[00:18:28] Fundraising-Backlog: Version control Jenkins config - https://phabricator.wikimedia.org/T154208#2904150 (cwdent)
[01:08:48] fr-tech
[01:09:38] anyone about?
[01:11:01] awight: About?
[01:19:49] Reedy: hey!
[01:20:03] How's it going?
[01:20:35] AndyRussG: Mind if I PM?
[01:24:42] o/
[01:25:04] awight: Oh hey.
[01:25:10] I just texted you.
[01:25:15] heh
[01:25:16] Hi! Thx
[01:26:28] Based on what K4-713 and I have discussed on fb messenger... It seems this may be a non issue
[01:26:49] At least, not worthy of a security deploy
[01:28:50] Reedy: pls go ahead
[01:28:55] Ah OK I see
[01:28:59] heh
[01:29:11] I mean, please feel free to pm
[01:29:21] Sorry I didn't see your last ping until now
[01:29:32] np
[01:31:00] Looks like it's been quite the day for fr-tech. Good thing we already finished for December. ;)
[01:32:11] K4-713: I guess the hardware was rooting for us
[01:34:50] !log disabled thank-you mailer per T154209
[01:34:53] Logged the message at https://wikitech.wikimedia.org/wiki/Server_Admin_Log
[01:43:21] awight: What do you want to do about updating?
[01:44:08] Reedy: I'll apply your patch, ty much for noticing and the awesome follow-through!
[01:44:17] Thank quiddity for finding it :)
[01:44:24] /bringing it up
[01:44:26] Right, I will
[01:47:45] awight: What do you want to do about DonationInterface being over 100 commits behind for SmashPig?
[01:48:08] * awight stares at my "right" with urge to correct to "ah, I hadn't caught that" :)
[01:48:24] Reedy: I'm re-patching with just the upstream updates, actually
[01:48:33] Sad to say, it's much safer that way.
[01:48:39] hum. Yeah, probably...
[01:48:41] makes sense
[01:48:44] How did that happen, anyway?
[01:49:31] K4-713: We've been cherry-picking extremely cautiously during Big English
[01:49:37] Ah, got it.
[01:49:52] That should be a scoreboard thing, actually: record number of commits behind master during Dec
[01:49:58] :p
[01:50:28] Plenty of time to undo that mess in January.
[01:50:46] awight: Can I be doing something more useful than standing by?
[01:52:06] sure! I'll have code review for you in one minute.
[01:52:28] Fast.
[01:52:28] * awight blinks at failure to update library in question... five minutes.
[01:52:34] heh
[01:52:36] I'm about if you need/want me too :)
[01:52:39] Composer was being a dick
[01:52:49] Hence letting it just do the symfony updates too
[01:52:55] yeah, right!
[01:53:08] though, a followup TODO..
[01:53:22] It looks like you figured out our deployment-branch thing, that's cool to see that it wasn't too abnormal.
[01:53:23] Many of your other dependencies seem to be out of date based on the constraints
[01:53:53] +1, We've been avoiding boat-rocking during December
[01:54:02] I don't disagree there
[01:54:07] :)
[01:54:12] Just another "I noticed...."
[01:54:24] I've dug around in it before when DonationInterface got weird with its vendor repo
[01:54:31] So had some idea what was going on
[01:55:33] oh, really? I was hoping that we were not weird any more
[01:55:39] Like, we were like mediawiki-core
[01:55:55] I don't think you're too bad
[01:56:23] I think elliott fixed up the last round of things that were causing me weird cloning errors
[01:56:23] * K4-713 looks slightly disappointed
[01:56:24] #deployment /vendor is our release branch and has actually deployed versions... /vendor for #deployment is on #master, which does seem weird in hindsight
[01:56:45] K4-713: no, *you're still weird, don't be sad
[01:57:39] Well, that's something anyway.
[01:57:42] :p
[01:58:08] Also around, if I can help at all, btw :)
[02:00:19] * awight smiles at gallery of wonderful colleagues
[02:06:40] awight: If you're gonna deploy to the normal wikis, give me a ping first :)
[02:07:26] * Reedy is currently cleaning his kitchen at 02:07am
[02:08:01] Woah.
[02:08:26] I was going to start this 8 hours or so ago... Many distractions
[02:09:18] Don't type with your hands wet while you're on tin... Some of the water might soak through to the server
[02:09:28] Reedy: nope, just the payments cluster. Your kitchen must be sparkling!
[02:09:53] I didn't start 8 hours ago :P
[02:11:32] I'm pretty sad about what's happening in Composer at the moment. Seems I can't sever the Wikimedia dependency updates from upstream ones, and can't edit the composer.lock file by hand easily cos of the hashing magick.
[02:12:13] i was doing php composer.phar update badpackage/badpackage --no-dev
[02:12:42] hence leaving the symfony minor bumps
[02:13:06] me too, but that was updating the wikimedia/ and coderkungfu/ (forked) deps as well
[02:14:23] O_o hold on--it worked just how I wanted this time
[02:14:27] lol
[02:14:29] fsck computers
[02:15:17] Maybe you're one of those sprites that gets near computers and they start behaving deterministically?
[02:17:40] really useful when doing tech support
[02:17:48] "it wasn't working when I tried before!"
[02:18:13] Oh man. That was me when I was an entire I/T department.
[02:18:41] (PS1) Awight: Update PHPMailer per T154209 [wikimedia/fundraising/crm] (deployment) - https://gerrit.wikimedia.org/r/329369
[02:18:41] K4-713: on second thought, I'm fine self-reviewing these... but there they go if you feel like blessing.
[02:18:41] (PS1) Awight: Update PHPMailer per T154209 [wikimedia/fundraising/crm/vendor] - https://gerrit.wikimedia.org/r/329370
[02:18:45] That's funny, cos I have exactly the opposite mojo.
