[18:44:09] <ori>	 TimStarling: the H5dep README.md says it requires maven2, but when I ran `mvn package`, I got: "[INFO] Error resolving version for 'org.apache.maven.plugins:maven-compiler-plugin': Plugin requires Maven version 3.0". I had to uninstall the maven2 package and install maven. This is on Ubuntu 15.04.
[18:57:14] <hashar>	 ori: that is for html5depurate right?  It depends on 'maven' which on both Jessie and Trusty bring in maven 3
[18:57:53] <ori>	 yes, but the README says: Ubuntu build/test dependencies: * openjdk-7-jdk * maven2 * jsvc
[18:57:59] <hashar>	 ah
[18:58:12] <hashar>	 so yeah trust debian/control  ,  should be amended to state maven3
[18:58:19] <ori>	 nod
[19:01:30] <anomie>	 Sigh. Is there any way to tell composer that I really don't want it to try to screw around with extensions/AntiSpoof, no matter that something else's composer.json claims to require it?
[19:07:32] <ori>	 anomie: cf https://phabricator.wikimedia.org/T67188#1509715. You could try running composer with --no-plugins, which should prevent composer-merge-plugin from running, which should in turn stop composer from recursing through something else's composer.json
[19:08:23] <anomie>	 ori: Although that means that the dependencies for the extensions' composer.json wouldn't be installed, which will probably break those extensions.
[19:08:28] <anomie>	 Or will it?
[19:09:03] <ori>	 dunno, I guess it depends
[19:09:03] <hashar>	 iirc some extensions had other extensions listed as dependencies in composer, can it be your problem?
[19:09:42] <hashar>	 it might be a load order problem.   Ie you have  extension A depending on B
[19:09:50] <hashar>	 you have both A and B available
[19:10:11] <hashar>	 maybe composer process A first, resolve B and fetch it from packagist before it had a chance to find the B ext on the local disk
[19:10:12] <ori>	 yes, this is jeroen's fantastically bad idea. bd808 tried to make things better with composer-merge-plugin but I think you can't gloss over two different ways of thinking about composer this way, as jeroen himself seems to have recognized
[19:10:14] <hashar>	 (pure speculation)
[19:10:49] <hashar>	 well we were composer newbies back at that time :D
[19:11:03] <ori>	 (composer-merge-plugin is very useful and we should keep it, don't get me wrong)
[19:11:10] <hashar>	 one idea was that one would download mediawiki then  composer add extension/foo
[19:11:16] <hashar>	 and everything would be sorted out magically
[19:11:49] <hashar>	 eventually legoktm / bd808 found out that resolving deps with composer would not work for us
[19:11:52] <ori>	 yes, it was a bad idea; composer is for installing dependencies, not extensions, which are a different thing
[19:12:00] <hashar>	 and we went with composer-merge-plugin  and the extension registry
[19:12:05] <ori>	 jeroen threw a tantrum
[19:12:17] <hashar>	 so imho, any  composer.json  referencing an extension as a dependency is a bug and they should be removed
[19:12:29] <ori>	 agreed
[19:12:52] <hashar>	 then dont blame Jeroen :)
[19:12:57] <hashar>	 err
[19:13:05] <hashar>	 sorry my english is crap let me rephrase that
[19:13:20] <hashar>	 "I would not blame Jeroen or anyone involved in composer a few years ago" :D
[19:14:22] <hashar>	 actually I am the one to blame for suggesting that back in 2012 ( https://www.mediawiki.org/w/index.php?title=Composer&oldid=743849  )
[19:14:57] <hashar>	 TranslationNotification  require mediawiki/translate 
[19:14:59] <hashar>	 eek
[19:15:31] <ori>	 ahhhhhhhhhhhhhhhhhhhhhhhhhh
[19:15:54] <hashar>	 that version is my last edit on the page
[19:16:13] <hashar>	 that was really a rough experiment
[19:16:37] <hashar>	 then a year or so after, Jeroen stepped in and added composer on most of the repo he managed \o/
[19:17:15] <hashar>	 we need a Chief Operating Historian
[19:18:12] <anomie>	 hashar: In my case, the problem is AbuseFilter requiring mediawiki/anti-spoof
[19:20:20] <hashar>	         "mediawiki/anti-spoof": "dev-master"
[19:20:21] <hashar>	 yeah
[19:20:24] <hashar>	 should be dropped
[19:20:49] <hashar>	 and that dependency expressed in extension.json I think
[19:21:02] <hashar>	 legoktm would know for sure
[19:22:49] <hashar>	 anomie: comes from https://gerrit.wikimedia.org/r/#/c/48836/
[19:22:59] <hashar>	 Feb 2013
[19:24:16] <hashar>	 and 
[19:24:17] <hashar>	 The key of the requires object is the name of the dependency (currently only MediaWiki supported), 
[19:24:22] <hashar>	 from https://www.mediawiki.org/wiki/Manual:Extension_registration#Requirements_.28Dependencies.29
[19:26:28] <SMalyshev>	 is anybody present here who could explain to me how CSRF tokens are working?
[19:28:08] <anomie>	 SMalyshev: Maybe. What exactly do you want to know about them?
[19:28:51] <SMalyshev>	 anomie: well, I understand when I do modifying action via API, I supposed to get a token, right?
[19:28:59] <SMalyshev>	 anomie: and the API to use seems to be https://en.wikipedia.org/w/api.php?action=query&meta=tokens&format=json
[19:29:04] <hashar>	 date -R
[19:29:13] <SMalyshev>	 but every time I call it I receive token of "+\\"
[19:29:28] <anomie>	 SMalyshev: If you get a token of "+\", you're not logged in.
[19:29:30] <SMalyshev>	 so I'm not sure if I'm doing anything wrong or it's supposed to be this way?
[19:29:44] <SMalyshev>	 ahh, ok. So all anonymous edits get the same token>
[19:29:45] <SMalyshev>	 ?
[19:30:17] <anomie>	 Yeah.
[19:30:18] <MatmaRex>	 yeah. there's a task about changing it somewhere.
[19:30:41] <SMalyshev>	 aha, ok. I just wanted to make sure I'm not doing something wrong
[19:31:12] <SMalyshev>	 so any anon edit can just supply token of "+\" and it be fine I understand 
[19:32:32] <anomie>	 T40417 is the task, but it's private.
[19:41:25] <SMalyshev>	 I wonder if it would make sense to vary it at least with time...
[19:56:06] <anomie>	 Wouldn't do very much good, it'd just be ever-so-slightly harder for an attacker to abuse it.
[19:58:21] <SMalyshev>	 still harder than now :)