[00:01:58] <phawkes>	 3Phabricator: Tags for security bugs - https://phabricator.wikimedia.org/T1390#24404 (10Liuxinyu970226)
[00:04:48] <andre__>	 done...
[00:08:28] <andre__>	 hmm, so I guess I should file one more test bug in Production Phab to see if it triggers a mail notification to the Pywikibot list...
[00:10:59] <qgil>	 Better now that on Monday, if you have time
[00:11:11] <andre__>	 no, that does NOT work.
[00:11:34] <andre__>	 and my very spontaneous guess is that we changed from noreply@ to no-reply@ at some point IIRC.
[00:12:00] <andre__>	 ...which didn't have a ticket, only a commit. Slight dislike.
[00:12:40] <phawkes>	 3RT-Migration, Bugzilla-Migration: Set up permissions for Phabricator - https://phabricator.wikimedia.org/T39#24422 (10csteipp) >>! In T39#24388, @Aklapper wrote: > @csteipp and/or admins can add currently-still-missing members to the group after account verification.  I added several people based off their comm...
[00:14:09] <phawkes>	 3RT-Migration, Bugzilla-Migration: Set up permissions for Phabricator - https://phabricator.wikimedia.org/T39#24423 (10Aklapper) @csteipp: Thanks, but note that I've also already sent direct emails to those people asking them to verify their accounts after Chad told me that not everybody is on the sec@ mailing l...
[00:28:41] <andre__>	 ^d: Do I remember correctly that you're a mailing list admin for wikibugs-l@lists.wikimedia.org ?
[00:29:05] <andre__>	 could you check if postings are allowed from <no-reply@phabricator.wikimedia.org> (with a hyphen!)?
[00:29:13] <andre__>	 because we changed that from <noreply@phabricator.wikimedia.org> at some point
[00:29:16] <andre__>	 thanks in advance
[00:29:37] <phawkes>	 3Bugzilla-Migration: Default Assigned To lists in Bugzilla must be set up for CC as Herald rules in Phabricator - https://phabricator.wikimedia.org/T496#24431 (10Aklapper) https://phabricator.wikimedia.org/T1391 did **not** successfully deliver the email, not shown [[ https://lists.wikimedia.org/pipermail/pywiki...
[00:35:16] <^d>	 andre__: I am, but the password got changed on me again :\
[00:35:18] <^d>	 Ask Nemo
[00:36:59] <chasemp>	 andre__: it may be a blessing that it discards emails until post migration
[00:37:03] <chasemp>	 seriously
[00:37:20] <^d>	 I really think that spamlist is silly, but hey people like it :)
[00:37:35] <Krenair>	 At one point I was subscribed to it.
[00:37:59] * legoktm finds it useful
[00:38:18] <Krenair>	 And it makes all changes publicly archived automatically. By third parties.
[00:38:37] <^d>	 Then again, people think I'm nuts for actually reading every wikitech-l e-mail :)
[00:40:35] <qgil>	 hi awjr !
[00:40:44] <awjr>	 hi qgil!
[00:40:49] <awjr>	 how's the migration going?
[00:40:51] <qgil>	 awjr, you can switch off Bingle/Bugello 
[00:41:07] <awjr>	 qgil what terrific news :D
[00:41:17] <awjr>	 i'll take care of it in a few minutes
[00:42:53] <qgil>	 no worries  :)
[00:46:14] <legoktm>	 should we will phawkes?
[00:46:49] <^d>	 will it to do what?
[00:48:51] <awjr>	 @_@
[00:49:04] <andre__>	 BUGZILLA IS NOW READ-ONLY.
[00:49:12] <awjr>	 \0/
[00:49:15] <greg-g>	 weee
[00:49:19] <awjr>	 it's a brave new world
[00:49:32] <greg-g>	 alright everyone, you can stop here, this was the point all along, we can now go home, no more work to do!
[00:49:35] * andre__ wonders how many people will not read the banner and complain somehow :)
[00:49:49] <andre__>	 Yeah. We are officially bug-free now!
[00:50:01] <awjr>	 time to push some untested sketchy code to production
[00:50:34] * greg-g ignore awjr and goes to help make dinner
[00:50:47] <^d>	 andre__: Way too many.
[00:50:50] <^d>	 Nobody reads anything :)
[00:51:01] <^d>	 You're going to get a *ton* of "WHERE THE HELL IS BZ?" complaints.
[00:51:39] <chasemp>	 don't you have to burn your mattress to be bug free
[00:51:43] <chasemp>	 and shave your head
[00:51:54] <awjr>	 and use a special powder
[00:52:02] <awjr>	 qgil bugello is disabled
[00:52:19] <awjr>	 oh, i can't mark it resolved in phabricator :-/
[00:52:35] <^d>	 I can't file bugs in BZ anymore!!! :(
[00:52:48] * ^d adds his bugs directly to the database ;-)
[00:53:44] <andre__>	 ^d, yeah, I don't expect anybody to read the banner on top of Bugzilla. Just because there's been a banner for weeks already, just with a different text :-/
[00:53:51] * andre__ should try if <blink> tags still work
[00:53:56] <^d>	 They don't
[00:54:07] <^d>	 webkit doesn't support <blink> or text-decoration:blink
[00:54:13] <andre__>	 oh true, I remember the commit in FF as I follow some of their bugs
[00:54:17] <^d>	 (the latter on purpose. i filed a bug and it got wontfixed)
[00:54:21] <andre__>	 haha
[00:54:24] <qgil>	 awjr, thanks! updated:: https://www.mediawiki.org/wiki/Phabricator/versus_Bugzilla#Timeline
[00:55:06] <^d>	 andre__: Basically the only way to accomplish something like that these days is using JS to toggle visibility back and forth.