[02:19:00] haha
[02:19:05] I can crash *any* computer/OS, almost immediately upon using the input device
[02:19:59] It's some kind of magnetism for the grimmest, most recessed features.
[02:20:07] There's a 5.2.19 now?
[02:20:18] https://packagist.org/packages/phpmailer/phpmailer#v5.2.19
[02:20:25] Yeah, guess so.
[02:21:10] aye
[02:21:29] (CR) Katie Horn: [C: 2] Update PHPMailer per T154209 [wikimedia/fundraising/crm] (deployment) - https://gerrit.wikimedia.org/r/329369 (owner: Awight)
[02:21:39] (Merged) jenkins-bot: Update PHPMailer per T154209 [wikimedia/fundraising/crm] (deployment) - https://gerrit.wikimedia.org/r/329369 (owner: Awight)
[02:22:07] (CR) jerkins-bot: [V: -1] Update PHPMailer per T154209 [wikimedia/fundraising/crm/vendor] - https://gerrit.wikimedia.org/r/329370 (owner: Awight)
[02:22:14] eh
[02:22:48] short array syntax...
[02:22:59] There's some lovely filth down 'ere...
[02:23:07] hargh
[02:23:35] That might actually bomb out the server
[02:23:40] * awight swoons
[02:23:55] k I can fix it with the utility for now
[02:28:06] (PS1) Awight: Long array syntax... [wikimedia/fundraising/crm/vendor] - https://gerrit.wikimedia.org/r/329371
[02:28:15] K4-713: That one could use CR if you're around ^
[02:29:33] (PS2) Awight: Long array syntax... [wikimedia/fundraising/crm/vendor] - https://gerrit.wikimedia.org/r/329371
[02:29:46] doing
[02:30:26] haha I can only hear the one-syllable version of "doing" now that you pointed it out.
[02:30:31] :D
[02:31:33] Looks like we can't stem the tide of PHP6 for much longer, btw...
[02:31:55] (CR) Katie Horn: [C: 2] Long array syntax... [wikimedia/fundraising/crm/vendor] - https://gerrit.wikimedia.org/r/329371 (owner: Awight)
[02:31:59] I think that was top of JGreen's list for next year, anyway, to upgrade the last of the boxes.
[02:32:15] Yeah... probably very early next year, too.
[02:32:37] (PS1) Awight: PHP5 glitches [wikimedia/fundraising/crm] (deployment) - https://gerrit.wikimedia.org/r/329372
[02:32:46] (CR) jerkins-bot: [V: -1] Long array syntax... [wikimedia/fundraising/crm/vendor] - https://gerrit.wikimedia.org/r/329371 (owner: Awight)
[02:32:54] (CR) Awight: [V: 2 C: 2] PHP5 glitches [wikimedia/fundraising/crm] (deployment) - https://gerrit.wikimedia.org/r/329372 (owner: Awight)
[02:33:13] grrr
[02:33:15] * awight "yikes"s
[02:33:49] (PS1) Awight: Revert "PHP5 glitches" [wikimedia/fundraising/crm] (deployment) - https://gerrit.wikimedia.org/r/329373
[02:34:03] (CR) Awight: [V: 2 C: 2] Revert "PHP5 glitches" [wikimedia/fundraising/crm] (deployment) - https://gerrit.wikimedia.org/r/329373 (owner: Awight)
[02:38:00] It's possible that we've been forcing vendor merges since August.
[02:38:55] * K4-713 turns very slightly green
[02:39:20] Oh dear. Yes that's the case.
[02:40:13] (CR) Awight: [V: 2 C: 2] Update PHPMailer per T154209 [wikimedia/fundraising/crm/vendor] - https://gerrit.wikimedia.org/r/329370 (owner: Awight)
[02:40:39] (CR) Awight: [V: 2] Long array syntax... [wikimedia/fundraising/crm/vendor] - https://gerrit.wikimedia.org/r/329371 (owner: Awight)
[02:41:07] This might not be okay.
[02:41:08] > 00:00:15.249 PHP Parse error: syntax error, unexpected T_USE, expecting T_FUNCTION in phpmailer/phpmailer/get_oauth_token.php on line 37
[02:41:49] * awight grits teeth and carries on
[02:43:49] (PS1) Awight: Update PHPMailer: Leap into unknown [wikimedia/fundraising/crm] (deployment) - https://gerrit.wikimedia.org/r/329375 (https://phabricator.wikimedia.org/T154209)
[02:43:59] (CR) Awight: [V: 2 C: 2] Update PHPMailer: Leap into unknown [wikimedia/fundraising/crm] (deployment) - https://gerrit.wikimedia.org/r/329375 (https://phabricator.wikimedia.org/T154209) (owner: Awight)
[02:46:37] !log update Fundraising CiviCRM from 454679d201ed59c76a3905cf3ad5ee2d14fef93f to 038e166269667e7b1c0e9ef54b06ae79b546c76e
[02:46:40] Logged the message at https://wikitech.wikimedia.org/wiki/Server_Admin_Log
[02:46:41] o_0
[02:46:57] Reedy: You saw that php 5.5 bit?
[02:47:04] hair-raising...
[02:47:12] This might not fly
[02:47:39] !log reenabling Fundraising thank-you job
[02:47:41] Logged the message at https://wikitech.wikimedia.org/wiki/Server_Admin_Log
[02:48:13] fr-tech: Reedy: We're in the clear! Thanks for all the help :D
[02:48:24] Yay!
[02:49:03] awight: Thanks for the quick patching.
[02:50:45] Whew, it sure got messy for such a small bump
[02:50:47] awight: Can you update the phab ticket to reflect what we did today, and the follow-up we'll need to do when we're all actually back on duty?
