[10:29:43] <akosiaris>	 Amir1: hey. yeah I 'll try and go for ores/deploy. will get back to you as soon as it's ready
[13:25:12] <Amir1>	 awesome
[15:19:01] <halfak>	 o/
[15:19:03] <halfak>	 Hey folks. 
[15:19:14] <halfak>	 I'm a little late this morning.  I really needed to sleep in. 
[15:19:39] * halfak looks at Amir1's scap PR
[15:22:51] <Amir1>	 halfak: o/
[15:24:42] <Amir1>	 awesome
[15:24:53] <halfak>	 Amir1, just one note
[15:26:29] <Amir1>	 sure
[15:30:24] <halfak>	 I think I'm going to work on performance issues today. 
[15:30:33] <halfak>	 I want that profiling feature extractor. 
[15:30:44] <halfak>	 I might also look at the feature/dependency injection for ORES
[15:31:19] <halfak>	 ^ actually I think I should do that first. 
[15:32:48] <halfak>	 I've been waiting for arlolra to iterate on his work there.  Maybe he already did. 
[15:32:55] <halfak>	 https://github.com/wiki-ai/ores/pull/115
[15:33:18] <halfak>	 looks like a rebase is in order
[15:50:43] * halfak traces the life of caches through the feature extraction process
[16:11:32] <Amir1>	 halfak: hey, I'd an uninvited guest. Anyway: It's not possible to do that in prod since I don't have access yet but scap3 needs a user + ssh credentials of that user to connect to the target
[16:12:03] <Amir1>	 so at this shape, this config works 
[16:12:07] <Amir1>	 in beta
[16:12:12] <Amir1>	 but in deploy
[16:13:22] <halfak>	 OK.  Can merge for now.  Seems like we'll need to change this later. 
[16:15:50] <Amir1>	 halfak: is there any chance of having ssh credentials for "www-data" user?
[16:16:10] <Amir1>	 I don't know what that is but it was in our puppet settings
[16:16:33] <halfak>	 Amir1, that's the user who can do basically nothing but run the system
[16:16:41] <halfak>	 I don't think we'll want that user able to SSH around
[16:16:57] <halfak>	 We'll probably want a deployer user who "sudo -u www-data" 
[16:19:11] <Amir1>	 that part is being done via puppet
[16:21:05] <Amir1>	 but scap actually connects and runs the service using one user instead of two
[16:25:46] <Amir1>	 halfak: also, several days have passed and no one looked at our patches in mediawiki/core
[16:25:57] <Amir1>	 both o f them are ready to merge
[16:27:07] <Amir1>	 https://twitter.com/geraldmellor/status/712880710328139776
[16:27:08] <Amir1>	 :D
[16:29:54] <halfak>	 Amir1, I still haven't gotten a clear response about how we're supposed to work with MediaWiki core devs. 
[16:30:06] <halfak>	 I asked schana to flag that at SoS. 
[16:30:19] <Amir1>	 yeah, I saw that in SoS
[16:30:21] <halfak>	 Let's ask him about it next time he is online
[16:30:23] <halfak>	 Probably Monday
[16:30:27] <Amir1>	 *SoS notes
[16:31:42] <halfak>	 Yeah... I see nothing in his notes re. code review process. 
[17:15:49] <halfak>	 Amir1, let me know when you are ready to just merge for now
[17:16:07] <halfak>	 We can also hold off until everything good to go
[17:16:10] <Amir1>	 halfak: sure
[17:16:15] <halfak>	 Let me know what you'd prefer :) 
[17:22:20] <Amir1>	 sure halfak, right now I'm running some tests to be sure
[17:39:59] <halfak>	 Amir1, when you have a minute, check out https://github.com/wiki-ai/revscoring/pull/255
[17:40:13] <travis-ci>	 wiki-ai/revscoring#602 (fix_caches - 68cacaf : halfak): The build passed. https://travis-ci.org/wiki-ai/revscoring/builds/118703773
[17:41:00] <travis-ci>	 wiki-ai/revscoring#603 (fix_caches - c0ea9e6 : halfak): The build passed. https://travis-ci.org/wiki-ai/revscoring/builds/118703836
[17:41:33] <Amir1>	 halfak: I just about to ping you and say, I wait for travis to say it's happy 
[17:41:43] <halfak>	 Once this is merged, I'll merge arlolra's work. :) 
[17:41:57] <halfak>	 And then ores will be able to do feature injection via HTTP requests!
[17:42:17] <halfak>	 Next step is to make ORES produce structured data about features extracted. 
[17:45:09] <Amir1>	 have you done proper escaping to avoid XSS?
[17:45:26] <Amir1>	 I mean overall we should check that
[17:48:49] <halfak>	 xss?
[17:48:55] <halfak>	 How would xss happen
[17:48:57] <halfak>	 ?
[17:50:40] <Amir1>	 people put python code instead of revid or features and causing that python to run and do something we don't want
[17:50:52] <halfak>	 How would we end up running any python?
[17:51:06] <Amir1>	 like leaking private information (which I guess is not possible in our case)
[17:51:25] <halfak>	 We don't run any queries (no SQL injection) and we don'
[17:51:33] <halfak>	 t run any JS 
[17:51:38] <halfak>	 I suppose we do in the scorer
[17:51:40] <halfak>	 UI
[17:52:02] <halfak>	 XSS is JS-related.  You're imagining a code injection attack
[17:52:16] <Amir1>	 yeah
[17:52:17] <halfak>	 We don't parse input with exec() (is that even a function in python)?
[17:52:24] <Amir1>	 eval
[17:52:38] <halfak>	 We parse inputs with int(), str() and json.load()
[17:52:45] <Amir1>	 so we are good
[17:52:49] <halfak>	 You can't execute javascript in JSON
[17:52:52] <Amir1>	 :) I just wanted to make sure
[17:53:00] <halfak>	 Yeah, unless you're seeing something I didn't think of 
[17:53:08] <Amir1>	 about the UI, I should check that
[17:53:14] <halfak>	 But I don't think there is anything to escape
[17:53:27] <Amir1>	 but that calls our API (like an outside consumer) so nothing bad can happen
[17:54:10] <Amir1>	 you talked about injecting features so I thought we are running some codes
[18:00:57] <halfak>	 Gotcha.  It turns out that this is all basic data types.  We assume input is JSON.  
[18:02:00] <Amir1>	 great :)
[20:08:44] <halfak>	 Amir1, check this out: https://github.com/wiki-ai/ores/pull/135
[20:08:51] <halfak>	 Thoughts are welcome. 
[20:09:29] <halfak>	 Note how I am re-writing the underlying feature of the 'revid' model as 77.
[20:34:46] <halfak>	 OK.  Finished my testing.  
[20:34:52] <halfak>	 All seems to work out with celery nodes ;) 
[20:35:06] <halfak>	 Gonna go do other Saturday stuff.  Have a good one!
[20:35:07] <halfak>	 o/