Dion Hulse 12:57 am on March 28, 2023
Tags: , github, ,   

GitHub SSH host key update – SVN-Git sync

https://github.com/WordPress/wordpress-develop and the Security mirror aren’t being pushed when a SVN commit is made – this started happening when GitHub rotated it’s host key.

https://github.com/WordPress/wordpress-develop is still receiving commits, as GitHub is pulling them from git://develop.git.wordpress.org/ every 15-20 minutes, but we need to push them in order for GitHub actions to work.

https://github.com/WordPress/WordPress has also ceased syncing, and it appears not to be managed by Systems, and likely to be managed by @markjaquith who has the same GitHubGitHub GitHub is a website that offers online implementation of git repositories that can easily be shared, copied and modified by other developers. Public repositories are free to host, private repositories require a paid subscription. GitHub introduced the concept of the ‘pull request’ where code changes done in branches by contributors can be reviewed and discussed before being merged be the repository owner. https://github.com/ host key issue. We should migrate this from Mark account to something Systems managed. I’m not sure how best to do that however, as the GitGit Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency. Git is easy to learn and has a tiny footprint with lightning fast performance. Most modern plugin and theme development is being done with this version control system. https://git-scm.com/. commit hashes do not match git://core.git.wordpress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org//, it uses a different branch naming (master, and branch-X.Y)

cc @sergeybiryukov

#svn #git #github #prio1

Dion Hulse 5:31 am on March 9, 2023
Tags: auth, ,   

Upgrade TracWPCookies plugin

tl;dr: Please upgrade TracTrac Trac is the place where contributors create issues for bugs or feature requests much like GitHub.https://core.trac.wordpress.org/. to run: 0.2-transitional – Supports existing cookies, and future session cookies. diff .zip. A second request will be made to upgrade to 0.2.

Currently WordPress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/ doesn’t use WordPress Sessions, this was for two reasons: 1) bbPressbbPress Free, open source software built on top of WordPress for easily creating forums on sites. https://bbpress.org. 1.x, 2) Trac

We no longer have any bbPress 1.x installations present requiring authentication, leaving Trac as the only barrier to enabling the usage of it on WordPress.org infrastructure.
Current 2FA work will require sessions in order to keep track of the authentication type and time since last-2fa-challenge.

WordPress uses user_meta to store the Sessions by default, but that’s not ideal for our usage (primarily due to PHPPHP PHP (recursive acronym for PHP: Hypertext Preprocessor) is a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML. http://php.net/manual/en/intro-whatis.php. Serialized arrays needing decoding by trac python), so I’ve adopted the same table structure used on WordPress.comWordPress.com An online implementation of WordPress code that lets you immediately access a new WordPress environment to publish your content. WordPress.com is a private company owned by Automattic that hosts the largest multisite in the world. This is arguably the best place to start blogging if you have never touched WordPress before. https://wordpress.com/ for user sessions – wp_user_sessions

Here are two versions of the pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party, and a diff (GitHubGitHub GitHub is a website that offers online implementation of git repositories that can easily be shared, copied and modified by other developers. Public repositories are free to host, private repositories require a paid subscription. GitHub introduced the concept of the ‘pull request’ where code changes done in branches by contributors can be reviewed and discussed before being merged be the repository owner. https://github.com/ PRs) from present for code/security review if wanted.

  • 0.2 – Supports user cookies with session tokens only diff .zip
  • 0.2-transitional – Supports existing cookies, and future session cookies. diff .zip

Installation steps:

  • Define wp_user_sessions = wporg_user_sessions in the [wordpress] section of the existing Trac config.
  • Remove existing 0.1 version of the plugin.
  • Install 0.2-transitional, Existing cookies should continue to work.

At a future date when Session support has been enabled permanently on WordPress.org:

  • Remove 0.2-transitional and replace with 0.2
  • Existing cookies at that time should be all with Sessions, and so they’ll continue to work. Older session-less cookies will no longer pass auth.

Implementation notes:

  • The auth_salt and auth_key do not need to be updated during this process, as the tokenised cookies simply add an extra token value.
  • The cookie names will remain the same to avoid any other systems-related changes needing to be made.
  • The SQL introduces a join to an additional table for sessions, a const index is used.
  • The WordPress wp_user_session code is here: https://github.com/WordPress/wporg-mu-plugins/pull/345 (It’s WordPress 6.2+, Includes memcache, is based off the WordPress.com implementation)
  • I have tested this on my own Trac + WordPress install, using both wp_user_sessions and no-session cookies.

#auth, #prio1, #trac

Zack Krida 4:56 pm on February 14, 2023  

429s (rate limiting) from translate.wordpress.org export translation routes

At build time, Openverse downloads all of its translations by making a get request to each locale, for example:

https://translate.wordpress.org/projects/meta/openverse/en-gb/default/export-translations/?format=json

We’re encountering some 429 errors which prevent us from downloading all of our translations when we build the app. We are looking for advice on what the rate limits to these endpoints are so we can adjust our code.

We’re working on this in a PR here: https://github.com/WordPress/openverse-frontend/pull/2184

Thanks.

Dion Hulse 11:34 pm on February 13, 2023
Tags: ,   

Load-balancers on IP Abuse database

https://www.abuseipdb.com/check-block/198.143.164.0/24

As reported in https://wordpress.org/support/topic/api-wordpress-org-is-on-abuseip-db-blacklis/ it looks like some hosts have been confusing outgoing connections to api.wordpress.org as being incoming brute-force requests, and reporting it as such.