[02:50:54] +1, working on that now
[02:51:02] Thanks!
[02:51:27] awight: Do we want to push the smashpig commits into gerrit, and get them into master so whenever DI gets updated...
[02:54:16] Wee!
[03:03:02] awight_: Want me to put my patches onto gerrit?
[03:03:33] fundraising-tech-ops: upgrade all frack servers to debian/jessie - https://phabricator.wikimedia.org/T146479#2904300 (awight) p:Normal>High I know this was only stalled due to Big English, but I'm increasing priority to reflect my disgruntlement that we're still bypassing some continuous integration...
[03:04:27] Reedy: oops! Sorry, I meant to mention your original commiterness on those patches, but got distracted...
[03:04:50] Probably no need to submit the alternate patches now, since I've merged the sequels.
[03:04:53] Also, they broke their own support
[03:04:54] https://github.com/PHPMailer/PHPMailer/blob/master/composer.json#L23
[03:05:08] oh! nastiness.
[03:06:09] awight: but smashpig and donationinterface != crm
[03:06:54] Reedy: ah! Thanks for pointing that out.
[03:07:05] Lemme see where else we might call that mailer class
[03:07:34] awight: I think we added it to DI just to email ourselves about Minfraud queries getting super-low.
[03:07:37] awight: FailmailLogStream
[03:07:54] Can't imagine any other reasons we'd need emails from the payments cluster.
[03:08:41] not having access to the CVE is killing me
[03:08:56] Reedy: I'll happily accept patches :)
[03:09:10] awight: There's 2 on the bug for smashpig
[03:09:34] It does seem that we only email ourselves, but it's possible that user-generated content would be included somewhere in the inputs.
[03:10:14] Reedy: I read your task terribly, sorry!
[03:15:18] awight: It looks like this is pretty handled at this point. Can you text me if you need any CR, or if more things happen?
[03:16:06] Reedy: ... and now I see what you were saying about the vast expanse of unmerged patches, cos that makes it difficult to update the Wikimedia composer libs...
[03:16:15] K4-713: see ya, thanks for hopping online!
[03:16:55] Good luck! I'll be fairly close by...
[03:17:23] awight: https://github.com/PHPMailer/PHPMailer/pull/927 for the [] -> array() upstream
[03:18:14] Nice one!
[03:18:25] There are many more language feature screwups, I'm afraid...
[03:18:49] e.g. traits
[03:19:20] Let's file an issue about this then
[03:19:41] +1 I can do it unless you're on a (2am) roll ;)
[03:19:54] 2am?
[03:19:57] It's 03:19 now ;)
[03:20:03] aaargh
[03:21:29] https://github.com/PHPMailer/PHPMailer/issues/928
[03:22:01] :D thank you
[03:22:52] oops I passed you bad info, the traits were actually in a symfony dependency...
[03:23:35] does the rest lint with php 5.3?
[03:23:55] let's see...
[03:23:58] (PS1) Awight: Update PHPMailer per T154209 [wikimedia/fundraising/SmashPig/vendor] - https://gerrit.wikimedia.org/r/329377
[03:24:53] Reedy: It's clean w/o those short arrays, yes.
[03:24:59] oops!
[03:25:03] no I'm on php5.6 myself
[03:25:08] ok one more minute
[03:25:09] * Reedy updates his comment..
[03:25:10] lol
[03:25:39] I'm more full of fail than usual, at the moment :)
[03:26:45] I did find errors with php 5.3.10
[03:26:53] is there a verbose flag for php -l?
[03:27:06] not sure
[03:28:15] one file fails lint: ./phpmailer/get_oauth_token.php
[03:28:47] I think it is using traits, from another library which is how it evaded my grep -r
[03:29:11] https://github.com/PHPMailer/PHPMailer/blob/master/get_oauth_token.php
[03:29:18] use BearerAuthorizationTrait;
[03:29:42] (PS1) Awight: Update PHPMailer per T154209 [wikimedia/fundraising/SmashPig] (deployment) - https://gerrit.wikimedia.org/r/329378
[03:29:45] yep
[03:29:46] awight: Fucking ugh
[03:29:46] https://github.com/PHPMailer/PHPMailer/issues/924
[03:29:58] We might be doing this again in a few hours
[03:30:06] haha I do hope not
[03:30:33] omg I see
[03:36:36] awight: I'm going to take all the nice things from everyone
[03:38:12] That was so bad that it almost feels like a set-up
[03:43:37] !log put payments frontends into maintenance mode
[03:43:39] Logged the message at https://wikitech.wikimedia.org/wiki/Server_Admin_Log
[03:46:36] meh reading https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html I'm going with Hanlon's Razor
[03:51:04] shell is hard.
[03:52:58] !log disabled Fundraising audit parsers
[03:53:00] Logged the message at https://wikitech.wikimedia.org/wiki/Server_Admin_Log
[04:13:17] (PS1) Awight: DEPLOYMENT ONLY: Short-circuit everything to disable listeners, per T154209 [wikimedia/fundraising/SmashPig] (deployment) - https://gerrit.wikimedia.org/r/329380
[04:13:46] (CR) Awight: [V: 2 C: 2] "Please revert me soon." [wikimedia/fundraising/SmashPig] (deployment) - https://gerrit.wikimedia.org/r/329380 (owner: Awight)
[04:15:38] !log disable Fundraising listeners via extraordinary workaround: from f14337880e389f95f791c11ab17dfabf36f5317f to 6b864916a2b09ca30dfa17476dbc0a74b0aa7828
[04:15:40] Logged the message at https://wikitech.wikimedia.org/wiki/Server_Admin_Log
[04:19:17] (PS1) Awight: DEPLOYMENT ONLY: fix broken hack :( [wikimedia/fundraising/SmashPig] (deployment) - https://gerrit.wikimedia.org/r/329381
[04:19:27] (CR) Awight: [V: 2 C: 2] DEPLOYMENT ONLY: fix broken hack :( [wikimedia/fundraising/SmashPig] (deployment) - https://gerrit.wikimedia.org/r/329381 (owner: Awight)
[04:25:06] should be good until tomorrow.
