@Jdlrobson-WMF - Yes, I think you should be good now with the above explanation. We can enable security access for your -WMF account now. Thanks.

In T380014#10336686, @mmartorana wrote:

@Jly - I added you to acl*security_secteam, acl*security and Trusted-Contributors

In T379526#10335469, @Novem_Linguae wrote:

I think the above diff I added is helpful and solves the main goal of this ticket: letting a developer know early on in the extension writing process that it is mandatory to partner with a WMF team to get an extension deployed to WMF production.

Are there any other actionables? Should the ticket be marked resolved?

In T379677#10332098, @matmarex wrote:

Resolved now, right? Or are you waiting for the MW release to close this?

These look fine. We could probably add a few more highly-used ones. Not sure about Cargo though, as that isn't run in Wikimedia production. I guess if we wanted to have one "mostly third party" extension, that could be a possible choice.

In T379005#10325848, @mmartorana wrote:

Hey @sbassett - let’s discuss further in the MR I’ll submit - it should make things clearer.

In T375989#10324766, @Niceguy169 wrote:

(Heh, I got logged out here, checkbox says "Keep me logged in (for up to 365 days)"... We can all see I was logged in more recently than THAT, my first login was creating this thread)

Hey @mmartorana - once https://gitlab.wikimedia.org/repos/security/universal-security-dashboard/-/merge_requests/5 is merged, all of the django app structure should be in place to begin working on usd_api/models.py, etc.

In T379800#10319460, @egardner wrote:

@sbassett is end of Q3 reasonable? Let me know and I'll try to help manage expectations in terms of potential usage.

@egardner - End of Q2 2024? - as in, by the end of December 2024? I don't believe there is any way we can accommodate that date.

Assuming this is likely stalled until we hire a new PM?

In T379677#10314397, @Tgr wrote:

T379677.patch1 KBDownload

A lot of power and flexibility is offered for user-developed tools via ext:Gadgets and toolforge/wmcs. In most cases, those environments should likely be preferred unless they are completely unacceptable for some reason (which would be a high bar IMO). The WMF does currently have an internal working group devoted to code ownership/maintenance (in the context of Wikimedia-deployed code) but it's a very difficult problem to address and solve. We want to enable volunteers as much as possible, but are also limited by how much security and legal risk is acceptable for the WMF to absorb, since they are the primary entity that must absorb said risks.

In T379005#10296661, @mmartorana wrote:

Regarding the classes, I think for now, since we're aiming for an MVP, we could add a Result class, a User class (to handle different roles), and a Configuration/Settings class to store various tool settings.

Yes, this should probably be fine. The default django admin/auth does support token-based auth for django rest framework, so that should be all we need for now.

In T355150#10304340, @Cparle wrote:

@sbassett is this scheduled for security review this quarter?

In T377763#10300397, @Mstyles wrote:

@sbassett is there anything else needed for this ticket? I want to close it

Personally, I'm not sure I see an enormous issue with sso.wikimedia.org. The other proposed options seem a bit too vague to me for what SUL3 is actually trying to accomplish.

In T364302#10290997, @Quiddity wrote:

@sbassett It was included in https://meta.wikimedia.org/wiki/Tech/News/2024/43 (or archived plaintext mailing list entry). :-)

@Quiddity @Johan - I've seen that this was not mentioned in the last couple of Tech News posts to wikitech-l. Is there a scheduled date when this notice might appear? Thanks.

In T377222#10279264, @Tgr wrote:

In T377222#10279189, @sbassett wrote:

It still has <strong> tags and is parsed due to the wikitext links. I guess one could argue that the <strong> tags are superfluous.

But it's parsed so it's safe HTML, not raw HTML.

In T377222#10278803, @Tgr wrote:

• stopforumspam-is-blocked (20bb7d1d - seems wrong? the message is not actually HTML)

In T369950#10278326, @CCiufo-WMF wrote:

Oh, just to clarify, we are still planning to deploy to test wiki before the review. We just won't deploy to any real wikis.

If it's just the analytics replicas that were (potentially) remaining, I'd classify those as low-risk.

In T375751#10271250, @kostajh wrote:

@sbassett can we make this task public? There is some discussion related to this task at https://en.wikipedia.org/wiki/Wikipedia:Village_pump_(technical)#Edit_filter_graph_links_broken.

It doesn't look like there are any immediate asks from the Security-Team for this? If there are, please let us know.

In T377912#10265232, @matmarex wrote:

This has been marked as a subtask of T375622 "Tracking bug for MediaWiki 1.39.11/1.41.5/1.42.4", but the bug does not affect any of those versions, just 1.43.

In T377912#10261934, @Tgr wrote:

So where do we need to backport before then? wmf/next?