[05:24:37] I mean, if we put a "mh plays pokemon" as our new hcaptcha solution, I wouldn't complain.
[08:13:03] <.labster> I've decided I want to get WikiForum to a reasonable level of security, which involves a large amount of rewriting.
[08:13:18] yippee
[08:14:28] <.labster> Do we like using Html::element functions everywhere, or not everywhere if it's HTML with no interpolation going on? I've never written something so frontendy for MW.
[08:15:14] <.labster> so far all I have written is https://gerrit.wikimedia.org/r/c/mediawiki/extensions/WikiForum/+/1109925 , which is the lowest of bars.
[08:15:49] <.labster> I keep writing other things, then I notice deeper problems in the fractal of Ashley Phoenix
[08:16:05] imo, you should use Html::element everywhere
[08:16:20] and that's why i bailed out on the security review so early after identifying potential problems
[08:16:27] like
[08:16:33] imagine seeing the fix to a csrf
[08:16:50] you'd think "okay, so you add the edit token to the request, and check it on your end"
[08:17:08] meanwhile ashley went and moved it to an api module so that mediawiki core does the edit token check
[08:17:23] <.labster> I can't even follow the logic sometimes there's so much HTML interpolation going on, functions with 10 arguments.
[08:17:35] oh, and iirc it's not output-side escaping
[08:17:51] so you can be left at a guess of "is this plain text or is this html" unless you check every single suspicious instance
[08:18:01] <.labster> Yaron was like "Yay, WikiForum is fixed, throw it in Canasta!" and I'm like "hold up bro"
[08:18:59] <.labster> the underlying design is really not terrible, it's just all UI/XSS problems.
[08:19:14] agreed
[08:19:36] the classes store the raw sql result instead of parsing it out, which was kinda odd but i'll allow it
[08:19:46] oh, and
[08:19:56] <.labster> Like, in contrast to Flow which ostensibly does the same thing, but is so complex even the WMF can't understand it.
[08:19:59] getUrl() returns a url that is safe for html-inclusion via htmlspecialchars()
[08:20:22] <.labster> yeah I murdered that already, somewhere in git stash.
[08:20:27] thank you
[08:20:46] if you can unfuck the api for csrf protection part, i'd be grateful
[08:21:12] <.labster> Honestly the hard part is not making it one giant unfuck-this-extension patch
[08:21:23] <.labster> Gerrit is kind of constraining that way.
[08:21:27] ah, yeah
[08:21:36] imo, the one time a pull request model is nice
[08:21:46] (i actually prefer gerrit over the PR model lol)
[08:22:24] actually, what about git request-pull
[08:22:26] https://git-scm.com/docs/git-request-pull
[08:22:48] <.labster> Gerrit is much better than I thought a year ago. I've somehow become the Gerrit guy at $dayjob, since I actually bothered to do the steeper learning curve.
[08:23:30] the one shortfall of gerrit is that it doesn't really make it clear that all comments are in "review mode", so to speak
[08:23:53] at least that's for me
[08:24:03] <.labster> look at gerrit dashboard, realize you forgot to click reply a month ago. Yeah.
[08:24:08] oh god lol
[08:24:32] unabandon a change, realise that you forgot to readd the change to the reviewers' attention set
[08:24:51] <.labster> as I said, learning curve.
[09:25:29] Gerrit is ostensibly the worst software to ever exist
[09:25:49] It would be 110% improved if they tidied up the UI.
[09:26:11] the two types of gerrit users
[10:23:09] @.labster: should we assign a public task to you for making Wiki Forum not make us cry
[10:23:44] I agree with OA too
[10:23:55] Gerrit is awful
[10:24:56] <.labster> I certainly have some love/hate feels for PHP as well
[10:25:13] tfw false casts to ""
[10:25:34] and true to "1"
[10:25:56] and "0" is falsy, why-
[10:26:14] I also despite slack
[10:26:17] <.labster> I’m from Perl so that all seems normal to me
[10:26:18] Despise
[10:26:19] I do not accept any negativity towards PHP
[10:28:45] <.labster> I think my next goal will be to kill the static methods in WikiForum. Modern MW needs the class state.
[10:29:28] Well actually I despise the government's setup of slack
[10:30:56] https://github.com/wikimedia/mediawiki-extensions-WikiForum/blob/master/includes/WFCategory.php#L159 why is there no visibility on any of these functions lmao
[10:33:22] because yes
[10:33:28] what's the default function visibility? public?
[10:34:00] Yeah
[10:34:11] :p
[10:34:11] But there's some functions in there that should be private imo
[10:34:13] ¯\_(ツ)_/¯
[10:36:22] <.labster> Honestly I miss Perl’s version: all methods are public, but if you mess with the ones beginning with an underscore, on your own head be it.
