Update Apache on lists.wordpress.org

A report came in via HackerOne informing us that lists.wordpress.org is running a version of the Apache web server which contains several known vulnerabilities. It should be updated to the latest in either the 2.2.x or 2.4.x branch.


CAA for wordpress.org

A report came in via HackerOne recommending that Certificate Authority Authorization be implemented for wordpress.org (and other W domains).

CAA allows a domain owner to restrict which CAs are allowed to issue certificates for the domain. It’s been useless until quite recently: the CAB Forum recently voted to enforce CAA checks for all new certificates starting next month, so it’s definitely a useful measure to implement.

More info: https://scotthelme.co.uk/certificate-authority-authorization/


Could you please make a…

Could you please make a w.org sandbox for @sergeybiryukov? Here’s his public key:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDUu7co8f4xxOAtN4AASut9N64MhOIDuHGUzJMr29yTU4OY4SfLaAmnOYggUqBO9dWUNo6dtNcqqSdF8A4lpUdkk5JTkrXHsu1Ah+EjchdnOCffJYRBdHI+x6esL9gIS31VANkmoMMc+PVf5PP+E0rXSUoop2nwHR5RUKqSYafKXs5KRgU9l35Zwc48swPbq0X+swx19MMOtsdZzSKrcOdVJntn9z+WN2YyqobE3v15/uqaRzcTrcn6EPwVWsHY8xMfsIVFlHDMtnXSw25gSCcQWkGg0LAb//LNGY0bzDgBO9NW5+TYnKUTETES//S+haFNzy6kSULaH5KiXmOXlWWxWiDhXccNdKnCU4yuyYcZfMOUWZInDSlnwlYCDFpA71o6wfpLnO2w8NWUcpK7GLKX/qbOBox0pAsskxIRnEpxSUnd0J1eQrfAQzJuy5cgZrrGJlyVsFJWW18njYY0D6h4806JaHiX2wGSA6f7LfMEKA315B2OcFsfpDIwBXsfqYBgcB+DVrPU6qoSRz2T1+XBumZHIUVdrx5FqA8bWEvWt4IWJ4jp3KbRjqF33ug3u79GV3HG6t69Jv0NdfR8wi4JdLmtvYKQ0W7mEGhlRONKcMoRfP2aU74AHUJSJl6f7eOlOTF6hep6n0SzCXfYsneGqbzY84ElKfMt4267hR7FUQ== sergeybiryukov.ru@gmail.com


Could you please make a…

Could you please make a w.org sandbox for @danielbachhuber? Here’s his public key:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDclohmuQz4fP5vdGvHQIZosAOy/CuQctD9GEGXsHVXFTN0ROpcQLRW8P789xtvDBX3u/SlxP1KpodkccY45PvcvKRzttH9lt9TcDjQd38pNYMRFeguU5k8tP54mUG4rkqoEo4KkH43qCr77qcSiLxcjpTSwsrRNhPlhEHRxy5a5qSnv0LzluDWS2gaacBskRArf0vGFyDPPSUSFgsDM9+FgYLHwI7/fSaHYuxvqpHYBz17m2h3Zi2hcc3IdVEFQi84mNIECs6k40+UihmKR43eCnOc9qkZOo0Rs5dbAi+g9v9e20ODHyfMIg4lvv0zwW//LpZvrv0m4ZCD/fgfhtS9 d@danielbachhuber.com


Update Trac to 1.0.16

There are a bunch of useful bits in more recent Trac 1.0 releases that we could use.

Also, the TracXMLRPC plugin had some compatibility issues with Trac 1.0, they were fixed in version 1.1.3, but there were also a handful of bug fixes in later versions, so upgrading that to 1.1.6 would be nice.


HSTS on wordpress.tv

Per a hackerone.com report, we need to get HSTS setup on wordpress.tv. The alternative being setting the secure only flag for the auth cookies.


Expired SSL certificate for jobs.wordpress.net

https://jobs.wordpress.net/ needs a new certificate.


Update Public Key for Paul Gibbs

Could someone please update the proxy key for @djpaul?

The public key is here:



Hi, is there a chance…

Hi, is there a chance that we can get more space on the sandbox at nbachiyski.dev.wordpress.org?

We use it to build the POT files for importing them to translate.w.org. Thanks!

#i18n #prio2

Automating ip2location updates

I’m working on automating updates for the ip2location database tables. Barry created the beginnings of a script in [dotorg13140], but it uses mysqlimport, which doesn’t appear to exist on our sandboxes.

Would it be possible to get mysql or mysqlimport installed, or is there another approach that Systems would prefer?

If it’s possible, I’d like to get the script done before WP 4.8 is released on the 8th, since the data in those tables is important for a new feature being launched.