[08:25:02] <_joe_> hey, anyone around?
[08:30:56] <_joe_> seriously. I can't believe we've done this.
[13:03:50] (PS1) Umherirrender: Fix case of OutputPage::setPageTitle [extensions/FundraiserLandingPage] - https://gerrit.wikimedia.org/r/329467
[16:45:49] (PS1) Cdentinger: Update PHPmailer for CVE-2016-10045 and CVE-2016-10033 [wikimedia/fundraising/crm] - https://gerrit.wikimedia.org/r/329497
[16:56:14] (PS1) Cdentinger: Ran composer update [extensions/DonationInterface] - https://gerrit.wikimedia.org/r/329498
[16:58:24] (CR) jerkins-bot: [V: -1] Ran composer update [extensions/DonationInterface] - https://gerrit.wikimedia.org/r/329498 (owner: Cdentinger)
[16:59:18] (PS1) Cdentinger: Update phpmailer for CVE-2016-10045 and CVE-2016-10033 [extensions/DonationInterface] - https://gerrit.wikimedia.org/r/329499
[17:05:29] wtf
[17:05:41] how does the parent patch fail and the child patch not?
[17:07:21] (CR) Cdentinger: "recheck" [extensions/DonationInterface] - https://gerrit.wikimedia.org/r/329498 (owner: Cdentinger)
[17:11:03] oh good it was just a random failure :-\
[17:26:12] cwd: so, in order, -97, -98 and -99?
[17:28:12] AndyRussG: heh that's how you know it's winter break
[17:28:15] 3 ids in a row
[17:28:54] 97 is for crm, 98 and 99 are for donation interface
[17:29:08] going to patch smashpig shortly, then aaaaalll the submodules i guess
[17:31:56] Ah K :)
[17:35:36] cwd: what was that command to update all the git repos in vagrant at once?
[17:35:52] i didn't know there was such a command!
[17:36:13] Ah K... Lemme check! It did some mw-specific update too
[17:49:43] cwd: https://www.mediawiki.org/wiki/MediaWiki-Vagrant#Update_cloned_repos
[17:49:51] vagrant git-update
[17:50:40] (haven't tried it yet, updating vagrant guest additions still)
[18:00:31] fr-tech: Every why hath a wherefore.
[18:00:31] -- William Shakespeare, "A Comedy of Errors"
[18:00:31] -- discuss.
[18:03:37] (PS1) Cdentinger: Update phpmailer for CVE-2016-10045 and CVE-2016-10033 [wikimedia/fundraising/SmashPig] - https://gerrit.wikimedia.org/r/329502
[18:11:38] AndyRussG: if all 4 of those patches are sane, i guess the next step is update all the submodules, then all the deployment branches, then deploy all the projects
[18:12:55] looks like there's a bunch of stuff needs reverting on SP deployment as well
[18:18:09] for some reason adam's patch only affected deployment, not sure why he wouldn't change master first
[18:18:34] this is a high risk thing with a ton of surface area to be doing while everyone is gone
[18:19:16] cwd: We should take down campaigns then? Also ensure no e-mails are going out?
[18:19:28] Ah I think I read campaigns are already down
[18:19:35] AndyRussG: yeah payments is in maintenance mode
[18:20:25] i guess we could do one project at a time
[18:20:56] Yeah CN campaigns are totally down
[18:23:46] AndyRussG: well this is a pretty bad situation, gotta get the site back up somehow
[18:24:08] the top 4 here are hopefully ok https://gerrit.wikimedia.org/r/#/q/owner:cdentinger%2540wikimedia.org+status:open
[18:25:17] cwd: I don't know exactly how e-mails are sent, but I think most urgent is to make sure none are going out, no?
[18:25:46] i think it's more about us doing validation on the front end
[18:26:03] but updating the lib should suffice
[18:26:08] I saw the-wub say he thought maybe some were scheduled to go out today and tomorrow?
[18:26:15] oh, those emails, right
[18:26:27] Yeah I didn't see if Caitlin responded
[18:26:27] i thought you meant the bug we're patching for
[18:26:39] No, I mean e-mails that would be sending users to payments
[18:26:44] yeah if emails go out with payments down it's gonna be hell of embarrassing
[18:26:51] Yeah I think it happened
[18:26:58] christ
[18:27:02] maybe... a bit..
[18:27:05] Yesterday or something
[18:27:40] Do those e-mails go out automatically on a schedule, or do we have to push "send" (or equivalent) for each batch?
[18:28:24] not sure, my guess is caitlin has to press a button
[18:31:34] eileen1: boo! do you know if a button is pressed for e-mails to go out?
[18:31:52] Also, payments is down :(
[18:32:05] also invoking... ejegg and XenoRyet....
[18:40:24] AndyRussG: I think payments is supposed to be down?
