Hi, can you please setup…

Hi, can you please setup proxy access for @casiepa? As a polyglots mentor he’ll be helping out with managing rosetta sites and will need access to the global.WordPress.org network.

His public key is:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCvMct8ARk0CEftQLiMZETj2Ndsk6Ns7sFaq6iLGybf2hFXNRY9rHSeZIACzlBoFm7UwKp9FCBbYW/ead4xVV3XaX20UeF2JB5TtlJ7mdQK9Rdd0NQq60EL5pNmPHKbOf2gHuULovuU/CzzUw/MGUxk8HIpRa+x9WdXsDjmsMF7Y5x/a4w4nypvojKh1YTT7VfH8s9c7buy5S0G8VZr+e/wqPKwl5BoSTuxGPxk5vsFYzJ7gSVkUGNMU62h/MP6c5QeP4KqzdhdsVOe04HWGrC37IkFRblUnHieYWoK9EIKUCkQwqXMOOlrID0Ll8JcbuN0E3LsUGLjb8+5fhBXECshl7nIfhbSL+1zhrEoibDH1Nvcxe96Xaj4OqObh4AZIS4aQNumtMZV56D5bpFzs47QXa3dzml8Nv6eEChUcZMzm0duxV1wteNeteSTgNkrFRoaqBUsb/n35iwgQZ0l7ulzjB79ZCz1ufp9HUQn1F0JGDjasyPupJzBBurhROcb1PNc5+nBB1UGQsSdWkUSTavLpgyZBPN4O8s05FxOduYcBxcZrl78eQECHVDE3vHlOMxCZO26L8FsAfVRCopCEDAyHlnqSvtYbjmZvq7ynE9dy+ABfFYQxhp1zJMo8dXPEuzsckzaViTOyaTr13paWEP3QRJJPlpjL0emsB/oVZ0i4Q== pascal.casier@gmail.com



Hi, can you please setup…

Hi, can you please setup proxy access for @coachbirgit? As a polyglots mentor she’ll be helping out with managing rosetta sites and will need access to the global.WordPress.org network.

Her public key is:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDLEeqcc5blku3s2AS5hvwF7yYVb6pAzbpx3Dg8a2a3RbxNXIIb21099UB6vCwtFqu0en8cU3S944KsDJ69H39B3y11qndjKy2TnH+a8N7TgBfFBQ5yOClAAUHKg/PwIiZyF1AXpmUBHr9OSPHrSsSrOcpfxDnbR9bcxPambP2G8T1eLgxuL+EMwvHZyg1ELDbr8+Ns/OtaHdx1ps0gVT40F5FyeBZLxNtCGDqpTg+KP0feAgHLu2S/EL/tNhhXLqfIiF07WBc5QpqyVhovcuKH7D2IzPmNeyPoTisMIq27kRh2MRbhhm6UAqL89rws3HqpunEPayKXv8NtbzjBAQvyeSkiF7Lyxwhn2fhKn5LyEI7qsRjdfTGRQVayLklyyPYPDpt3ljdxjf/AqIRAZz8g+80ZDIWtrORCIU8VybzUNpL9jgq37xVTcKRQS3NtVskPJRQa83Pv0FyF+pVQIrsIfOWpWcUNqBtMoj3pBv0vtqGl/M8JTLBzBgK68/DDg3Igq1Zj9NCYRyrkkPTcluuWwkNfn1XPzOrI1N68upksbUkby1ivmd5L8XChWdyhM97GTejvJFCTvzHlMLGDFZ40XYPPdW2GjO5igWjRu+6hgNVVqtk8ZrvlRjxvYygULk7U7olwAwCFSE25OejojdSBaYdcIbkXpS17cj6mwXWZQw== coachbirgit@gmail.com



Update Apache on lists.wordpress.org

A report came in via HackerOne informing us that lists.wordpress.org is running a version of the Apache web server which contains several known vulnerabilities. It should be updated to the latest in either the 2.2.x or 2.4.x branch.


CAA for wordpress.org

A report came in via HackerOne recommending that Certificate Authority Authorization be implemented for wordpress.org (and other W domains).

CAA allows a domain owner to restrict which CAs are allowed to issue certificates for the domain. It’s been useless until quite recently: the CAB Forum recently voted to enforce CAA checks for all new certificates starting next month, so it’s definitely a useful measure to implement.

