[17:19:59] ostriches: https://gerrit.wikimedia.org/r/#/c/305627/
[17:25:19] anomie: I think you are the only one that knows SP: https://gerrit.wikimedia.org/r/#/projects/mediawiki/extensions/SecurePoll,dashboards/default
[17:45:51] AaronSchulz: TimStarling knows SecurePoll too
[17:46:21] anomie: well, he deferred to you for these since he hadn't looked at it in a long time. :)
[17:47:30] I suspect he looked at it slightly more recently than I did, since I don't think I've looked at it since I wrote that code and he reviewed that code sometime after that ;)
[17:47:36] * anomie will try to look at it
[19:18:28] anomie: I added connection/readonly checks
[19:18:44] * AaronSchulz also wonders if the job push() call should be post-commit...though that is pre-existing
[21:47:40] anomie: I just saw your e-mail on posting passwords to API, etc. Two things....
[21:48:04] One: can this be imposed on the browser too? So you can't do Special:Login?username=foo&password=bar?
[21:48:17] And two: Should/can this be backported to like 1.27 maybe since it's LTS?
[22:34:43] ostriches: if you are thinking about form prefilling, that does not work with password fields
[22:34:54] Ah, didn't know ;-)
[22:35:11] Does it work with POSTing with it in the query string?
[22:35:38] (I mean I guess we can't stop someone from putting their password in a URL, but we could avoid it from actually working so you can't get an idea of if it works just from the response)
[22:35:45] Mainly just thinking aloud
[22:36:06] it would probably work, hard to imagine why someone would do it though
[22:36:27] logging in programmatically via the web form seems a lot harder than via the API
[22:37:47] we can prevent logins like that, but seems like don't do that then territory to me
[22:38:01] the API query param thing was actually done by a few bots
[22:47:49] ya
[22:49:12] What about the 2nd question?
[22:50:42] tgr: thanks, btw, for handling that VE+Sentry issue. I appreciate your thoroughness.
[22:51:46] well, you break it, you fix it :)
[22:51:56] yup
[23:12:35] ostriches: personally I would consider it a new feature, not a bugfix, but that might just be the laziness talking
[23:13:03] Yeah it's not really a bugfix, but it's a deprecation that will impact a lot of people
[23:13:07] (potentially a lot)
[23:13:21] Why I suggested backporting to 1.27. Below that idgafos
[23:13:33] why backport a deprecation though?
[23:14:09] all it does is show a warning, Wikipedia should be good enough for awareness-raising amongst bot authors
[23:14:35] or are you worried that someone only runs their bot on their 1.27 wiki, then switches to 1.31 and it breaks?
[23:15:00] Yeah. Some $third_party_wiki has a bot that runs against LTS release(s)
[23:15:17] Then they jump to next LTS and it goes from no warning to a breakage.
[23:15:23] yeah, that makes sense
[23:15:25] (considering the warning itself is mostly harmless)