[18:41:05] eileen1: hmmm AFIK cwd|brb has some urgent maintenance patches
[18:41:16] something to do with what happened yesterday
[18:41:41] I'm trying to get set up to look at them, but it's all codebase that I'm not comfortable enough with
[18:41:47] yeah I read from awight a decision to keep them down
[18:41:55] until some patches are resolved
[18:42:51] eileen1: yep i patched everything, of course we have some composer weirdness
[18:44:00] :-)
[18:44:47] Ah yeah now I see awight's email that he was leaving everything down
[18:51:11] (CR) Eileen: [C: 2] Update PHPmailer for CVE-2016-10045 and CVE-2016-10033 [wikimedia/fundraising/crm] - https://gerrit.wikimedia.org/r/329497 (owner: Cdentinger)
[18:53:07] (CR) Eileen: [C: 2] "I looked & checked the change was limited to the affected package & nothing looked odd in the .lock file. As an external package I didn't " [wikimedia/fundraising/crm] - https://gerrit.wikimedia.org/r/329497 (owner: Cdentinger)
[18:55:10] (Merged) jenkins-bot: Update PHPmailer for CVE-2016-10045 and CVE-2016-10033 [wikimedia/fundraising/crm] - https://gerrit.wikimedia.org/r/329497 (owner: Cdentinger)
[18:59:33] Sadly I have no idea what's going on with these composer.lock changes, and don't want to get in the way of those who do.....
[19:00:16] heh that's just impostor syndrome, no one knows wtf is going on with composer
[19:00:55] what i do know is we have several repos where .lock has been hacked on directly instead of changing .json
[19:03:46] https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file
[19:03:57] "Commit your application's composer.lock (along with composer.json) into version control."
[19:04:21] So how did you create these new lock files? update and install?
[19:04:36] well they aren't new, just changed
[19:05:05] but the .lock files have been changed with no regard for the .json files they are derived from, e.g. one of them didn't even have phpmailer in the json file
[19:05:38] imo composer.lock is a total design failure
[19:05:40] ouch cwd did I approve that one naively
[19:05:53] at least when coupled with keeping vendor in a submodule
[19:05:57] Right, just changed... so how did you generate the new ones?
[19:06:06] I mean, make the changes/create the patchsets?
[19:06:17] edited composer.json, composer update
[19:07:38] K I see, so composer update updates composer.lock, and install actually installs stuff (so that's what's run on deployments and in CI), right?
[19:07:57] I don't see the composer.json changes here: https://gerrit.wikimedia.org/r/#/c/329498/
[19:08:12] yep exactly, update reads .json and decides what versions to put in .lock based on semver
[19:08:31] semver?
[19:08:35] AndyRussG: yep that's just a situation where composer.lock has not been kept up to date
[19:08:54] rather it has been changed directly instead of changed by composer update
[19:09:26] AndyRussG: http://semver.org/
[19:09:46] it's the standard for specifying what version of the libraries you are ok with automatically installing
[19:10:02] which is to say trusting the authors to decide what a breaking change is :S
[19:10:12] Ah gotcha
[19:13:53] wow i notice from that patch that our deployed php-queue is not at the tip of our fork
[19:15:07] cwd: dunno if this is relevant, but yesterday awight was talking about how we're actually way behind on a deployment branch, not sure what or wherefore
[19:15:35] cwd: so how would one CR these patches? maybe delete composer.lock and run update to see if I get the same result?
[19:16:19] AndyRussG: my main worry would be an incidental lib update busting something
[19:16:47] which is pretty much impossible to deduce
[19:17:05] tests passing is about as good a sign as anything
[19:17:47] i guess the alternative is continuing the tradition of hacking composer.lock instead of doing a proper update but i am loath to do so
[19:18:16] To know what to smoke test it might be important to see what composer.json changes were? so for https://gerrit.wikimedia.org/r/#/c/329498/ those are in a previous patch?
[19:18:44] cwd: by hacking composer.lock, u mean it was changed manually instead of by doing a composer update?
[19:18:50] Sounds like a lot of testing on production?
[19:18:52] yep exactly
[19:19:07] so that patch is just me running composer update against a divergent lock file
[19:19:41] And composer.json is at what it should be?
[19:19:59] I didn't understand still where/how that happened
[19:20:20] that's the $1M question
[19:20:34] and the problem with updating .lock instead of .json
[19:20:38] it's pandora's box
[19:21:19] Mmm now I'm even more lost as to what we're doing....
[19:21:23] ah notice that it updates phpmailer to the right version without the follow on patch
[19:21:30] sorry :(
[19:21:36] it's a rats nest
[19:22:14] Apologies for sticking my nose into stuff I don't have much familiarity with, don't mean to criticize
[19:22:16] Apologies for sticking my nose into stuff I don't have much familiarity with, don't mean to criticize
[19:22:31] I should look at previous patches from yesterday to figure out what went on?
[19:22:53] I meant, where I'm lost is not ur explanations, but the overall scenario
[19:22:54] (Abandoned) Cdentinger: Update phpmailer for CVE-2016-10045 and CVE-2016-10033 [extensions/DonationInterface] - https://gerrit.wikimedia.org/r/329499 (owner: Cdentinger)
[19:23:06] i.e., what does the composer.lock update have to do with getting payments up?
[19:23:17] yeah it's incredibly subtle
[19:23:35] basically we want to deploy phpmailer 5.2.21 everywhere
[19:23:51] sorry 4 my general lostness, not ur fault at all!
[19:24:37] imo composer.lock should not exist
[19:25:08] if you want to freeze your deps in time, use git
[19:25:10] imo
[19:32:27] hmm
[19:35:51] (PS2) Cdentinger: Update PHPMailer for CVE-2016-10045 and CVE-2016-10033 [extensions/DonationInterface] - https://gerrit.wikimedia.org/r/329498
[20:00:23] rrrg getting a bunch of vagrant errors and warnings after re-enabling fr role: https://tools.wmflabs.org/paste/view/621a9042
[20:00:46] Maybe I should just nuke the whole vagrant dir and start anew
[20:00:54] cwd: ^
[20:02:01] hope you have a lot of bandwidth :P
[20:07:52] heh yeah unlimited usage happily
[20:07:56] mostly works :)
[20:08:14] The wifi likes to disconnect randomly tho
[20:09:18] cwd: what do u think in view of Caitlin's e-mail?