More info: https://scotthelme.co.uk/certificate-authority-authorization/


Could you please make a…

Could you please make a w.org sandbox for @sergeybiryukov? Here’s his public key:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDUu7co8f4xxOAtN4AASut9N64MhOIDuHGUzJMr29yTU4OY4SfLaAmnOYggUqBO9dWUNo6dtNcqqSdF8A4lpUdkk5JTkrXHsu1Ah+EjchdnOCffJYRBdHI+x6esL9gIS31VANkmoMMc+PVf5PP+E0rXSUoop2nwHR5RUKqSYafKXs5KRgU9l35Zwc48swPbq0X+swx19MMOtsdZzSKrcOdVJntn9z+WN2YyqobE3v15/uqaRzcTrcn6EPwVWsHY8xMfsIVFlHDMtnXSw25gSCcQWkGg0LAb//LNGY0bzDgBO9NW5+TYnKUTETES//S+haFNzy6kSULaH5KiXmOXlWWxWiDhXccNdKnCU4yuyYcZfMOUWZInDSlnwlYCDFpA71o6wfpLnO2w8NWUcpK7GLKX/qbOBox0pAsskxIRnEpxSUnd0J1eQrfAQzJuy5cgZrrGJlyVsFJWW18njYY0D6h4806JaHiX2wGSA6f7LfMEKA315B2OcFsfpDIwBXsfqYBgcB+DVrPU6qoSRz2T1+XBumZHIUVdrx5FqA8bWEvWt4IWJ4jp3KbRjqF33ug3u79GV3HG6t69Jv0NdfR8wi4JdLmtvYKQ0W7mEGhlRONKcMoRfP2aU74AHUJSJl6f7eOlOTF6hep6n0SzCXfYsneGqbzY84ElKfMt4267hR7FUQ== sergeybiryukov.ru@gmail.com


Update Trac to 1.0.16

There are a bunch of useful bits in more recent Trac 1.0 releases that we could use.

Also, the TracXMLRPC plugin had some compatibility issues with Trac 1.0, they were fixed in version 1.1.3, but there were also a handful of bug fixes in later versions, so upgrading that to 1.1.6 would be nice.


Symlink for new template file on meta.trac

[4621] adds a new template file for meta.trac.wordpress.org which, according to @nacin, needs to be symlinked.

Could someone do that please? Thanks!


Missing uploaded files for 2 sites

It appears all uploads for a pair of sites are missing from the filesystem.

This most prominently affects https://make.wordpress.org/training/. All links to uploaded images/files for the site are broken, evidenced on its front-end (namely its handbook, e.g. https://make.wordpress.org/training/handbook/user-lessons/content-editor-overview/), and via the admin media library.

Scanning /uploads (which is a mount to lan.db1.lax.wordpress.org:/home/uploads) from my sandbox confirms that /uploads/28/files/ is indeed empty.

The only other site this also appears to be the case for is https://br.wordpress.org/ (/uploads/62/files/).

Can these files be restored? Any idea what might have happened?


Theme previewer missing a theme.

web1 appears to be missing the “tempo” theme for the theme previewer. I tried the normal commands to get it to update as well as reapproving the theme manually, to no effect. Need somebody to take a look at it, see if something is wrong with that directory.

It’ll be in /extend/theme-preview/wp-content/themes/tempo. Should have version 0.0.33 in there like the other webs do.


Whitelisted WordCamp Production Data for Dev Environments

Right now WordCamp devs use a small subset of the production database that was manually created, because it wouldn’t be safe to keep copies of the production database in local environments.

That works good enough for most things, but we keep running into situations where reproducing bugs and testing fixes is much harder, and takes much longer, than it would if we had real-world data to work with.

So, I’d like to create a way to safely use a whitelisted copy of production data in local environments. Here’s how I envision it working:

  1. Create a script that runs on the production web server once a day
  2. It would create a copy of the primary database on the production database server
  3. Then run lots of SQL commands against that copy in order to redact anything that hasn’t been whitelisted
  4. Have another script in dev environments that uses sftp to download a copy of the whitelisted database once a day

The whitelist would contain a list of tables, columns, and keys that have been determined to not have any sensitive data. For example:

  • wp_users – The table itself would be whitelisted, but only the ID, user_login, user_nicename, user_registered, user_status, display_name, spam, and deleted fields would be whitelisted. Because user_pass, user_email, and user_activation_key would not be in the whitelist, the script would replace the contents of those columns with [redacted] (or in the case of user_email, redacted@example.org).
  • wp_usermeta – The table itself would be whitelisted, along with the umeta_id, user_id, meta_key, and meta_value columns, but only certain meta_key rows would be whitelisted. For instance, first_name, last_name, description, and wp_capabilities would be whitelisted, but session_tokens and wordcamp-qbo-oauth would not be.

Additionally, the script would have some logic to redact potentially sensitive values within whitelisted columns. For example, any e-mail addresses inside a meta_value value would be replaced with redacted@example.org.

What does Systems think about that? I’d do all the work to build the script, but I want to make sure you don’t have any security/privacy concerns.