Bugs, Repairs, and Internal Operational News
Two MediaWiki releases, but neither of them 1.17
On Tuesday (12 April), MediaWiki version 1.16.3 was officially released to external sites (Wikimedia Techblog). It included a group of three security fixes that had already gone live to Wikimedia sites, which are running a pre-release version of 1.17:
- A cross-site scripting (XSS) issue involving media uploads and affecting Internet Explorer version 6 and earlier (bug #28235, discovered by Masato Kinugawa).
- A CSS validation problem in the wikitext parser. This is a cross-site scripting (XSS) issue for all Internet Explorer clients, and a privacy loss issue for other clients (bug #28450, discovered by user Suffusion).
- A transwiki import problem with access control checks on form submission, which only affects wikis where this feature is enabled (bug #28449, discovered by MediaWiki developer Happy-Melon).
After the release, however, it soon became clear that the first of the three issues had not been entirely cleared up, prompting the second release of the week, MediaWiki 1.16.4, on Friday (15 April) (Wikimedia Techblog, wikitech-l mailing list). The updates also took advantage of recent localisation efforts in order to provide users with an interface translated into their own language.
In related news, no official date has yet been set for a release candidate of MediaWiki 1.17, the version WMF wikis are currently running. A beta version is expected "probably next week", however, according to developer Tim Starling, who is overseeing the release effort (also wikitech-l). The accompanying discussion also included calls to "branch" version 1.18 within the next fortnight. Branching would separate a snapshot of the software from the bleeding-edge development version of MediaWiki (also known as "trunk"), allowing the snapshot to be stabilised, tested and released in the next few months.
Not all fixes may have gone live to WMF sites at the time of writing; some may not be scheduled to go live for many weeks.
- A discussion on the foundation-l mailing list gave an insight into the processes for dealing with inappropriate uses of the Toolserver, a topic touched upon in last week's Technology Report.
- Developers can now get a copy of the live code via Git, even though the main repository is stored centrally in a competing format, Subversion (wikitech-l mailing list; see also Signpost coverage of recent discussions about whether MediaWiki should move to Git altogether).
- Brian Wolff's work in last year's Google Summer of Code programme on image metadata was merged into the main development version of MediaWiki (revision #86169, see also original Signpost coverage).
- Bugmeister Mark Hershberger blogged about how to get a bug report dealt with, which he argued consisted not of bumping the "Priority" field of older bugs, but of finding either a body of users to support your position, or a developer to write the code for you.
- Operations Engineer Ryan Lane gave a talk about the server architecture of Wikimedia projects (1h video, slides), explaining how the WMF manages to operate with far fewer servers and members of staff than other "top 5" websites. One of the subjects covered was community involvement in server operations (supporting the operations staff, currently six engineers), by giving volunteers the opportunity to help "without necessarily giving out root" access, and keeping operations as transparent as possible through the use of public IRC channels and wikis.