[20:09:34] What would happen if we just turned it on?
[20:09:42] Or, alternately, reverted?
[20:10:47] I'm happy to +2 patches bureaucratically
[20:12:38] AndyRussG: yeah i'm gonna start deploying this stuff soon
[20:12:45] we have to revert several changes first
[20:13:30] (PS2) Cdentinger: Update phpmailer for CVE-2016-10045 and CVE-2016-10033 [wikimedia/fundraising/SmashPig] - https://gerrit.wikimedia.org/r/329502
[20:17:01] (PS3) Cdentinger: Update phpmailer for CVE-2016-10045 and CVE-2016-10033 [wikimedia/fundraising/SmashPig] - https://gerrit.wikimedia.org/r/329502
[20:17:17] (CR) jerkins-bot: [V: -1] Update phpmailer for CVE-2016-10045 and CVE-2016-10033 [wikimedia/fundraising/SmashPig] - https://gerrit.wikimedia.org/r/329502 (owner: Cdentinger)
[20:19:28] (PS4) Cdentinger: Update phpmailer for CVE-2016-10045 and CVE-2016-10033 [wikimedia/fundraising/SmashPig] - https://gerrit.wikimedia.org/r/329502
[20:33:38] (CR) Cdentinger: [C: 2] Update phpmailer for CVE-2016-10045 and CVE-2016-10033 [wikimedia/fundraising/SmashPig] - https://gerrit.wikimedia.org/r/329502 (owner: Cdentinger)
[20:35:02] (Merged) jenkins-bot: Update phpmailer for CVE-2016-10045 and CVE-2016-10033 [wikimedia/fundraising/SmashPig] - https://gerrit.wikimedia.org/r/329502 (owner: Cdentinger)
[20:37:03] (PS1) Cdentinger: update phpmailer for CVE-2016-10045 and CVE-2016-10033 [wikimedia/fundraising/SmashPig/vendor] - https://gerrit.wikimedia.org/r/329505
[20:39:11] cwd: ah K I see the smashpig one is thru... So the DI one no longer?
[20:39:26] AndyRussG: i don't think we need it, at least right now
[20:40:52] K
[21:01:58] (PS1) Cdentinger: update libs [wikimedia/fundraising/SmashPig/vendor] - https://gerrit.wikimedia.org/r/329507
[21:02:25] (Abandoned) Cdentinger: update phpmailer for CVE-2016-10045 and CVE-2016-10033 [wikimedia/fundraising/SmashPig/vendor] - https://gerrit.wikimedia.org/r/329505 (owner: Cdentinger)
[21:03:36] (PS2) Cdentinger: update libs [wikimedia/fundraising/SmashPig/vendor] - https://gerrit.wikimedia.org/r/329507
[21:05:22] i am getting this funny feeling that there's no CI on that repo
[21:06:30] (CR) Cdentinger: [V: 2 C: 2] "pretty sure there's no CI on this repo, but tests on parent should suffice" [wikimedia/fundraising/SmashPig/vendor] - https://gerrit.wikimedia.org/r/329507 (owner: Cdentinger)
[21:08:32] cwd: SmashPig is brought in as a CI dependency to other repos?
[21:09:08] AndyRussG: this is just the vendor submodule of smashpig
[21:09:17] which should get effectively tested with smashpig CI
[21:09:23] ...i think
[21:13:51] hi fr-tech, just getting up to speed on today's fun
[21:15:13] (PS1) Cdentinger: Update vendor submodule for CVE-2016-10045 and CVE-2016-10033 [wikimedia/fundraising/SmashPig] (deployment) - https://gerrit.wikimedia.org/r/329508
[21:15:53] ejegg: hi, just about to deploy all the things
[21:16:08] cool!
[21:16:14] lmk if I can help
[21:16:48] ejegg: this look sane to you? https://gerrit.wikimedia.org/r/#/c/329508/ -- there has been much cherry picking around undeployed code today
[21:17:53] passes tests, thinking i'll merge that, and update composer stuff in DI
[21:18:01] then deploy that and all the smashpigs
[21:18:07] cwd that's a whole lot of library updates!
[21:18:16] sure is
[21:18:31] all our composers are in various states of out-of-sync
[21:20:01] just looking at the vendor commit to get a feel for the changes
[21:20:58] cool, i rolled the composer and submodule updates into that one commit
[21:21:25] DI gets phpmailer but only as a requirement of smashpig so i don't think we have to change anything there
[21:21:41] it's already been updated under crm but not deployed yet
[21:21:51] cwd we don't want all the dev dependencies checked into the vendor submodule
[21:23:14] aah
[21:23:20] ok one sec
[21:23:58] (PS1) Ejegg: Revert on deployment: gitignore vendor submodule [wikimedia/fundraising/SmashPig] - https://gerrit.wikimedia.org/r/329509
[21:24:21] (PS2) Ejegg: Revert on deployment: gitignore vendor directory [wikimedia/fundraising/SmashPig] - https://gerrit.wikimedia.org/r/329509
[21:24:42] i think there is too much duplication of efforts between composer and a vendor submodule
[21:28:42] (Abandoned) Cdentinger: Update vendor submodule for CVE-2016-10045 and CVE-2016-10033 [wikimedia/fundraising/SmashPig] (deployment) - https://gerrit.wikimedia.org/r/329508 (owner: Cdentinger)
[21:35:26] Now that it's just a deploy branch thing, I guess there's no real reason to submodule it
[21:36:31] just put it in the main repo you mean?
[21:37:53] maybe... but for now let's keep it in the submod
[21:38:09] ejegg: there's also an undeployed commit on master for that vendor submodule
[21:38:24] and no deploy branch to cherry pick to
[21:38:46] k, so let's make the next commit on that submodule bring master to what it should be now
[21:39:16] and deploy the undeployed thing?
