SSH access to

Could I please have SSH access to the site? I need to set up “thank you” emails for donations.


Potential Abuse of “Email Personalized Schedule” Feature

r6268-meta adds a new feature where WordCamp attendees can bookmark sessions on the schedule that they want to attend, and then e-mail themselves their personalized schedule (per #2733-meta). The feature is aimed at attendees, so it doesn’t require logging in to an account.


The email portion of that is temporarily disabled, though, so that we can discuss the potential for abuse, and any necessary mitigations.

As far as I can tell, there are 3 primary scenarios for abuse:

“Dumb” bots

These are the ones that just search for any <form> they can find, and POST spam content to it. These shouldn’t work at all, since the <form> doesn’t have an action; instead, JavaScript traps the click event and sends the request to the REST API. Even if the bot tried to POST the request to the current URL, that still wouldn’t trigger the handler.

“Smart” bots

These are advanced enough to be able to interact with the DOM. I still don’t think these would work, because the handler returns early if no session IDs are passed. In order to actually send an email, the bot would have to star a session, meaning that it would have to be tailor-made to this particular plugin.

I don’t think anybody would go to that much trouble, since they could get much more impact for far less effort elsewhere. They wouldn’t be able to send any spam content; all they would achieve would be annoying the recipient and hurting our server’s spam reputation. Annoying the recipient could be done more easily with millions of web forms that don’t require any complex interactions. Hurting our server’s reputation is plausible, but still seems very unlikely.

That doesn’t seem like a compelling enough reason to burden the user with a CAPTCHA, or to take up our limited time and introduce non-essential complexity with a rate-limiter.

A human manually submitting the form

This is essentially the same as a “smart” bot; the costs seem to far outweigh the benefits.

If we get any reports of abuse, or notice our mail server being blacklisted, then we can definitely temporarily disable the emails with email_fav_sessions_disabled() and work on a fix, but it seems premature to do anything right now.

Waiting until there’s actually some sign of abuse saves us the opportunity cost of spending time on a feature we’ll probably never use, and it also puts us in a better position to correctly fix the abuse in the unlikely event that it does happen. Right now we’re just guessing at how it might be abused, but if it does actually happen, then we’ll know the details and will be able to address it directly.

What do you all think? Do you all have any objections to turning it on?


Node.js 8.x on build server

Hi, as per #3320-meta could we please have a Node 8.x LTS release installed on
This will be needed for WordPress 5.0 & Gutenberg (once merged) build scripts to operate.

Currently we have a 0.10.x & 6.9.x release available in the nodejs-base role.



Cache corruption issue

Something is causing the Credits API results cache to be corrupted – I’m assuming a job somewhere is triggering it, but I have no way to track it down.

Are you able to find out what is writing to the props-4.9 key in the core-credits-api cache group?


Incorrect Return-Path on mail from

The Return-Path is currently set to, which may be contributing to emails getting marked as spam for some recipients. Relevant headers from one such email:

Received-SPF: Neutral ( is neither permitted nor denied by domain of ) client-ip:
    spf=neutral ( is neither permitted nor denied by domain of
Return-Path: <>
Date: Fri, 20 Oct 2017 12:20:46 +0000
From: WordPress <>

This same issue has come up before (1, 2), and it appears that the Return-Path was changed at that time, so perhaps it was somehow reverted at a later date?

cc @stankea
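
SPF is evaluated against the envelope sender, which the receiving server records as Return-Path, so a Return-Path on a different domain than From is worth checking together with the Received-SPF result. The following is an added example, not part of the original post or of any WordPress.org tooling; the sample message is constructed, and `example.org`, `mail.example.net` and `203.0.113.10` are placeholders for the values missing from the headers above.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (placeholder addresses, not those from the report).
SAMPLE = """\
Received-SPF: Neutral (203.0.113.10 is neither permitted nor denied by domain of www-data@mail.example.net) client-ip=203.0.113.10
Return-Path: <www-data@mail.example.net>
Date: Fri, 20 Oct 2017 12:20:46 +0000
From: WordPress <wordpress@example.org>
Subject: constructed test message

body
"""

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def same_org(a, b):
    """Simplified alignment test: equal, or one is a subdomain of the other.
    (Real DMARC alignment uses the public suffix list; this is an approximation.)"""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def check_envelope(raw):
    """Report Return-Path / From / SPF values and any mismatch between them."""
    msg = message_from_string(raw)
    rp = domain_of(msg.get("Return-Path"))
    frm = domain_of(msg.get("From"))
    # The SPF verdict is the first token of the Received-SPF header.
    spf = (msg.get("Received-SPF") or "").split(" ", 1)[0].lower() or "none"
    findings = []
    if not rp:
        findings.append("empty or missing Return-Path")
    elif not same_org(rp, frm):
        findings.append(f"Return-Path domain {rp} does not match From domain {frm}")
    if spf != "pass":
        findings.append(f"SPF result is {spf}")
    return {"return_path": rp, "from": frm, "spf": spf, "findings": findings}

if __name__ == "__main__":
    for finding in check_envelope(SAMPLE)["findings"]:
        print(finding)
```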


Hi, can you please set up…

Hi, can you please set up proxy access for @casiepa? As a polyglots mentor he’ll be helping out with managing rosetta sites and will need access to the network.

His public key is:




Hi, can you please set up…

Hi, can you please set up proxy access for @coachbirgit? As a polyglots mentor she’ll be helping out with managing rosetta sites and will need access to the network.

Her public key is:




Could you please make a…

Could you please make a sandbox for @sergeybiryukov? Here’s his public key:




Per a report, we need to get HSTS set up on The alternative being setting the secure only flag for the auth cookies.


Update Public Key for Paul Gibbs

Could someone please update the proxy key for @djpaul?

The public key is here: