Dion Hulse 5:31 am on March 9, 2023
Tags: auth, prio2, trac ( 36 )

Upgrade TracWPCookies plugin

Currently WordPress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/ doesn’t use WordPress Sessions, this was for two reasons: 1) bbPressbbPress Free, open source software built on top of WordPress for easily creating forums on sites. https://bbpress.org. 1.x, 2) TracTrac Trac is the place where contributors create issues for bugs or feature requests much like GitHub.https://core.trac.wordpress.org/.

We no longer have any bbPress 1.x installations present requiring authentication, leaving Trac as the only barrier to enabling the usage of it on WordPress.org infrastructure.
Future 2FA work will require sessions in order to keep track of the authentication type and time since last-2fa-challenge.

WordPress uses user_meta to store the Sessions by default, but that’s not ideal for our usage (primarily due to PHPPHP PHP (recursive acronym for PHP: Hypertext Preprocessor) is a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML. http://php.net/manual/en/intro-whatis.php. Serialized arrays needing decoding by trac python), so I’ve adopted the same table structure used on WordPress.comWordPress.com An online implementation of WordPress code that lets you immediately access a new WordPress environment to publish your content. WordPress.com is a private company owned by Automattic that hosts the largest multisite in the world. This is arguably the best place to start blogging if you have never touched WordPress before. https://wordpress.com/ for user sessions – wp_user_sessions

Here are two versions of the pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party, and a diff (GitHubGitHub GitHub is a website that offers online implementation of git repositories that can easily be shared, copied and modified by other developers. Public repositories are free to host, private repositories require a paid subscription. GitHub introduced the concept of the ‘pull request’ where code changes done in branches by contributors can be reviewed and discussed before being merged be the repository owner. https://github.com/ PRs) from present for code/security review if wanted.

0.2 – Supports user cookies with session tokens only diff .zip
0.2-transitional – Supports existing cookies, and future session cookies. diff .zip

Installation steps:

Define wp_user_sessions = wporg_user_sessions in the [wordpress] section of the existing Trac config.
Remove existing 0.1 version of the plugin.
Install 0.2-transitional, Existing cookies should continue to work.

At a future date when Session support has been enabled permanently on WordPress.org:

Remove 0.2-transitional and replace with 0.2
Existing cookies at that time should be all with Sessions, and so they’ll continue to work. Older session-less cookies will no longer pass auth.

I’m unsure on the timeline of when the transitional plugin should be removed, likely once WordPress 6.2 is released and the pluggable.php functions have all been removed.

Implementation notes:

The auth_salt and auth_key do not need to be updated during this process, as the tokenised cookies simply add an extra token value.
The cookie names will remain the same to avoid any other systems-related changes needing to be made.
The SQL introduces a join to an additional table for sessions, a const index is used.
The WordPress wp_user_session code is here: https://github.com/WordPress/wporg-mu-plugins/pull/345 (It’s WordPress 6.2+, Includes memcache, is based off the WordPress.com implementation)
I haven’t added user session caching into the Trac plugin as noted as an existing TODO. I’m not sure of the intention of the TODO as it notes not caching across requests, but the auth-check is only run once per request.
I have tested this on my own Trac + WordPress install, using both wp_user_sessions and no-session cookies.

#auth, #prio2, #trac

Dion Hulse 11:34 pm on February 13, 2023
Tags: lb ( 2 ), prio2

Load-balancers on IP Abuse database

https://www.abuseipdb.com/check-block/198.143.164.0/24

As reported in https://wordpress.org/support/topic/api-wordpress-org-is-on-abuseip-db-blacklis/ it looks like some hosts have been confusing outgoing connections to api.wordpress.org as being incoming brute-force requests, and reporting it as such.

It appears that some hosts/networks may be using this as part of a network DROP rules causing WordPress sites being unable to connect to the APIAPI An API or Application Programming Interface is a software intermediary that allows programs to interact with each other and share data in limited, clearly defined ways.. I believe this might be the cause of some past issues where .251 was inaccessible but .252 was.

Can someone from systems request removal, specifically for https://www.abuseipdb.com/check/198.143.164.251

#prio2 #lb

Jonathan Desrosiers 2:20 pm on February 9, 2023
Tags: prio2

Upgrade NodeJS/npm on the Build Server

Can NodeJS 18.x be installed on the build server with the paired version of npm (currently 9.3.1)?

CoreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress. currently uses NodeJS 14.x, which will reach EOL on April 30, 2023. Work is underway for both Core and GutenbergGutenberg The Gutenberg project is the new Editor Interface for WordPress. The editor improves the process and experience of creating new content, making writing rich content much simpler. It uses ‘blocks’ to add richness rather than shortcodes, custom HTML etc. https://wordpress.org/gutenberg/ to support 18.x (see Core Trac-56658 and this Gutenberg PR/Issue list). The changes needed to support 18.x are being made now with the aim of changing the actual version used in both locations prior the EOL date in a few months.

There are currently no plans to update older branches receiving minor or security releases at this time, so 14.x will need to remain on the server for the time being.

CC: @gziolo who I’ve been coordinating with on the Gutenberg side of things.

#prio2

Dion Hulse 2:52 am on December 6, 2022
Tags: connectivity, meta ( 6 ), prio2

IP connectivity problem debug request

As posted in #meta: https://wordpress.slack.com/archives/C02QB8GMM/p1670234270428419

I sorry if I chose wrong channel, but I’m having trouble accessing api.wordpress.org from multiple servers, like in these threads: https://make.wordpress.org/systems/2020/11/25/are-there-any-network-level-non-nginx/ https://wordpress.org/support/topic/server-ip-blocked/page/2/ https://wordpress.slack.com/archives/C02QB8GMM/p1605164522008700

For example 31.31.198.124. I can resolve api.wordpress.org, ping it – but not connect to 80 or 443 port: https://pastebin.com/r1B4PvPg
tcptraceroute to 80 and 443 ports: https://pastebin.com/qyQid5aB
tcpdump, GMT+3 time: https://pastebin.com/Tzd3JPMR

From another server (IP 31.31.198.122, same /24 subnet) everything is fine: https://pastebin.com/sHuCRkvG
Or, if i add custom route for 198.143.164.251 on the problem server, api becomes available: https://pastebin.com/1DnmeL1i , https://pastebin.com/hEKrWMwr

Looks like 31.31.198.124 is banned on api.wordpress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/ or something in beetwin blocking traffic from api.wordpress.or to 31.31.198.124. Can anyone check this?

Can systems please check, and for future requests, state how they’d like these to be raised when they come in? I didn’t want to just tell them to email y’all without you expecting it.

FYI @ilyaregru

#prio2 #connectivity

Dion Hulse 12:53 am on October 31, 2022
Tags: prio2, svn ( 29 )

IP blocked from plugins.svn?

Per https://wordpress.slack.com/archives/C02QB8GMM/p1666717073063339 it looks like two wordfence IPs have been blocked from plugins.svn.wordpress.org – other svn.wordpress.org hosts are accessible.

It appears they had an automated release process go wrong, causing the IPs to be blocked.

See the above SlackSlack Slack is a Collaborative Group Chat Platform https://slack.com/. The WordPress community has its own Slack Channel at https://make.wordpress.org/chat/. thread for IPs and backstory.

cc @wfscottb

#svn #prio2

Dion Hulse 11:24 pm on October 12, 2022
Tags: meta6530, nginx ( 15 ), prio2, redirects

Redirect request: {ios,android,iphone}.wordpress.org

Per #meta6530 can we please update the redirects for these subdomains to use the WordPress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/ mobile landing page instead of the WordPress.comWordPress.com An online implementation of WordPress code that lets you immediately access a new WordPress environment to publish your content. WordPress.com is a private company owned by Automattic that hosts the largest multisite in the world. This is arguably the best place to start blogging if you have never touched WordPress before. https://wordpress.com/ landing page?