[21:39:42] oh look my 50th explosion of conflicts today
[21:40:02] oh, let me see what's undeployed
[21:40:12] ejegg: should i revert the one where i added the dev deps?
[21:40:18] sure
[21:40:20] or just ffwd
[21:41:06] revert for cleanliness
[21:47:17] (PS1) Cdentinger: Revert "update libs" [wikimedia/fundraising/SmashPig/vendor] - https://gerrit.wikimedia.org/r/329512
[21:50:08] ejegg: no CI on SP vendor right?
[21:50:17] ah, right
[21:50:57] (PS1) Cdentinger: update phpmailer for CVE [wikimedia/fundraising/SmashPig/vendor] - https://gerrit.wikimedia.org/r/329513
[21:51:11] ejegg: that one look right?
[21:53:15] cwd yep!
[21:53:20] (CR) Ejegg: [C: 2] update phpmailer for CVE [wikimedia/fundraising/SmashPig/vendor] - https://gerrit.wikimedia.org/r/329513 (owner: Cdentinger)
[21:53:41] ty
[21:53:44] (CR) Ejegg: [V: 2 C: 2] update phpmailer for CVE [wikimedia/fundraising/SmashPig/vendor] - https://gerrit.wikimedia.org/r/329513 (owner: Cdentinger)
[21:53:56] it's sitting on top of the revert also
[21:54:06] (CR) Ejegg: [V: 2 C: 2] Revert "update libs" [wikimedia/fundraising/SmashPig/vendor] - https://gerrit.wikimedia.org/r/329512 (owner: Cdentinger)
[21:54:11] thanks
[21:55:57] (PS1) Cdentinger: Update phpmailer for CVE-2016-10045 and CVE-2016-10033 [wikimedia/fundraising/SmashPig] (deployment) - https://gerrit.wikimedia.org/r/329514
[21:59:06] (CR) Ejegg: [C: 2] Update phpmailer for CVE-2016-10045 and CVE-2016-10033 [wikimedia/fundraising/SmashPig] (deployment) - https://gerrit.wikimedia.org/r/329514 (owner: Cdentinger)
[21:59:54] (Merged) jenkins-bot: Update phpmailer for CVE-2016-10045 and CVE-2016-10033 [wikimedia/fundraising/SmashPig] (deployment) - https://gerrit.wikimedia.org/r/329514 (owner: Cdentinger)
[22:00:00] ejegg: ty! i am now thinking we don't need to update anything in DI because it gets phpmailer as a requirement of smash-pig
[22:01:08] cwd yeah, no mail sent there
[22:02:05] i don't understand why it installs in DI vendor instead of just SP vendor
[22:02:10] especially not from user-controlled addresses
[22:02:28] cwd nested vendor dirs would be a headache of duplication
[22:02:31] ejegg: yeah, i don't think we send *any* mail like that :-\
[22:02:49] aren't there nested vendors anyway because of submodules?
[22:05:32] (PS1) Cdentinger: REVERT "DEPLOYMENT ONLY: Short-circuit everything to disable listeners, per T154209" [wikimedia/fundraising/SmashPig] (deployment) - https://gerrit.wikimedia.org/r/329515
[22:06:20] cwd nope, no nested vendors
[22:09:26] ah i get it, only a vendor when SP is standalone
[22:11:25] yep!
[22:18:24] (PS1) Cdentinger: update composer.lock [extensions/DonationInterface] - https://gerrit.wikimedia.org/r/329517
[22:20:19] wait does that mean we deploy SP/master when it is a composer dep, but deployment when standalone??
[22:22:59] * AndyRussG makes googley eyes at the computer screen
[22:23:39] wow yeah...that seems scary
[22:26:44] (Abandoned) Cdentinger: Update PHPMailer for CVE-2016-10045 and CVE-2016-10033 [extensions/DonationInterface] - https://gerrit.wikimedia.org/r/329498 (owner: Cdentinger)
[22:33:09] (CR) Cdentinger: [C: 2] REVERT "DEPLOYMENT ONLY: Short-circuit everything to disable listeners, per T154209" [wikimedia/fundraising/SmashPig] (deployment) - https://gerrit.wikimedia.org/r/329515 (owner: Cdentinger)
[22:33:48] (Merged) jenkins-bot: REVERT "DEPLOYMENT ONLY: Short-circuit everything to disable listeners, per T154209" [wikimedia/fundraising/SmashPig] (deployment) - https://gerrit.wikimedia.org/r/329515 (owner: Cdentinger)
[22:34:39] Re-vagrant is taking its time...
[22:35:52] (CR) Cdentinger: [C: 2] update composer.lock [extensions/DonationInterface] - https://gerrit.wikimedia.org/r/329517 (owner: Cdentinger)
[22:37:22] (Merged) jenkins-bot: update composer.lock [extensions/DonationInterface] - https://gerrit.wikimedia.org/r/329517 (owner: Cdentinger)
[22:56:34] cwd yep, as a composer dep we've been pointing to dev-master
[22:57:58] !log updated smashpig from c3eaadb737a02db27f3e97a8e60981c7182e877c to 8597bd45fae3710bcb7c9bd0c592641723e52511
[22:58:00] Logged the message at https://wikitech.wikimedia.org/wiki/Server_Admin_Log
[22:58:33] ejegg: no matter how many times i composer update/install in DI it will not pull the latest smash-pig
[22:59:11] cwd oh shoot, you need to update it on packagist
[22:59:18] sorry, let me make sure you're an owner
[22:59:27] i thought it just pulled from github
[22:59:39] well i don't think it actually matters cause we don't send mail from there anyway
[22:59:54] ah, we use packagist to decide when to update the dev-master pointer
[23:00:01] I'll update it now
[23:00:23] k, updated
[23:13:21] !log rolled back smashpig
[23:13:23] Logged the message at https://wikitech.wikimedia.org/wiki/Server_Admin_Log
[23:14:33] cwd: ejegg: vagrant payments wiki now all set up again, in case that could be useful for anything 8p
[23:14:44] (my local setup, I mean)
[23:15:18] cool, thanks for the offer
[23:24:50] (PS1) Cdentinger: Revert "update phpmailer for CVE" [wikimedia/fundraising/SmashPig/vendor] - https://gerrit.wikimedia.org/r/329519
[23:26:04] (PS1) Cdentinger: Revert "Update phpmailer for CVE-2016-10045 and CVE-2016-10033" [wikimedia/fundraising/SmashPig] - https://gerrit.wikimedia.org/r/329520
[23:34:18] (PS1) Cdentinger: Revert "Update phpmailer for CVE-2016-10045 and CVE-2016-10033" [wikimedia/fundraising/SmashPig] (deployment) - https://gerrit.wikimedia.org/r/329521
[23:36:22] (CR) Ejegg: "OK, let's keep driving this whole process from master" [wikimedia/fundraising/SmashPig] (deployment) - https://gerrit.wikimedia.org/r/329521 (owner: Cdentinger)
[23:37:42] (PS1) Ejegg: Revert "Update phpmailer for CVE-2016-10045 and CVE-2016-10033" [wikimedia/fundraising/SmashPig] - https://gerrit.wikimedia.org/r/329522
[23:39:07] (PS1) Ejegg: Update (only) PHPMailer [wikimedia/fundraising/SmashPig] - https://gerrit.wikimedia.org/r/329523
[23:42:17] (PS1) Ejegg: Revert "Update payments_initial when donation completes" [wikimedia/fundraising/SmashPig] - https://gerrit.wikimedia.org/r/329524
[23:44:11] (PS1) Ejegg: Merge branch 'master' into deployment [wikimedia/fundraising/SmashPig] (deployment) - https://gerrit.wikimedia.org/r/329525
[23:48:28] (PS2) Ejegg: Merge branch 'master' into deployment [wikimedia/fundraising/SmashPig] (deployment) - https://gerrit.wikimedia.org/r/329525
[23:50:53] (PS1) Ejegg: Revert "update phpmailer for CVE" [wikimedia/fundraising/SmashPig/vendor] - https://gerrit.wikimedia.org/r/329526
[23:52:48] (Abandoned) Cdentinger: Revert "update phpmailer for CVE" [wikimedia/fundraising/SmashPig/vendor] - https://gerrit.wikimedia.org/r/329519 (owner: Cdentinger)
[23:52:50] (Abandoned) Cdentinger: Revert "Update phpmailer for CVE-2016-10045 and CVE-2016-10033" [wikimedia/fundraising/SmashPig] - https://gerrit.wikimedia.org/r/329520 (owner: Cdentinger)
[23:52:56] (PS1) Ejegg: Update (only) phpmailer [wikimedia/fundraising/SmashPig/vendor] - https://gerrit.wikimedia.org/r/329527
[23:52:58] (Abandoned) Cdentinger: Revert "Update phpmailer for CVE-2016-10045 and CVE-2016-10033" [wikimedia/fundraising/SmashPig] (deployment) - https://gerrit.wikimedia.org/r/329521 (owner: Cdentinger)
[23:54:26] well, there's still a weird symfony version mismatch, but i'm not touching the deployed version right now
[23:54:42] anyway, cwd, I think the stuff I've got in review should put us in a good place
[23:54:54] gonna re-submit that payments_init one for later merge
[23:54:55] ok cool, thanks for cleaning up the mess
[23:55:00] no worries!
[23:55:47] (CR) Cdentinger: [C: 2] Revert "Update phpmailer for CVE-2016-10045 and CVE-2016-10033" [wikimedia/fundraising/SmashPig] - https://gerrit.wikimedia.org/r/329522 (owner: Ejegg)
[23:56:34] (CR) Cdentinger: [C: 2] Update (only) PHPMailer [wikimedia/fundraising/SmashPig] - https://gerrit.wikimedia.org/r/329523 (owner: Ejegg)
[23:56:58] (CR) Cdentinger: [C: 2] Revert "Update payments_initial when donation completes" [wikimedia/fundraising/SmashPig] - https://gerrit.wikimedia.org/r/329524 (owner: Ejegg)
[23:57:00] (Merged) jenkins-bot: Revert "Update phpmailer for CVE-2016-10045 and CVE-2016-10033" [wikimedia/fundraising/SmashPig] - https://gerrit.wikimedia.org/r/329522 (owner: Ejegg)
[23:57:20] (CR) Cdentinger: [C: 2] Merge branch 'master' into deployment [wikimedia/fundraising/SmashPig] (deployment) - https://gerrit.wikimedia.org/r/329525 (owner: Ejegg)
[23:57:41] (Merged) jenkins-bot: Update (only) PHPMailer [wikimedia/fundraising/SmashPig] - https://gerrit.wikimedia.org/r/329523 (owner: Ejegg)
[23:57:43] nice thing about deploys during winter break, zuul is fast
[23:58:30] (Merged) jenkins-bot: Revert "Update payments_initial when donation completes" [wikimedia/fundraising/SmashPig] - https://gerrit.wikimedia.org/r/329524 (owner: Ejegg)
[23:58:50] (Merged) jenkins-bot: Merge branch 'master' into deployment [wikimedia/fundraising/SmashPig] (deployment) - https://gerrit.wikimedia.org/r/329525 (owner: Ejegg)
[23:59:25] ejegg: want me to update vendor?