[00:55:18] <^d>	 Something something bad usability.
[00:55:50] <chasemp>	 ok ok no blinking, but can they spin?
[00:55:52] <qgil>	 Last Bugzilla report goes to SecurePoll: https://bugzilla.wikimedia.org/show_bug.cgi?id=73681
[00:56:05] <^d>	 chasemp: We've used <marquee> for banners before :D
[00:56:18] <^d>	 (specifically, fundraiser '08 iirc)
[00:56:33] <chasemp>	 long ago I tried a web design biz w/ a friend
[00:56:38] <chasemp>	 we literally had a "can you make it sparkle?"
[00:57:00] <qgil>	 Last non-test comment (I think): https://bugzilla.wikimedia.org/show_bug.cgi?id=38516#c59
[00:57:26] <qgil>	 00:43 UTC  heh
[00:57:30] <^d>	 chasemp: Appropriate. http://theoatmeal.com/comics/design_hell
[00:57:53] <chasemp>	 ...yes
[00:58:11] <chasemp>	 it was a line of jewelry from the philippines 
[00:58:24] <chasemp>	 which means only kids or in this case kid-in-laws speak english
[00:59:50] <chasemp>	 test comment or not
[00:59:56] <chasemp>	 I'm taking the last comment cake https://bugzilla.wikimedia.org/show_bug.cgi?id=72256
[01:00:38] <^d>	 boo, I tried to respond and steal your thunder but it wouldn't let me :(
[01:14:52] <qgil>	 qchris did his part as well, great
[01:16:05] <chasemp>	 qgil: fwiw I consolidated my identities
[01:16:06] <chasemp>	 https://secure.phabricator.com/p/chasemp/
[01:17:40] <superm401>	 qgil, why are we telling people they can only report emergency bugs at the support desk?  That basically means if you have a valid, non-emergency bug, you have nowhere to report it.
[01:17:44] <superm401>	 Which means there's a good chance it will be lost.
[01:17:55] <superm401>	 I think if we just let people report anything at support desk, it should be manageable.
[01:18:06] <^demon|away>	 Support desk or brand new irc channel that none of us are idling in, I'm sure.
[01:18:35] <^demon|away>	 support desk has atrocious monitoring by devs, fwiw. ops probably aren't even aware it exists :)
[01:18:41] <superm401>	 Yeah, I'm not really sure why it mentions the IRC channel either.
[01:18:49] <superm401>	 ^demon|away, yeah, I know, but this is kind of an exceptional circumstance.
[01:18:58] <superm401>	 And it only requires a one-time walk-through after Phabricator is back up.
[01:19:01] <qgil>	 superm401, I didn't want to overwhelm support desk
[01:19:36] <superm401>	 Alright, you've got my opinion. :)
[01:20:01] <qgil>	 well, now it's too late  :)  we have been discussing all this weeks ago. It's fine. People willing to post something will post something, even if it's in en.wiki village pump
[01:20:36] <qgil>	 now, migration. and some sleep.
[01:20:44] <^demon|away>	 (I've wanted to kill the support desk on mw.org for ages. I think it's disingenuous to users who are actually looking for support)
[01:29:26] <legoktm>	 people should report bugs in -tech
[01:34:43] <spagewmf>	 it's the final countdown. Da-da-da-daaaaa
[01:34:59] <spagewmf>	 hope it goes well
[06:21:04] <qgil>	 mornin'
[08:45:44] <valhallasw`cloud>	 'lo qgil 
[08:45:57] <qgil>	 hi valhallasw`cloud !
[08:46:02] <valhallasw`cloud>	 I suppose phawkes is silent because https is redirecting, so that works at least :-p
[08:46:26] <qgil>	 :)
[08:46:44] <qgil>	 indeed, otherwise this chatroom would have exploded
[08:47:11] <valhallasw`cloud>	 well, mainly #wikimedia-dev, I suppose
[08:47:20] <qgil>	 oh yes
[08:50:37] <valhallasw`cloud>	 qgil: most links under https://www.mediawiki.org/wiki/Phabricator/versus_Bugzilla refer to phabricator :/
[08:50:48] <valhallasw`cloud>	 err, https://www.mediawiki.org/wiki/Phabricator/versus_Bugzilla#Timeline
[08:50:57] <qgil>	 sure, but what can we do
[08:51:46] <valhallasw`cloud>	 not much :-p
[08:51:56] <valhallasw`cloud>	 unless someone thought of mirroring them somewhere
[08:54:26] <qgil>	 it's ok, they are tasks just telling details. We are not touching them during the migration.
[12:53:01] <qgil>	 grrr another little mistake. 21.1 hours in total, 14h left, and now I really think I got it.........
[13:23:34] <andre__>	 well, to make clear, those numbers only refer to importing tickets.
[20:58:37] <qgil_>	 hey, reviews for https://gerrit.wikimedia.org/r/#/c/174335/ are welcome, even better if someone brings a +2
[20:59:46] <qgil_>	 twentyafterfour, ^^^^ in  case it helps. I have added bd808 and ^d -- but I don't know whether they can help.
[21:00:19] <twentyafterfour>	 qgil_: thanks!
[21:10:16] <bd808>	 Won't chase merge and deploy that when you are ready? /me has no puppet +2
[21:11:44] <chasemp>	 I can merge and deploy
[21:11:54] <chasemp>	 if someone can give it a dev look
[21:12:01] <chasemp>	 as in mine would be a rubber stamp
[21:35:06] <bd808>	 twentyafterfour: How legit do you want me to be in the code review of the php? The way you are doing the mysql query makes my skin crawl.
[21:35:21] <bd808>	 http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
[21:36:30] <twentyafterfour>	 bd808: you don't like it because it's not a prepared statement?
[21:37:03] <bd808>	 I don't like string substitution or concat to build an sql statement
[21:37:24] <twentyafterfour>	 bd808: generally agree with you
[21:37:46] <twentyafterfour>	 but what goes into the string is not in any way likely to be sql injected
[21:38:05] <twentyafterfour>	 it's insured to be just a number though I guess I could check that more explicitly
[21:38:42] <bd808>	 It's not ensured to be anything from the patterns I see with (.*) in them
[21:39:36] <twentyafterfour>	 bd808: the only ones used as a replacement in the query are the first two
[21:39:47] <twentyafterfour>	 "pattern": "(bugs|bugzilla).wikimedia.org/show_bug.cgi\\?id=([0-9]+)",
[21:39:59] <twentyafterfour>	 and
[21:40:01] <twentyafterfour>	    "pattern": "(bugs|bugzilla).wikimedia.org/([0-9]+)",
[21:40:35] <bd808>	 But... the code doesn't control the config and there's no way to put a comment in the json warning against feeding crap to the class.
[21:40:48] <bd808>	 and eve if there was that's not secure
[21:41:14] <twentyafterfour>	 well what if the code checks explicitly that the value is just a number?
[21:41:23] <twentyafterfour>	 before building the sql..
[21:41:31] <bd808>	 That would be better for sure
[21:42:25] <twentyafterfour>	 honestly I never once even though about sql injection simply because everywhere it's supposed to be just a number. and I never expect that config to change in the future
[21:42:41] <twentyafterfour>	 but shit happens ;)
[21:42:45] <twentyafterfour>	 so I'll add a check
[21:42:48] <bd808>	 And that's how data breaches start :)
[21:43:13] <twentyafterfour>	 fwiw the mysql credentials this thing is using can't access much
[21:43:24] <twentyafterfour>	 minimum necessary access
[21:43:32] <bd808>	 which is good. defense in depth
[22:25:05] <chasemp>	 yes this script is using RO creds fyi
[22:25:13] <chasemp>	 limited to only one table :)
[22:26:54] <hashar>	 qgil_ andre__  chasemp twentyafterfour: my best wishes for the migration!
[22:56:34] <chasemp>	 andre__: 
[22:56:36] <chasemp>	 I have T40 printed
[22:56:44] <chasemp>	 if you guys want to talk about it in that diff
[22:56:47] <chasemp>	 but where to put it?
[22:56:50] <chasemp>	 (PDF)
[22:57:03] <andre__>	 Personally I don't want to :)
[22:57:08] <andre__>	 Nemo could have commented on T40.
[22:58:08] <twentyafterfour>	 bd808: updated to use prepared statements
[22:58:31] <bd808>	 <3. I'll give it another look
[23:03:35] <bd808>	 twentyafterfour: Does having the single quotes in the template sql and binding values as strings work right? I think the prepare call will not see the params if they are quoted in the source string.
[23:04:03] <bd808>	 f.fieldIndex='?' vs f.fieldIndex=?
[23:05:37] <legoktm>	 chasemp: hahaha
[23:05:47] <legoktm>	 chasemp: that's ok, I don't care that much :P
[23:06:44] <twentyafterfour>	 bd808: you're right
[23:06:58] <chasemp>	 legoktm: let the record show I offered :D
[23:07:16] <twentyafterfour>	 bd808: fixed and pushed another revision
[23:07:42] <legoktm>	 noted :)
[23:21:59] <^d>	 twentyafterfour: One other thing I just noted. Should we be issuing 301's instead of 302's?
[23:22:20] <^d>	 header("Location:Foo") defaults to 302 unless you specify.
[23:22:54] <^d>	 *noticed
[23:24:27] <twentyafterfour>	 ^d: ok, 301 is probably better, yes
[23:53:48] <twentyafterfour>	 ^d: converted to 301