It appears that some hosts/networks may be using this as part of a network DROP rules causing WordPress sites being unable to connect to the APIAPI An API or Application Programming Interface is a software intermediary that allows programs to interact with each other and share data in limited, clearly defined ways.. I believe this might be the cause of some past issues where .251 was inaccessible but .252 was.

Can someone from systems request removal, specifically for https://www.abuseipdb.com/check/198.143.164.251

#prio2 #lb

Jonathan Desrosiers 2:20 pm on February 9, 2023
Tags:   

Upgrade NodeJS/npm on the Build Server

Can NodeJS 18.x be installed on the build server with the paired version of npm (currently 9.3.1)?

CoreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress. currently uses NodeJS 14.x, which will reach EOL on April 30, 2023. Work is underway for both Core and GutenbergGutenberg The Gutenberg project is the new Editor Interface for WordPress. The editor improves the process and experience of creating new content, making writing rich content much simpler. It uses ‘blocks’ to add richness rather than shortcodes, custom HTML etc. https://wordpress.org/gutenberg/ to support 18.x (see Core Trac-56658 and this Gutenberg PR/Issue list). The changes needed to support 18.x are being made now with the aim of changing the actual version used in both locations prior the EOL date in a few months.

There are currently no plans to update older branches receiving minor or security releases at this time, so 14.x will need to remain on the server for the time being.

CC: @gziolo who I’ve been coordinating with on the Gutenberg side of things.

#prio2
Dion Hulse 3:15 am on February 6, 2023
Tags: , ,   

Update plugins.trac templates

Can we please update the plugins.tracTrac Trac is the place where contributors create issues for bugs or feature requests much like GitHub.https://core.trac.wordpress.org/. metaMeta Meta is a term that refers to the inside workings of a group. For us, this is the team that works on internal WordPress sites like WordCamp Central and Make WordPress. checkouts?

On svn1.ord, various meta checkouts are updated via svnup-meta-checkouts.sh, but this doesn’t occur on svn2.ord, as a result, plugins.trac.wordpress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/ has the old WordPress.org headerHeader The header of your site is typically the first thing people will experience. The masthead or header art located across the top of your page is part of the look and feel of your website. It can influence a visitor’s opinion about your content and you/ your organization’s brand. It may also look different on different screen sizes. & Footer trac templates and now appears visually broken.

This should be as simple as running svnup-meta-checkouts.sh on svn2.. I don’t imagine it would cause any breakage, as the meta checkouts are in use on all other trac instances without issue.

Ref https://github.com/WordPress/wporg-mu-plugins/issues/326 and many others

#trac #svn #prio3

Dion Hulse 2:07 am on February 6, 2023
Tags: , ,   

Spam on mailing lists

Occasionally the WordPress tracTrac Trac is the place where contributors create issues for bugs or feature requests much like GitHub.https://core.trac.wordpress.org/. mailing lists (wp-metaMeta Meta is a term that refers to the inside workings of a group. For us, this is the team that works on internal WordPress sites like WordCamp Central and Make WordPress., wp-trac, wp-svn) get a spam email slip through.

This one came through yesterday:
https://lists.wordpress.org/pipermail/wp-meta/2023-February/052414.html
Screenshot 2023 02 06 at 12 04 40 pm

After the recent email changes, can the rules for the trac-related mailing lists be tightened to only accept definite WordPress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/ emails?

#email #trac #prio3

Dion Hulse 2:07 am on January 13, 2023
Tags: ,   

MC Access for Peter Wilson

Can we get @peterwilsoncc access to MC for WP + PHPPHP PHP (recursive acronym for PHP: Hypertext Preprocessor) is a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML. http://php.net/manual/en/intro-whatis.php. stats for his ongoing work with CoreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress. and the Security team? (username matches @mention)

Release + Proxy access not required at this time.

Thanks!

cc @azaozz

#mc #prio3

Dion Hulse 2:23 am on January 12, 2023
Tags: , photos,   

Enable HTTP redirect endpoint on pd.w.org

Per https://meta.trac.wordpress.org/ticket/6673

On the Openverse team we recently observed that the CDN domain used by the photo directory, pd.w.org, does not redirect non-httpsHTTPS HTTPS is an acronym for Hyper Text Transfer Protocol Secure. HTTPS is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The 'S' at the end of HTTPS stands for 'Secure'. It means all communications between your browser and the website are encrypted. This is especially helpful for protecting sensitive data like banking information. traffic to https. In fact, it doesn’t handle non-https traffic at all.
…
As a best practice, these requests should be handled and redirected to their secure counterparts.

$ curl -I http://pd.w.org/
curl: (52) Empty reply from server

cc @coffee2code @zackkrida

#cdn #photos #prio3

Dion Hulse 12:53 am on December 21, 2022
Tags: , , , showcase   

Remove/Increase showcase rate limits

The showcase currently has a rather low rate limit applied to it. Recently a new showcase design launched (Which included a rewrite of the backend), this should have brought with it a performance boost over the old areas of the showcase which caused performance issues.

The new showcase is reliant upon newer WordPress features, such as the Site Editor which is reliant upon the rest-api, currently these trigger 429 responses pretty quickly due to exceeding the rate limits.

Can we either significantly increase, or remove the rate limits on the showcase please? I would personally suggest removal of the rate limit unless the new design proves to cause issues as previously experienced.

#prio1 #nginx #ratelimit #showcase