Diff form:

Index: wporg-redirects.conf
===================================================================
--- wporg-redirects.conf	(revision HEAD)
+++ wporg-redirects.conf	(working copy)
@@ -120,7 +120,5 @@ server {
 	server_name android.wordpress.org ios.wordpress.org iphone.wordpress.org;

-	rewrite ^/development/? https://apps.wordpress.org/contribute/ permanent;
-	rewrite ^/faq/? https://apps.wordpress.org/support/ permanent;
-	rewrite ^/(.*)$ https://apps.wordpress.org/$1 permanent;
+	return 301 https://wordpress.org/mobile/;
 }

If wanted, we can move this redirect from nginxNGINX NGINX is open source software for web serving, reverse proxying, caching, load balancing, media streaming, and more. It started out as a web server designed for maximum performance and stability. In addition to its HTTP server capabilities, NGINX can also function as a proxy server for email (IMAP, POP3, and SMTP) and a reverse proxy and load balancer for HTTP, TCP, and UDP servers. https://www.nginx.com/. into PHPPHP PHP (recursive acronym for PHP: Hypertext Preprocessor) is a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML. http://php.net/manual/en/intro-whatis.php..

#redirects #nginx #prio2

#meta6530

Dion Hulse 12:24 am on August 3, 2022
Tags: downloads, prio2, ratelimit ( 2 )

Relax rate limiting for downloads.wordpress.org/plugin-checksums/

It appears that the pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party checksum download endpoint has had some rate limiting added, which is affecting clients of that endpoint.

See https://github.com/wp-cli/checksum-command/issues/91
See https://wordpress.slack.com/archives/C02QB8GMM/p1659451832035669

The legitimate uses of the endpoint do result in the checksums of all plugins on a site being requested in a short period of time. I’m unsure if clients avoid requesting 404 urls or only 200’s.

#downloads #ratelimit #prio2

Tellyworth 6:55 am on April 22, 2022
Tags: email ( 21 ), helpscout ( 4 ), prio2

Email forwarder hosting@wordpress.org for HelpScout

Can we please have an email forwarder from hosting@wordpress.org to hosting@wordpress.helpscoutapp.com

Ref: https://meta.trac.wordpress.org/ticket/6226

#email #helpscout #prio2

Tellyworth 4:32 am on April 22, 2022
Tags: email ( 21 ), helpscout ( 4 ), prio2

Email forwarder reports@wordpress.org for HelpScout

Can we please have an email forwarder set up from reports@wordpress.org to wp-project-reports@mu.helpscoutapp.com.

This is for some upcoming code-of-conduct stuff. I’ve set up a mailbox on the helpscout side (this is in the WordCampWordCamp WordCamps are casual, locally-organized conferences covering everything related to WordPress. They're one of the places where the WordPress community comes together to teach one another what they’ve learned throughout the year and share the joy. Learn more./Foundation HS instance).

cc @angelasjin.

#email #helpscout #prio2

Brandon Kraft 6:49 pm on April 11, 2022
Tags: 55395-core, cdn ( 6 ), dotorg-svn, emoji ( 3 ), prio2

Commit for images/core/emoji Could I…

Commit for images/coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress./emoji

Could I get commit access for dotorg’s image/core/emoji directory to add me to the folks who can upload new emoji assets?

When twemoji updates to new versions, in addition to the Core patch (e.g. #55395-core ), we need to upload to assets for the CDN to distribute.

We can continue to do the past way of bugging folks with commit access, but I’ll be joining as an Emoji component maintainer and I already have partial commit access elsewhere.

cc: @desrosj

#emoji #cdn #dotorg-svn #prio2

#55395-core