anomie, tgr: is $wgGrantPermissionGroups something that extensions should be setting? I'm adding $wgGrantPermissions support to extension.json right now, not sure if I also need to add the groups one
[19:47:19] <tgr>	 ostriches: pretty sure it wouldn't merge clean on master either
[19:47:26] <ostriches>	 Nope :)
[19:47:27] <tgr>	 I was just getting to that
[19:48:38] <tgr>	 legoktm: in the unlikely case that an extension creates a new grant that doesn't fit in any of the existing groups
[19:50:28] <legoktm>	 ok
[19:52:38] <anomie>	 legoktm: Yes, an extension may add entries to $wgGrandPermissionGroups.
[19:59:29] <tgr>	 oh, yeah, anomie us right, any extension that creates a new grant will need that
[19:59:35] <tgr>	 checkuser for example
[20:00:13] <tgr>	 ostriches: gotta run for a meeting, if the backport is urgent, anomie can probably help
[20:01:00] <tgr>	 it's going to have a massive amount of conflicts plus you'd need to grep for all new instances of DisableAuthManager that have been added since that patch was last updated; there are a few
[20:01:50] * anomie starts working on it
[20:04:40] <ostriches>	 The hope had been rc.1 this afternoon
[20:12:41] <legoktm>	 anomie, tgr: thanks, https://gerrit.wikimedia.org/r/293806
[20:21:21] <anomie>	 ostriches: https://gerrit.wikimedia.org/r/293872
[20:23:42] <ostriches>	 +2 on parent, will let jenkins do its thing then will +2 that too
[20:25:05] <ostriches>	 Krinkle: Hiiii https://phabricator.wikimedia.org/T131318#2372793 :)
[20:33:43] <ostriches>	 legoktm: https://gerrit.wikimedia.org/r/#/c/293874/ :)
[20:36:23] <legoktm>	 ostriches: doesn't seem to fix it for me...?
[20:36:56] <legoktm>	 https://paste.fedoraproject.org/377321/55910101/raw/
[20:37:08] <ostriches>	 It finds "Different parameter count: TitleIsCssOrJsPage: Doc: 2 vs. Code: 3" for me
[20:37:11] <ostriches>	 which it didn't before
[20:37:39] <legoktm>	 		Hooks::run( 'TitleIsCssOrJsPage', [ $this, &$isCssOrJsPage ], '1.25' );
[20:38:09] <ostriches>	 Hmm, so it did something
[20:38:10] <legoktm>	 maybe it's interpreting the 1.25 as a parameter? regex is really not one of my strong points :/
[20:38:10] <ostriches>	 Lol
[20:38:21] <ostriches>	 We should use tokenizer
[20:39:25] <legoktm>	 sounds good to me :D
[20:40:49] <ostriches>	 https://gerrit.wikimedia.org/r/#/c/293751/ was trivial, found it earlier
[20:41:30] <legoktm>	 ostriches: need to remove the if ( $sort ) ... :P
[20:42:34] <ostriches>	 one sec
[21:16:25] <ostriches>	 legoktm: We should also fix this thing so it can tell when a hook's been properly deprecated/removed.
[21:16:44] <ostriches>	 "Documented and not found" is fairly useless when it's supposed to be gone :p
[21:38:42] <ori>	 dapatrick: have you seen https://www.helpnetsecurity.com/2016/06/10/mozilla-will-fund-code-audits/ ?
[21:39:02] <Reedy>	 ori: Anyone can edit wikipedia. Can have money?
[21:39:23] <ostriches>	 legoktm: Ugh, playing with tokens is a rabbit hole :p
[21:39:38] <ori>	 tl;dr: Mozilla will pay for a professional security firm to audit the codebase and will help implementing fixes
[21:39:42] <ori>	 "Projects that want Mozilla’s help must be open source/free software and must be actively maintained, but they have a much better probability to being chosen if the software is commonly used and is vital to the continued functioning of the Internet or the Web."
[21:39:52] <ori>	 I think MediaWiki qualifies
[21:51:54] <legoktm>	 ostriches: if the hook was removed, the docs should be too :P
[21:53:09] <ostriches>	 Probably :p
[21:53:53] <Reedy>	 ori: Must be worth a punt
[21:54:01] <ori>	 yeah
[21:56:39] <Reedy>	 Phile a security team ish task?
[21:57:12] <Reedy>	 Actually, I will
[21:57:56] <ori>	 <3
[21:58:14] <Reedy>	 I could just fill out the google doc too
[21:58:25] <Reedy>	 One step at a time, give something to point people at
[22:00:39] * ori points people at Reedy
[22:01:39] <Reedy>	 Project website: *
[22:01:39] <Reedy>	 This needs to be somewhere we can obtain the source code.
[22:01:42] * Reedy squints
[22:04:19] <Reedy>	 "Has the project had a security source code audit before? If so, when and how extensively? *"
[22:04:30] <Reedy>	 I think we have, ish?
[22:07:39] <legoktm>	 there was one last year?
[22:08:37] <Reedy>	 I found https://www.mediawiki.org/wiki/Security_auditing_and_response
[22:09:06] <Reedy>	 https://phabricator.wikimedia.org/tag/security-reviews/
[22:09:32] <Reedy>	 I suspect it's not a big issue
[22:10:22] <legoktm>	 Reedy: https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Check/iSEC_Assessment_2014
[22:10:26] <Reedy>	 <3
[22:12:05] <Reedy>	 Submitted
[22:17:17] <ostriches>	 Hmm https://phabricator.wikimedia.org/project/view/1261/
[22:17:44] <ostriches>	 1 maybe fixed, 1 backported (but open until release), 1 installer bug, 1 maint script bug, 1 tracking issue.
[22:18:06] <ostriches>	 MaxSem: You almost got a patch for mbstring fun?
[22:18:30] <MaxSem>	 ostriches, in progress
[22:19:32] <ostriches>	 Thx!
[22:29:42] <dapatrick>	 ori, Reedy: I did see it, yes.
[22:30:22] <Krinkle>	 ostriches: I'll check it out on Sunday or first thing Monday.
[22:30:48] <ostriches>	 Ok thx
[22:31:21] <ostriches>	 Ok, if we get a patch in for the installer I think that can make an rc.1
[22:31:25] <dapatrick>	 Reedy, you submitted MediaWiki for this MOSS program?
[22:31:34] <Reedy>	 Yup :)
[22:32:31] <dapatrick>	 Do you have a copy of your form submission?
[22:33:06] <Reedy>	 I can get one
[22:33:07] <Reedy>	 And I can edit it
[22:34:39] <dapatrick>	 Reedy, Did you happen to run it by Legal (who's supported prior audit activity) or anyone else on any other teams?
[22:35:06] <Reedy>	 Nope
[22:35:19] <Reedy>	 Well, the perf team (ala ori) agreed on the idea
[22:35:31] <Reedy>	 Not sure it matters too much about legal, unless they're targetting Wikipedia et al
[22:35:42] <Reedy>	 MW code is free for anyone to access
[22:37:18] <Reedy>	 Can't stop them doing it on their own installs
[22:39:13] <dapatrick>	 Reedy Right. I'm aware.
[22:53:52] <ori>	 err, I supported filing a task with the security team
[22:54:01] <ori>	 not submitting it without their review
[23:18:10] <ostriches>	 I don't see a need in an rc.1 today :\
[23:18:19] <ostriches>	 It's already going on 5pm on the west coast.
[23:18:24] <ostriches>	 Who's gonna really use it over the weekend?
[23:19:07] <MaxSem>	 NURDS!
[23:26:55] <ostriches>	 peace out nurds, i'm gonna start my weekend.
[23:28:05] <legoktm>	 ostriches: I would have :P
[23:28:09] <legoktm>	 enjoy your weekend though :)
[23:28:35] <ostriches>	 There's branches 😁
[23:28:42] <ostriches>	 I could tag it I suppose
[23:28:47] <ostriches>	 Compromise?
[23:29:23] <legoktm>	 nah, the debian thing is set up to auto-download tarballs from releases.wm.o. don't worry about it, monday is fine :) it would just have shut up a bunch of warnings
[23:30:27] <ostriches>	 https://phabricator.wikimedia.org/T137564 would also make life easier
[23:31:24] <legoktm>	 I could look into that over the weekend
[23:31:45] <legoktm>	 but I wonder how much that will screw with people's installs that are already using git and have repos checked out into those paths
[23:31:53] <ostriches>	 Ouch, possibly
[23:31:55] <ostriches>	 This is true
[23:32:29] <ostriches>	 Anyway, weekend
[23:32:32] <ostriches>	 adios
[23:32:45] <legoktm>	 o/