- Blog: https://timotijhof.net
- Mastodon: @krinkle
(Photo by Niek Hidding.)
(Photo by Niek Hidding.)
@Esanders I vaguely recall a series of older DT tasks about the problems with DT using wgExtraSignatureNamespaces in this way to make a seemingly final decision that a page is a talk page when there are numerous indicators to the contrary, and/or requesting for ways to create a way to either opt-in or opt-out from that decision.
To RelEng: The way we usually structure these tasks is to link to the previous one for the same purpose (Fresh) and track "Create image" as the subtask.
Actually, it seems the above patch did not fix the issue.
We have also:
July 2023:rdbms: Introduce InsertQueryBuilder
https://gerrit.wikimedia.org/r/c/mediawiki/core/+/935747
FYI: Periodic updates about this topic appear to be posted to https://www.wikidata.org/wiki/Wikidata:SPARQL_query_service/WDQS_backend_update#Current_status, including several updates since the filing of this task, and the last one was a few days ago.
Nice to see that upstream now recommends the same! I've been supporting this for a while with similar changes and similar reasoning in these commits:
In T175146#9712693, @daniel wrote:Why do you think that endpoint should be removed first? I thin the order doesn't matter...
I'll take this one with Hannah to look at next week.
Maybe. You raised a good point, though, about avoiding reading from MultiWriteBag and ReplicatedBag by design does not (completely) avoid that. Maybe an optional "read" option in MultiWriteBag would be more useful to us.
Fandom hotpatch related to this:
https://github.com/Wikia/mediawiki/commit/026bf08a8f8d75a4051360833cbae75fedec7f45
As does ResourceLoader, for its resource bundles.
@daniel Is the REST API safe to remove from the EventBus extension? We may want to do that first.
Notes from meeting:
@daniel Are you thinking about IP subnets as protection mechanism because you prefer it, or because you think it's what we use today? Of the 5 job runners in the task description, number 4 used this mechanism. However that one (runJobs.php) has not been in use for several years. I've updated the task description to clarify this.
@valerio.bozzolan The SQL statements and comments appear in contradiction. For every comment that says "Skipped bug X - state was REOPENED" there is in fact a real update statement that does exactly what the comment says it doesn't. Is this intentional?
In T341319#9015034, @gerritbot wrote:Change 938220 had a related patch set uploaded (by TK-999; author: TK-999):
[mediawiki/core@master] PermissionManager: Avoid restrictions lookup for unsupported actions
One option would be to use ReplicatedBagOStuff combined with MultiWriteBagOStuff. Write to both. Read from one. This would, however, mean that, the resulting stack is four levels of bagostuffs, given that SessionBackend wraps it as well:
@Sophivorus I'm curious about what benefit you expect in this case. Can you describe (or e.g. draw on a devtools network screenshot) what activities you expect would move or shrink in the timeline?
@Urbanecm_WMF From the code documentation, I understand IConfigurationProvider to be the main entrypoint. However, I could not find an example of this in the extensions tests. Could you add a high-level integration test to demonstrate how it would be used? That would make it easier to check which parts will become used in the critical path, and which not.
I understand the redirect is limited to mediawiki.org, but by redirecting, the URL that ends up in circulation will become inevitably the destination, which then promotes the generic URL that can easily be mistaken for that on another wiki, or even be attempted as "correct" as users try to help themselves by using the "right" one (with questions about which one to use in a cross-wiki context).
@dancy Are you proposing a redirect in general, or only for appservers? (Is this easier than a rewrite?)
It appears to me that the immediate failure here is that the session directory at /var/lib/php/sessions is not writable (ie it doesn't exist and the "nobody" user in CI isn't allowed to create it).
I've tested this locally on codesearch8 by using iptables-save and iptables-restore and adding
Thank you @cmooney, that's amazing. That rule is very specific to just port 3002. That explains a few other things I was struggling with.
