GitHub SSH host key update – SVN-Git sync

https://github.com/WordPress/wordpress-develop and the Security mirror aren’t being pushed when an SVN commit is made – this started happening when GitHub rotated its host key.

https://github.com/WordPress/wordpress-develop is still receiving commits, as GitHub is pulling them from git://develop.git.wordpress.org/ every 15-20 minutes, but we need to push them in order for GitHub actions to work.

https://github.com/WordPress/WordPress has also ceased syncing, and it appears not to be managed by Systems, and likely to be managed by @markjaquith who has the same GitHub host key issue. We should migrate this from Mark’s account to something Systems managed. I’m not sure how best to do that however, as the Git commit hashes do not match git://core.git.wordpress.org/, it uses a different branch naming (master, and branch-X.Y)

cc @sergeybiryukov

#svn #git #github #prio1
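Before the push side of the SVN–Git sync is re-enabled, the pinned host key in the sync user’s known_hosts should be checked against GitHub’s published fingerprints rather than replaced with whatever ssh-keyscan returns. The following is an added example, not part of the post above or of any WordPress.org sync script. It computes fingerprints the way OpenSSH does (SHA-256 over the raw key blob, base64 without padding). The github.com ssh-ed25519 line is GitHub’s published host key and EXPECTED holds its published fingerprint; the stale ssh-rsa blob and the example.org line are constructed to show a mismatch and an unpinned host.

```python
"""Verify the GitHub host key pinned in a known_hosts file before a push job runs.

Added example, not part of the original post or any WordPress.org sync script.
"""
import base64
import hashlib

# GitHub's published ssh-ed25519 host key.
GITHUB_ED25519 = "AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl"

# Constructed: a syntactically valid ssh-rsa blob (type string, e=3, n=5) standing in
# for a key that the host no longer uses. Not a real key of any host.
STALE_RSA = base64.b64encode(
    b"\x00\x00\x00\x07ssh-rsa" + b"\x00\x00\x00\x01\x03" + b"\x00\x00\x00\x01\x05"
).decode()

# Constructed known_hosts content: a current entry, a stale entry, an unpinned host.
KNOWN_HOSTS = (
    f"github.com ssh-ed25519 {GITHUB_ED25519}\n"
    f"github.com ssh-rsa {STALE_RSA}\n"
    f"example.org ssh-ed25519 {GITHUB_ED25519}\n"
)

# Published fingerprints per host. Pin every algorithm you allow; after a rotation,
# replace the old fingerprint here rather than accepting whatever ssh-keyscan returns.
EXPECTED = {"github.com": {"SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU"}}


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def blob_key_type(key_b64: str) -> str:
    """Algorithm name embedded in the blob (its first length-prefixed string)."""
    blob = base64.b64decode(key_b64)
    n = int.from_bytes(blob[:4], "big")
    return blob[4:4 + n].decode()


def check_known_hosts(text: str, expected: dict) -> list:
    """Return (host, key_type, fingerprint, status) per entry.

    status: ok | MISMATCH (host pinned, key differs) | unpinned | hashed-host | malformed
    """
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):          # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:
            results.append((line, "?", "?", "malformed"))
            continue
        hosts, ktype, key_b64 = fields[:3]
        if hosts.startswith("|1|"):            # HashKnownHosts entry: name not recoverable here
            results.append((hosts, ktype, fingerprint(key_b64), "hashed-host"))
            continue
        host = hosts.split(",")[0]
        try:
            fp = fingerprint(key_b64)
            declared_ok = blob_key_type(key_b64) == ktype
        except Exception:
            results.append((host, ktype, "?", "malformed"))
            continue
        if not declared_ok:
            status = "malformed"
        elif host not in expected:
            status = "unpinned"
        elif fp in expected[host]:
            status = "ok"
        else:
            status = "MISMATCH"
        results.append((host, ktype, fp, status))
    return results


def safe_to_push(text: str, host: str, expected: dict) -> bool:
    """True only if at least one entry for `host` exists and every one of them matches."""
    rows = [r for r in check_known_hosts(text, expected) if r[0] == host]
    return bool(rows) and all(r[3] == "ok" for r in rows)


if __name__ == "__main__":
    for row in check_known_hosts(KNOWN_HOSTS, EXPECTED):
        print("%-12s %-12s %-50s %s" % row)
    print("push allowed:", safe_to_push(KNOWN_HOSTS, "github.com", EXPECTED))
```

A stale entry for the same host is reported as MISMATCH rather than silently ignored, which is the condition that makes ssh refuse the push; the fix is to delete that line and add the entry whose fingerprint matches the published one, not to turn off StrictHostKeyChecking.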

Upgrade TracWPCookies plugin

tl;dr: Please upgrade Trac to run: 0.2-transitional – Supports existing cookies, and future session cookies. (diff, .zip). A second request will be made to upgrade to 0.2.

Currently WordPress.org doesn’t use WordPress Sessions; this was for two reasons: 1) bbPress 1.x, 2) Trac

We no longer have any bbPress 1.x installations present requiring authentication, leaving Trac as the only barrier to enabling the usage of it on WordPress.org infrastructure.
Current 2FA work will require sessions in order to keep track of the authentication type and time since last-2fa-challenge.

WordPress uses user_meta to store the Sessions by default, but that’s not ideal for our usage (primarily due to PHP serialized arrays needing decoding by Trac Python), so I’ve adopted the same table structure used on WordPress.com for user sessions – wp_user_sessions

Here are two versions of the plugin, and a diff (GitHub PRs) from present for code/security review if wanted.

  • 0.2 – Supports user cookies with session tokens only (diff, .zip)
  • 0.2-transitional – Supports existing cookies, and future session cookies. (diff, .zip)

Installation steps:

  • Define wp_user_sessions = wporg_user_sessions in the [wordpress] section of the existing Trac config.
  • Remove existing 0.1 version of the plugin.
  • Install 0.2-transitional; existing cookies should continue to work.

At a future date when Session support has been enabled permanently on WordPress.org:

  • Remove 0.2-transitional and replace with 0.2
  • Existing cookies at that time should be all with Sessions, and so they’ll continue to work. Older session-less cookies will no longer pass auth.

Implementation notes:

  • The auth_salt and auth_key do not need to be updated during this process, as the tokenised cookies simply add an extra token value.
  • The cookie names will remain the same to avoid any other systems-related changes needing to be made.
  • The SQL introduces a join to an additional table for sessions, a const index is used.
  • The WordPress wp_user_session code is here: https://github.com/WordPress/wporg-mu-plugins/pull/345 (It’s WordPress 6.2+, Includes memcache, is based off the WordPress.com implementation)
  • I have tested this on my own Trac + WordPress install, using both wp_user_sessions and no-session cookies.

#auth, #prio1, #trac
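The transitional/strict split above, and the note that AUTH_KEY/AUTH_SALT need not change, can be seen in the cookie arithmetic itself. The following is an added example, not the TracWPCookies plugin and not wporg code. The cookie construction follows WordPress core’s wp_generate_auth_cookie(): the HMAC key is wp_hash() (HMAC-MD5 keyed with AUTH_KEY . AUTH_SALT) over login|pass_frag|expiration and, in the tokenised form, the token; the cookie HMAC is HMAC-SHA256 over login|expiration and, again, the token. Because the token is only extra input to the same keyed functions, the salts are untouched. Assumptions for illustration: the 3-field session-less cookie format, the in-memory dict standing in for the wporg_user_sessions table (storing sha256(token) as core’s WP_Session_Tokens does), the user record and the key values.

```python
"""Validate WordPress-style auth cookies with and without a session token.

Added example; not the TracWPCookies plugin's code and not wporg code.
"""
import hashlib
import hmac
import secrets
from typing import Optional

AUTH_KEY = "constructed-auth-key"      # stands in for wp-config AUTH_KEY
AUTH_SALT = "constructed-auth-salt"    # stands in for wp-config AUTH_SALT

# Constructed user table. The pass fragment used in the key is user_pass[8:12], as in core.
USERS = {"alice": {"id": 1, "user_pass": "$P$BxxxxFRAGyyyyyyyyyyyyyyyyyyyyyyyyy"}}

# Constructed stand-in for the wporg_user_sessions table: {user_id: {sha256(token): expiration}}
SESSIONS: dict = {}


def wp_hash(data: str) -> str:
    """Core's wp_hash($data, 'auth'): HMAC-MD5 keyed with AUTH_KEY . AUTH_SALT."""
    return hmac.new((AUTH_KEY + AUTH_SALT).encode(), data.encode(), "md5").hexdigest()


def _signature(login: str, pass_frag: str, expiration: int, token: Optional[str]) -> str:
    """Cookie HMAC. A session-less cookie is simply the same scheme without the token field."""
    extra = [] if token is None else [token]
    key = wp_hash("|".join([login, pass_frag, str(expiration)] + extra))
    data = "|".join([login, str(expiration)] + extra)
    return hmac.new(key.encode(), data.encode(), "sha256").hexdigest()


def hash_token(token: str) -> str:
    """Only the hash of the token is stored server-side (WP_Session_Tokens::hash_token)."""
    return hashlib.sha256(token.encode()).hexdigest()


def create_session(user_id: int, expiration: int) -> str:
    token = secrets.token_hex(22)      # random token; core uses wp_generate_password(43)
    SESSIONS.setdefault(user_id, {})[hash_token(token)] = expiration
    return token


def revoke_session(user_id: int, token: str) -> None:
    SESSIONS.get(user_id, {}).pop(hash_token(token), None)


def generate_cookie(login: str, expiration: int, token: Optional[str] = None) -> str:
    pass_frag = USERS[login]["user_pass"][8:12]
    sig = _signature(login, pass_frag, expiration, token)
    return "|".join([login, str(expiration)] + ([] if token is None else [token]) + [sig])


def validate_cookie(cookie: str, mode: str, now: int) -> Optional[dict]:
    """mode='transitional' accepts both forms; mode='strict' needs a token with a live session."""
    fields = cookie.split("|")
    if len(fields) == 3:
        login, exp_s, sig = fields
        token = None
    elif len(fields) == 4:
        login, exp_s, token, sig = fields
    else:
        return None
    if not exp_s.isdigit() or int(exp_s) < now:      # expired cookies never reach the HMAC check
        return None
    user = USERS.get(login)
    if user is None:
        return None
    expected = _signature(login, user["user_pass"][8:12], int(exp_s), token)
    if not hmac.compare_digest(expected, sig):        # constant-time compare, as hash_equals()
        return None
    if token is None:
        return {"login": login, "session": False} if mode == "transitional" else None
    stored = SESSIONS.get(user["id"], {}).get(hash_token(token))
    if stored is None or stored < now:                # revoked or expired server-side
        return None
    return {"login": login, "session": True}
```

The strict mode is what 0.2 enforces: a cookie that verifies cryptographically but carries no token, or a token whose session row has been deleted (logout elsewhere, password change), is rejected even though its HMAC is valid.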

Remove/Increase showcase rate limits

The showcase currently has a rather low rate limit applied to it. Recently a new showcase design launched (which included a rewrite of the backend); this should have brought with it a performance boost over the old areas of the showcase which caused performance issues.

The new showcase is reliant upon newer WordPress features, such as the Site Editor, which is reliant upon the REST API; currently these trigger 429 responses pretty quickly due to exceeding the rate limits.

Can we either significantly increase, or remove the rate limits on the showcase please? I would personally suggest removal of the rate limit unless the new design proves to cause issues as previously experienced.

#prio1 #nginx #ratelimit #showcase

Create wp20.wordpress.net

Please create a new site similar to WP15.

It needs to be done this week so it can be used for the SOTW

#prio1

Add proxy for samsuresh and unintended8

Sam and Juan are new Super Deputies on wordcamp.org, can you please add them to the proxy?

@samsuresh’s key is:

ssh-rsa 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 sams@MacBook-Pro.local

@unintended8’s key is:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqymAuM1vkZHq6JxXFOWDhQdTBYdBd67bIaNoq/XA5Z juan@ciudadanob.com

#prio1 #proxy #ssh

SSL cert expired for plugins-svn.bbpress.org

The SSL cert being served up for https://plugins-svn.bbpress.org/ has expired; it looks like it’s using an old copy of the *.bbpress.org cert that was updated in r14643 for webs, but there’s a duplicate copy for svns (see r11954 & r11955).

#prio1 #ssl

Remove user agent blocking for Firefox/100 & Chrome/100.0

Currently there are some User-agent based anti-spam blocks (primarily on Trac I think) that are blocking requests from Firefox version 100. I can’t see anything blocking Chrome 100, but that will also need to be checked at the same time.

% curl -Is https://core.trac.wordpress.org/ --user-agent 'Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0' | grep ^HTTP
HTTP/2 403

I assume we have something looking for Firefox/1 as a UA block for ancient versions of Firefox.

Originally reported by @mte90 – https://wordpress.slack.com/archives/C0C89GD35/p1635254249000700

#prio1
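The symptom reported above is the classic failure of a substring rule once version numbers grow a digit: a pattern written for Firefox 1.x also matches 10.x, 19.x and 100.x. The following is an added example, not the actual rule on the Trac front end (which is not on the page); LEGACY_RULE is an assumption that reproduces the reported 403 for Firefox/100.0, and the two replacements show a bounded regex and a numeric comparison. The user-agent strings and the version thresholds are constructed for illustration.

```python
"""Substring UA rule versus version-aware replacements.

Added example; the real Trac rule is not on the page, LEGACY_RULE merely reproduces
the reported symptom, and all UAs/thresholds here are constructed.
"""
import re
from typing import Optional

UAS = {
    "firefox_100": "Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0",
    "firefox_19":  "Mozilla/5.0 (X11; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0",
    "firefox_1":   "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1) Gecko/20061010 Firefox/1.5.0.7",
    "chrome_100":  "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
                   "Chrome/100.0.4896.60 Safari/537.36",
    "chrome_9":    "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.13 (KHTML, like Gecko) "
                   "Chrome/9.0.597.107 Safari/534.13",
}

# Assumed legacy rule: unanchored, so "Firefox/1" also hits 10.x, 19.x, 100.x ...
LEGACY_RULE = re.compile(r"Firefox/1")

# Replacement 1: still a regex, but the major version is bounded by the dot that follows it.
# Catches 1.x to 9.x only and is awkward to extend, which is why the numeric form below is better.
BOUNDED_RULE = re.compile(r"(?:Firefox|Chrome)/[1-9]\.")

# Replacement 2: parse the major version and compare numerically. Thresholds are assumptions.
MIN_MAJOR = {"Firefox": 10, "Chrome": 10}
VERSION_RE = re.compile(r"\b(Firefox|Chrome)/(\d+)(?=[.\s]|$)")


def major_version(ua: str, browser: str) -> Optional[int]:
    """Major version the UA claims for `browser`, or None if that token is absent."""
    for name, major in VERSION_RE.findall(ua):
        if name == browser:
            return int(major)
    return None


def blocked_legacy(ua: str) -> bool:
    return bool(LEGACY_RULE.search(ua))


def blocked_bounded(ua: str) -> bool:
    return bool(BOUNDED_RULE.search(ua))


def blocked_numeric(ua: str) -> bool:
    """Block only when a recognised browser reports a major version below its threshold."""
    for browser, minimum in MIN_MAJOR.items():
        major = major_version(ua, browser)
        if major is not None and major < minimum:
            return True
    return False


if __name__ == "__main__":
    for name, ua in UAS.items():
        print(f"{name:12} legacy={blocked_legacy(ua)!s:5} bounded={blocked_bounded(ua)!s:5} "
              f"numeric={blocked_numeric(ua)}")
```

The same check is worth running against Chrome/100 as the post suggests, since a rule written as Chrome/1 would fail the same way; the numeric form makes the intended cut-off explicit instead of encoding it in a regex that silently changes meaning as versions grow.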

Google Search Console domain access + Postmaster tools

A few of us have access to Google Webmaster/Search tools for https://wordpress.org/ and https://wordpress.org/, but we do not have access for the entire wordpress.org domain which would grant us access to https?://*.wordpress.org/ (ie. what we have + subdomains).

Additionally, The marketing team would like access to Postmaster tools for the email deliverability data, which also requires domain verification.

I can see that there are two existing Google domain authorisations (dig +short TXT wordpress.org), but I’ve been unable to locate whose Google accounts have access to those when asking around.

Can I please have access granted to the domain-level Search Tools / Postmaster tools so that I can provide access to those who need it?

In the event that systems do not have domain-level access, here are some instructions to get it:
1. Grant my a8c account verification access and I’ll deal with giving access to those who need it; add wordpress.org TXT google-site-verification=RLa_vaBBembqlBHv2iGePxw7Cw2nQhbYjKLX7HWpSks (I’ll add the systems a8c account for future uses. If option 2 is taken, I’ll remove this auth attempt from my account)
or
2. Visit Postmaster tools, Add a domain, get the TXT record and add it. Grant my a8c Google account, plus that of @eidolonnight, access to Postmaster + Search Console (Full access please). Verifying the domain for Postmaster tools will also grant Search Console verification.

#prio1 #email #google

Theme Directory changes

The WordPress.org theme directory will now be accepting direct SVN access for theme updates. This means there are two changes we need made on the systems side.

Everything else will remain the same for now; we’ll continue to accept ZIP uploads and apply the same theme checks on import. Initial theme submissions will continue to be ZIP-upload only; only updates will be available through SVN.

Dynamic SVN Auth file

The SVN auth file will need updating, similar to plugins:

  • Create a copy of update-wp-plugin-auth.sh & setup the cron task for it.
  • SVN Auth file is available at https://wordpress.org/themes/wp-json/themes/v1/svn-auth
  • Use Authorization: BEARER $THEME_SVN_AUTH_BEARER_TOKEN as defined in secrets.php

The file is currently minimal and only outputting a few lines, but will be ~25k lines when it’s opened to theme authors.
This can be tested by editing wp-content/plugins/theme-directory/rest-api/class-internal.php to either bypass auth temporarily or to output all authorship rules.

pre-commit ruleset for SVN commits

In order to prevent having to rebuild a bunch of things that are reliant upon themes.svn, we’d like to add some pre-commit rules to force commits to be in a specified format, rather than mostly free-form as plugins.svn is.

Rules:

  • Are always in a /Theme-Slug/1.2.3/ folder
  • Is a newer version than currently live
  • Does not alter existing versions (treat them as tags)
  • The /1.2.3/ folder matches the style.css Version:1.2.3 header value

I’ve put together some rules that work in my testing, but I’m unsure if there’s a different way you’d like to implement it. These were tested against my own SVN server mimicking svn.wordpress.org configuration.

#prio1, #svn, #themes
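For the "Dynamic SVN Auth file" cron task above, the part that deserves care is what happens when the endpoint returns something other than an authz file (an HTML error page, a truncated body, or the near-empty file the post mentions while the endpoint is still minimal): installing that as-is would lock every committer out or, worse, install garbage as the access policy. The following is an added example, not the update-wp-plugin-auth.sh script the post refers to. The endpoint URL and the Authorization: BEARER header form come from the post; the authz path, reading the token from an environment variable rather than secrets.php, the sanity thresholds and the sample authz text are assumptions.

```python
"""Refresh a Subversion authz file from the themes REST endpoint and install it atomically.

Added example, not the update-wp-plugin-auth.sh script the post mentions.
"""
import os
import re
import tempfile
import urllib.request
from typing import Callable, Optional

AUTH_URL = "https://wordpress.org/themes/wp-json/themes/v1/svn-auth"   # from the post
AUTHZ_PATH = "/srv/svn/themes/conf/authz"                                # assumed
MAX_SHRINK = 0.5   # refuse an update that drops more than half the lines (assumed threshold)
DEMO_PATH = os.path.join(tempfile.gettempdir(), "themes-authz-example")  # for the demo run

SECTION_RE = re.compile(r"^\[[^\]]+\]$")
RULE_RE = re.compile(r"^[^=\s]+\s*=\s*[^=]*$")   # "user = rw", "@group = r", "* ="

# Constructed sample of what the endpoint is expected to return.
SAMPLE_AUTHZ = """[groups]
theme-example = alice,bob

[/]
* = r

[/example-theme]
@theme-example = rw
"""


def fetch_authz(token: str, url: str = AUTH_URL,
                opener: Callable = urllib.request.urlopen) -> str:
    """GET the authz text with the bearer token in a header (never in the query string)."""
    req = urllib.request.Request(url, headers={"Authorization": f"BEARER {token}",
                                               "Accept": "text/plain"})
    with opener(req, timeout=30) as resp:
        if resp.status != 200:
            raise RuntimeError(f"svn-auth endpoint returned {resp.status}")
        return resp.read().decode("utf-8")


def validate_authz(text: str, previous: Optional[str]) -> list:
    """Return a list of problems; empty means the file is safe to install."""
    problems = []
    body = [l.rstrip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    if not body or not SECTION_RE.match(body[0]):
        problems.append("does not start with an authz section")
    for n, line in enumerate(body, 1):
        if not (SECTION_RE.match(line) or RULE_RE.match(line)):
            problems.append(f"line {n} is neither a section nor a rule: {line[:60]!r}")
    if previous is not None:
        old = len([l for l in previous.splitlines() if l.strip()])
        if old and len(body) < old * (1 - MAX_SHRINK):
            problems.append(f"shrank from {old} to {len(body)} lines; refusing")
    return problems


def install_atomically(text: str, path: str, mode: int = 0o640) -> None:
    """Write a temp file beside the target, fsync, then rename over it, so svnserve or
    mod_authz_svn never read a half-written policy."""
    fd, tmp = tempfile.mkstemp(prefix=".authz.", dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text if text.endswith("\n") else text + "\n")
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def remove_if_present(path: str) -> None:
    if os.path.exists(path):
        os.unlink(path)


def update(path: str = AUTHZ_PATH, token: Optional[str] = None, fetch=fetch_authz) -> bool:
    """Fetch, validate against the currently installed file, install. True if the file changed."""
    token = token or os.environ["THEME_SVN_AUTH_BEARER_TOKEN"]
    previous = open(path).read() if os.path.exists(path) else None
    new = fetch(token)
    problems = validate_authz(new, previous)
    if problems:
        raise SystemExit("not installing authz: " + "; ".join(problems))
    if new == previous:
        return False
    install_atomically(new, path)
    return True


if __name__ == "__main__":
    remove_if_present(DEMO_PATH)
    print("installed:", update(DEMO_PATH, token="demo", fetch=lambda t: SAMPLE_AUTHZ))
    print("installed again:", update(DEMO_PATH, token="demo", fetch=lambda t: SAMPLE_AUTHZ))
```

Running the hook with a shrink guard means the first real rollout (when the file grows from a few lines to ~25k) passes, while a later outage that returns an empty or error body leaves the previous policy in place and makes the cron job fail loudly.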
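The four rules listed under "pre-commit ruleset for SVN commits" can be expressed as one hook that runs against the transaction rather than the working copy. The following is an added example; it is not the ruleset the post’s author tested on their own server. The svnlook calls in main() (changed, tree, cat with -t for the transaction) are the standard pre-commit interface; the slug and version syntax, the decision to treat the highest existing version as "live", and the constructed sample transactions are assumptions.

```python
"""Pre-commit checks for themes.svn: paths live in /Theme-Slug/1.2.3/, the version is newer
than any existing one, existing versions are never modified, and style.css's Version header
equals the folder name.

Added example; not the rules the post's author tested.
"""
import re
import subprocess
import sys
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

PATH_RE = re.compile(r"^([a-z0-9-]+)/(\d+(?:\.\d+)*)/")                 # assumed slug/version syntax
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:(.*)$", re.MULTILINE | re.IGNORECASE)  # core-style header parse

# Constructed sample data: what HEAD contains, what the transaction adds, and file contents.
SAMPLE_EXISTING = {"example-theme": {"1.0", "1.1"}}
SAMPLE_FILES = {
    "example-theme/1.2/style.css": "/*\nTheme Name: Example Theme\nVersion: 1.2\n*/\n",
    "example-theme/1.3/style.css": "/*\nTheme Name: Example Theme\nVersion: 1.2.9\n*/\n",
}
SAMPLE_OK = [("A", "example-theme/1.2/"), ("A", "example-theme/1.2/style.css")]
SAMPLE_BAD = [("A", "example-theme/1.0.5/"), ("A", "example-theme/1.0.5/style.css"),
              ("U", "example-theme/1.1/style.css"), ("A", "example-theme/1.3/style.css"),
              ("A", "README.txt")]


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def style_version(style_css: str) -> Optional[str]:
    m = HEADER_RE.search(style_css)
    return m.group(1).strip() if m else None


def check_transaction(changed: Iterable[Tuple[str, str]],
                      existing: Dict[str, Set[str]],
                      read_file: Callable[[str], Optional[str]]) -> List[str]:
    """Return rejection reasons (empty list = accept).

    changed:   (action, path) pairs as printed by `svnlook changed`
    existing:  slug -> version folders already present in HEAD
    read_file: content of a path inside the transaction, or None if absent
    """
    errors: List[str] = []
    releases: Set[Tuple[str, str]] = set()
    for action, path in changed:
        if re.fullmatch(r"[a-z0-9-]+/", path):          # the theme's top-level folder itself
            continue
        m = PATH_RE.match(path)
        if not m:
            errors.append(f"{path}: not inside a /Theme-Slug/1.2.3/ folder")
            continue
        slug, version = m.groups()
        if version in existing.get(slug, set()):        # existing versions are tags: read-only
            errors.append(f"{path}: {slug}/{version}/ already exists and is read-only")
            continue
        releases.add((slug, version))
    for slug, version in sorted(releases):
        live = max(existing.get(slug, set()), key=parse_version, default=None)
        if live is not None and parse_version(version) <= parse_version(live):
            errors.append(f"{slug}/{version}/: not newer than live version {live}")
        css = read_file(f"{slug}/{version}/style.css")
        if css is None:
            errors.append(f"{slug}/{version}/style.css: missing")
        elif style_version(css) != version:
            errors.append(f"{slug}/{version}/style.css: Version header "
                          f"{style_version(css)!r} != folder {version!r}")
    return errors


def svnlook(*args: str) -> str:
    return subprocess.run(["svnlook", *args], check=True, capture_output=True, text=True).stdout


def main(repo: str, txn: str) -> int:
    changed = [(line[:4].strip(), line[4:]) for line in
               svnlook("changed", "-t", txn, repo).splitlines()]
    existing: Dict[str, Set[str]] = {}
    for slug in {m.group(1) for m in map(PATH_RE.match, (p for _, p in changed)) if m}:
        try:   # HEAD listing, so the transaction's own new folder is not counted as existing
            tree = svnlook("tree", "--full-paths", "--non-recursive", repo, slug)
        except subprocess.CalledProcessError:           # slug not in HEAD yet
            continue
        existing[slug] = {m.group(2) for m in map(PATH_RE.match, tree.splitlines()) if m}

    def read_file(path: str) -> Optional[str]:
        try:
            return svnlook("cat", "-t", txn, repo, path)
        except subprocess.CalledProcessError:
            return None

    errors = check_transaction(changed, existing, read_file)
    for e in errors:
        print(e, file=sys.stderr)
    return 1 if errors else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1], sys.argv[2]))
```

Reading style.css out of the transaction (svnlook cat -t) rather than from the working copy is what lets the "folder matches the Version: header" rule hold at commit time; the same hook rejects an attempt to edit an already-published version, which is the property the downstream consumers of themes.svn rely on.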

Create Openverse email address for Helpscout

The Openverse team wants an address openverse@wordpress.org to use with Helpscout.

I’ve created a mailbox within Helpscout for it. It seems that their connection setup has changed, and now in order to connect an email address on an external domain they send a verification code to that external email address.

I guess we can make this work by setting up a forward from openverse@wordpress.org to openverse@wordpress.helpscoutapp.com. Presumably that will let me see the verification code and complete the setup (though I can’t see what the next steps require until I get past the confirmation code). I’m open to suggestions for better ways to do it.

#prio1 #email