Interesting take on Brexit - awesome ... A de facto European "dictatorship" is falling with this British vote? ... is this the dictatorship of a money-centric EU (and re Yonatan Zunger's post below) ... and re identity questions in an information technology world ...
https://twitter.com/TheOpenBand/status/746426005867233280 ...
https://twitter.com/GerdMoeBehrens/status/746245873680650240
European SUPERSTATE to be unveiled: EU nations 'to be morphed into one' post-Brexit
http://www.express.co.uk/news/politics/683739/EU-referendum-German-French-European-superstate-Brexit
Angela Merkel surprised by massive protest march against TTIP in Berlin
http://www.businessinsider.com/r-hundreds-of-thousands-protest-in-berlin-against-eu-us-trade-deal-2015-10?r=UK&IR=T
https://twitter.com/jpalfrey/status/746192089805819910
https://twitter.com/_athinak_/status/746404081611202560
Thanks for the heads up about Brexit when we last met! :)

I hope WUaS can slip in with major online Universities in each of those Western European countries and languages even as these nation states seem to engage in a form of statism to the EU's federalism ... or is it all about Anglophone identity (English) .... with an England-Canada (among many) transatlantic song finding new trading form for example? :) And will Scotland be able to veto Brexit or will there be a new referendum soon turning Brexit on its head. Vanguard Mutual Funds' take was interesting as well (see my paraphrase on this in the blog:).

Cheers,
Scott
***
[14:04] <jzerebecki> a retrospective on a grave security bug
[14:04] <robla> gwicke felt like the first couple of steps of this RFC are really clear, but believes subsequent steps deserve more discussion (gwicke, please correct me if I have that right)
[14:05] * robla looks at jzerebecki's link
[14:05] <jzerebecki> "The issue went undetected during pre-merge review. To avoid situations like this in the future, we are concentrating on development of more comprehensive automated testing. Our verification tests now perform a series of additional security checks,"
[14:05] == mhurd has changed nick to mhurd_afk
[14:05] <jzerebecki> " We have also taken the opportunity to introduce stronger image validation during the system image build process, automatically flagging packages with reported security issues. We will also ensure that security-related changes are accompanied by appropriate tests."
[14:06] <gwicke> the first steps of the CSP RFC are low consequence preparations / information gathering, which I think are pretty uncontroversial
[14:06] <robla> jzerebecki: oops, I only just figured out you were talking about postmortems. Excellent, thank you! :-) I thought you were talking about the CSP one, and I suspect gwicke is commenting on that.
[14:07] <jzerebecki> ah yes, that CSP seems like a worthwhile thing; on first look it is pretty uncontroversial
[14:07] <TimStarling> where should the reports go?
[14:07] * robla gets his 6-digit numbers confused
[14:07] == parent5446 [parent5446@mediawiki/parent5446] has joined #wikimedia-office
[14:07] <bawolff> TimStarling: The CSP violation reports?
[14:08] == Guest28362 [~Dstrine@tan2.corp.wikimedia.org] has joined #wikimedia-office
[14:08] <TimStarling> sorry, I am one RFC behind, the retrospective reports for security incidents
[14:08] <robla> TimStarling: I'm not sure. I could be convinced of either wikitech.wikimedia.org or mediawiki.org
[14:08] <bd808> TimStarling: I think that's a good question. I'm a bit concerned that the current logging pipeline may melt with them being processed by an action api endpoint.
[14:08] * bd808 is on the wrong topic
[14:08] <TimStarling> yeah, I'm sure it was a good comment for any RFC
[14:08] * robla fails at chairing
[14:09] <robla> #topic T123753
[14:09] <brion> :)
[14:09] <bawolff> I actually have a response to that question, but I'll wait until we get to that rfc
[14:09] <robla> (we'll spend no more than 10-15 minutes on this one, and then move to the CSP one)
[14:09] <brion> ok do we need things like: where do the reports go ;), how long before they get made, etc
[14:10] <robla> #action robla propose a location for where reports go
[14:10] <Platonides> I think wikitech
[14:10] <brion> and if a report falls behind, do we need a fallback path?
[14:10] <Platonides> some would be suited for mediawiki too, but others will be wmf-specific
[14:10] <brion> eg who gets poked until it gets done ;)
[14:10] <brion> or who does the poking, alternately
[14:11] <jzerebecki> I think the most controversial thing on security incidents or even incidents reports in general is how to ensure that the actionables are done, as in being funded.
[14:11] <robla> brion: I think it's sort of a percentage score thing. Some reports may never get done, and that's ok
[14:11] <bawolff> What sort of actionables do you have in mind?
[14:11] <brion> jzerebecki: ah for 'next steps to prevent this crap from getting worse' vs just 'and here's what we did to fix it so far'?
[14:12] <jzerebecki> brion: yes
[14:12] <bawolff> There's a big difference between - introduce automated testing for this type of security issue, vs fix the XSS in particular
[14:12] <bawolff> *this particular xss
[14:12] <bawolff> or whatever the issue is
[14:12] <robla> I think postmortems are still useful even if we don't have anyone slavishly enforcing "strict adherence" to the process
[14:13] <gwicke> the thing I keep wondering about when I look at this RFC is how security and performance post-mortems should differ from regular outage / incident post-mortems
[14:13] <robla> gwicke: they should probably be more same than different
[14:13] <Scott_WUaS> (@jzerebecki and security-oriented Wikidatans - what planning is occurring in terms of MIT-informed bitcoin and blockchain and in all countries' main and official languages - and re code security ... as well as, to re-construe the word "security", a kind of financial security for WMF and Wikidata, for example?)
[14:14] <bawolff> what?
[14:14] <gwicke> robla: would it make sense to rephrase it as a refinement on post-mortem policies in general?
[14:14] <jzerebecki> bawolff: robla i agree that postmortems are useful anyway
[14:14] <gwicke> what works well / what doesn't, proposed changes etc
[14:14] <robla> I think we've really handled as much of this topic as we should. Let's take further discussion back to Phab on T123753, and discuss CSP
[14:15] * robla goes to find the CSP task num
[14:15] <robla> T135963
[14:15] <robla> #topic T135963
[14:15] <Scott_WUaS> (@bawolff - Is there any planning with the WMF Foundation for possible engagement with MIT's Bitcoin and Blockchain - and re security?)
[14:15] == tarrow [uid11206@gateway/web/irccloud.com/x-wuiqgqkgbvqtzfui] has joined #wikimedia-office
[14:15] <robla> Scott_WUaS: probably not a great topic for this meeting
[14:15] <SMalyshev> re CSP, is this supposed to be configured somehow in wiki settings?
[14:16] <Scott_WUaS> (@robla - thanks)
...