@cmooney suggested I run these commamds for some detail:
1 | root@codesearch8:~# iptables -L -v --line -n |
---|---|
2 | Chain INPUT (policy DROP 96 packets, 5200 bytes) |
3 | num pkts bytes target prot opt in out source destination |
4 | 1 3036K 4107M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED |
5 | 2 212K 13M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 |
6 | 3 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast |
7 | 4 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x17/0x02 |
8 | 5 2 168 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 |
9 | 6 15097 906K ACCEPT tcp -- * * 172.16.5.238 0.0.0.0/0 tcp dpt:3002 |
10 | 7 0 0 ACCEPT tcp -- * * 172.16.5.200 0.0.0.0/0 tcp dpt:3002 |
11 | 8 1 60 ACCEPT all -- * * 172.16.6.65 0.0.0.0/0 |
12 | 9 1 60 ACCEPT all -- * * 172.16.0.229 0.0.0.0/0 |
13 | 10 1 60 ACCEPT tcp -- * * 172.16.1.220 0.0.0.0/0 tcp dpt:22 |
14 | 11 8 472 ACCEPT tcp -- * * 172.16.3.145 0.0.0.0/0 tcp dpt:22 |
15 | 12 0 0 ACCEPT tcp -- * * 172.16.5.168 0.0.0.0/0 tcp dpt:22 |
16 | 13 0 0 ACCEPT tcp -- * * 172.16.4.160 0.0.0.0/0 tcp dpt:22 |
17 | 14 0 0 ACCEPT tcp -- * * 172.16.2.249 0.0.0.0/0 tcp dpt:22 |
18 | 15 0 0 ACCEPT tcp -- * * 172.16.1.220 0.0.0.0/0 tcp dpt:22 |
19 | 16 5164 1694K DROP udp -- * * 0.0.0.0/0 255.255.255.255 udp spt:67 dpt:68 |
20 | 17 91 5000 NFLOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 nflog-prefix "[fw-in-drop]" |
21 | |
22 | Chain FORWARD (policy DROP 0 packets, 0 bytes) |
23 | num pkts bytes target prot opt in out source destination |
24 | 1 15M 24G DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0 |
25 | 2 15M 24G DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0 |
26 | 3 7608K 23G ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED |
27 | 4 14998 900K DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0 |
28 | 5 6885K 1146M ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0 |
29 | 6 0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0 |
30 | |
31 | Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) |
32 | num pkts bytes target prot opt in out source destination |
33 | |
34 | Chain DOCKER-INGRESS (0 references) |
35 | num pkts bytes target prot opt in out source destination |
36 | |
37 | Chain DOCKER-USER (1 references) |
38 | num pkts bytes target prot opt in out source destination |
39 | 1 15M 24G RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 |
40 | |
41 | Chain DOCKER (1 references) |
42 | num pkts bytes target prot opt in out source destination |
43 | 1 0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.3 tcp dpt:6080 |
44 | 2 0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.5 tcp dpt:6080 |
45 | 3 0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.7 tcp dpt:6080 |
46 | 4 0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.8 tcp dpt:6080 |
47 | 5 0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.9 tcp dpt:6080 |
48 | 6 0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.10 tcp dpt:6080 |
49 | 7 0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.11 tcp dpt:6080 |
50 | 8 0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.13 tcp dpt:6080 |
51 | 9 0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.14 tcp dpt:6080 |
52 | 10 0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.15 tcp dpt:6080 |
53 | 11 0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.6 tcp dpt:6080 |
54 | 12 0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.16 tcp dpt:6080 |
55 | 13 0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.17 tcp dpt:6080 |
56 | 14 0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.18 tcp dpt:6080 |
57 | 15 0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.20 tcp dpt:6080 |
58 | 16 0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.19 tcp dpt:6080 |
59 | 17 0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.12 tcp dpt:6080 |
60 | 18 0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.21 tcp dpt:6080 |
61 | 19 0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.4 tcp dpt:6080 |
62 | 20 10295 618K ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:80 |
63 | |
64 | Chain DOCKER-ISOLATION-STAGE-1 (1 references) |
65 | num pkts bytes target prot opt in out source destination |
66 | 1 6885K 1146M DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0 |
67 | 2 15M 24G RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 |
68 | |
69 | Chain DOCKER-ISOLATION-STAGE-2 (1 references) |
70 | num pkts bytes target prot opt in out source destination |
71 | 1 0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0 |
72 | 2 6885K 1146M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 |
73 | |
74 | |
75 | root@codesearch8:~# iptables -L -v --line -n -t nat |
76 | Chain PREROUTING (policy ACCEPT 612K packets, 39M bytes) |
77 | num pkts bytes target prot opt in out source destination |
78 | 1 30163 1810K DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL |
79 | |
80 | Chain INPUT (policy ACCEPT 0 packets, 0 bytes) |
81 | num pkts bytes target prot opt in out source destination |
82 | |
83 | Chain POSTROUTING (policy ACCEPT 447K packets, 27M bytes) |
84 | num pkts bytes target prot opt in out source destination |
85 | 1 592K 37M MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0 |
86 | 2 0 0 MASQUERADE tcp -- * * 172.17.0.3 172.17.0.3 tcp dpt:6080 |
87 | 3 0 0 MASQUERADE tcp -- * * 172.17.0.5 172.17.0.5 tcp dpt:6080 |
88 | 4 0 0 MASQUERADE tcp -- * * 172.17.0.7 172.17.0.7 tcp dpt:6080 |
89 | 5 0 0 MASQUERADE tcp -- * * 172.17.0.8 172.17.0.8 tcp dpt:6080 |
90 | 6 0 0 MASQUERADE tcp -- * * 172.17.0.9 172.17.0.9 tcp dpt:6080 |
91 | 7 0 0 MASQUERADE tcp -- * * 172.17.0.10 172.17.0.10 tcp dpt:6080 |
92 | 8 0 0 MASQUERADE tcp -- * * 172.17.0.11 172.17.0.11 tcp dpt:6080 |
93 | 9 0 0 MASQUERADE tcp -- * * 172.17.0.13 172.17.0.13 tcp dpt:6080 |
94 | 10 0 0 MASQUERADE tcp -- * * 172.17.0.14 172.17.0.14 tcp dpt:6080 |
95 | 11 0 0 MASQUERADE tcp -- * * 172.17.0.15 172.17.0.15 tcp dpt:6080 |
96 | 12 0 0 MASQUERADE tcp -- * * 172.17.0.6 172.17.0.6 tcp dpt:6080 |
97 | 13 0 0 MASQUERADE tcp -- * * 172.17.0.16 172.17.0.16 tcp dpt:6080 |
98 | 14 0 0 MASQUERADE tcp -- * * 172.17.0.17 172.17.0.17 tcp dpt:6080 |
99 | 15 0 0 MASQUERADE tcp -- * * 172.17.0.18 172.17.0.18 tcp dpt:6080 |
100 | 16 0 0 MASQUERADE tcp -- * * 172.17.0.20 172.17.0.20 tcp dpt:6080 |
101 | 17 0 0 MASQUERADE tcp -- * * 172.17.0.19 172.17.0.19 tcp dpt:6080 |
102 | 18 0 0 MASQUERADE tcp -- * * 172.17.0.12 172.17.0.12 tcp dpt:6080 |
103 | 19 0 0 MASQUERADE tcp -- * * 172.17.0.21 172.17.0.21 tcp dpt:6080 |
104 | 20 0 0 MASQUERADE tcp -- * * 172.17.0.4 172.17.0.4 tcp dpt:6080 |
105 | 21 0 0 MASQUERADE tcp -- * * 172.17.0.2 172.17.0.2 tcp dpt:80 |
106 | |
107 | Chain OUTPUT (policy ACCEPT 432K packets, 27M bytes) |
108 | num pkts bytes target prot opt in out source destination |
109 | 1 15 972 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL |
110 | |
111 | Chain DOCKER-INGRESS (0 references) |
112 | num pkts bytes target prot opt in out source destination |
113 | |
114 | Chain DOCKER (2 references) |
115 | num pkts bytes target prot opt in out source destination |
116 | 1 57 3468 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0 |
117 | 2 0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6082 to:172.17.0.3:6080 |
118 | 3 0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6091 to:172.17.0.5:6080 |
119 | 4 0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6090 to:172.17.0.7:6080 |
120 | 5 0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6098 to:172.17.0.8:6080 |
121 | 6 0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6088 to:172.17.0.9:6080 |
122 | 7 0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6089 to:172.17.0.10:6080 |
123 | 8 0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6096 to:172.17.0.11:6080 |
124 | 9 0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6084 to:172.17.0.13:6080 |
125 | 10 0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6086 to:172.17.0.14:6080 |
126 | 11 0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6095 to:172.17.0.15:6080 |
127 | 12 0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6097 to:172.17.0.6:6080 |
128 | 13 0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6085 to:172.17.0.16:6080 |
129 | 14 0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6087 to:172.17.0.17:6080 |
130 | 15 0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6094 to:172.17.0.18:6080 |
131 | 16 0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6093 to:172.17.0.20:6080 |
132 | 17 0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6092 to:172.17.0.19:6080 |
133 | 18 0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6080 to:172.17.0.12:6080 |
134 | 19 0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6081 to:172.17.0.21:6080 |
135 | 20 0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6083 to:172.17.0.4:6080 |
136 | 21 10297 618K DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3003 to:172.17.0.2:80 |
137 | |
138 | |
139 | root@codesearch8:~# ip netns list |
140 | root@codesearch8:~# |
141 |
@lmata Code review for the main patch.
In T361577#9681166, @daniel wrote:In T361577#9680375, @ssastry wrote:Looks like new breakage from https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1012690 that exposed the unitialized field ... and seems like Ammarpad's fix should do it. Added @BPirkle and @daniel as reviewers.
Huh, I wonder why this issue didn't show up in CI.
@Tgr BagOStuff will indeed not throw an exception when writes fail, but it does support error detection and error handling. E.g. SqlBagOStuff->set() willl return false if the database write failed for any reason, including if it was read-only.
This is relevant to an issue we discussed at the offsite last month around offering teams the option to migrate legacy Node.js services to e.g. the new MediaWiki REST API (extension) and/or a standalone PHP service (if indeed it qualifies to be its own service, under latest SRE guideance at https://www.mediawiki.org/wiki/Wikimedia_services_policy and T239856).
Assigning to @Tgr per comment at https://gerrit.wikimedia.org/r/c/mediawiki/extensions/OAuth/+/910803.
Given that php-xdebug, by definition, cannot be used to debug this problem, time to sprint some print, wfBacktrace, and var_dump:
One feature I particularly like in PHPUnit 10, is the ability to pass multiple directories or files to phpunit. I've considered it a bug not to have this, in particular because the command is completely silent about the subsequent arguments, e.g. you can run phpunit tests/includes/ResourceLoader/* today and it would "succeed" with a bunch of meaningless dots, having actually only executed the first file that bash expanded the star to.
@Od1n Is there a functional problem here in terms of what a gadget is able to do or observe?
I applied these two mistakes locally in my MediaWiki checkout, to observe the behaviour as of today:
<pre> is indeed processed in wikitext similar to many Markdown implementations, with "nowiki"-like treatment applied.