[10:37:36] python
[10:37:51] and javascript if you're not doing classes
[11:54:10] wait
[11:54:14] my brain has just done some processing
[11:54:17] oh fuck my ass
[11:57:35] originalauthority: are you up for updating the extension for https://issue-tracker.miraheze.org/T13063?
[11:57:40] accidentally made it public for around two minutes...
[12:02:45] for 152 seconds, or ~2.53 minutes
[12:19:43] RhinosF1: anyone with mw server access online for ^?
[12:48:01] @reception123
[13:16:57] I'm not until a bit later
[15:38:41] BlankEclair: should be updated now
[15:39:07] reception123: ty! can you make it public? ^^;
[15:39:32] hmm, you didn't update mw 1.43
[15:39:52] oh right, doing now
[15:40:07] do you know a wiki that has it enabled so I can check version and make extra sure it's updated?
[15:40:52] PTW lol
[15:41:12] i wanna go to eep soon
[18:35:25] what?
[18:35:43] ?
[18:35:50] Not sure what's confusing about that
[18:36:37] I quite like Gerrit and prefer it to the likes of github and gitlab. The UI is better. The only thing github has going for it is the better ui for browsing the repository otherwise its model is quite crap.
[18:36:41] Oracle Fusion is the worst software ever
[18:36:51] Gerrit is better than Gitlab
[18:36:55] But GitHub is better
[18:37:11] WMF's gitlab and the entire gitlab joke is an example of how not to do shit
[18:49:50] <.labster> This is turning into vim vs. emacs 2.0
[18:50:09] <.labster> Which is surprising because vim is obviously better
[18:50:09] Oracle fusion is undoubtedly the worst software ever
[18:50:24] There is seriously not a feature in it that ain't buggy
[18:50:53] <.labster> There's one thing that Oracle software is really good at: being sold to enterprise
[18:51:17] Well ye
[18:51:28] <.labster> But how bad is it on a scale of 1 to Jira?
[18:51:52] 10 times hits
[18:53:35] <.labster> That's reasonable. One place used ServiceNow as a bug tracker when it's really a support ticket tracker, I was so relieved when we went to Jira, it was easily a 3xJira experience.
[18:54:34] My only problem with Jira is my setup has broken ipv6 dns
[18:54:39] Which results in random timeouts
[18:54:47] But no one owns the dns layer
[18:54:56] @.labster service now is annoying as fuck
[18:55:24] <.labster> amen brother
[18:55:51] Why can't it just fucking tell me what team / person is assigned to my call
[18:56:04] So I can see when the idiotic agents send it to the wrong queue / site
[18:56:30] <.labster> Jira is fine but every so often Jira + Firefox decides to eat all of the memory on my system, and if I don't catch it fast enough I need to reboot. Very important to close Jira tabs overnight.
[18:57:33] That's not good
[18:58:00] Service now at work is so confusingly complex
[18:58:18] But I think most of my issues with it are implementation
[18:58:31] It's annoying as fuck though
[18:58:43] We deployed it and then ran out of money to finish it and fix bugs
[18:58:55] <.labster> It has, thankfully, been the better part of a decade since I last touched Service Now.
[19:00:17] I have it every day
[19:00:23] Well a half deployed buggy version of it
[19:00:35] <.labster> So a normal version then
[19:01:00] That doesn't fill me with hope
[19:04:24] @.labster I suspect we'll bring updates to make service now differently shitty once we transition our IT provider
[19:04:35] We're moving on the 1st march
[19:05:50] <.labster> I hope your IT provider likes their new gender better
[19:07:40] @.labster we're splitting our IT contract in half
[19:07:51] So I suspect it'll all fall apart
[19:08:16] It'll be the other company's fault
[19:08:19] Whatever it is
[19:08:32] Even the colour of the sky
[19:10:53] <.labster> Honestly I want to know which energy company I can blame the current color of the sky on. Too orange for comfort.
[19:13:49] We can just solve this entire problem
[19:13:55] Miraheze starts contracting to the government
[19:14:01] Problemo solvedo
[19:41:51] UK Gov uses bluespice
[19:43:06] Why am I not surprised
[19:43:34] I hope they at least self host
[19:45:13] My department definitely do
[19:45:26] UK gov data should be 100% in the UK
[19:45:43] Yes, I'd be pretty pissed if they were paying for Bluespice
[19:47:10] @originalauthority I suspect we pay
[19:47:57] I'm less pissed if they're paying for support (although, surely they have enough technical knowledge to understand how it works, but whatever) but if they were paying for hosting that would be annoying
[19:48:39] @originalauthority you still need a license for most of bluespice even if you self host
[19:49:15] oh really?
[19:49:20] ludicrous
[19:49:21] @originalauthority ye
[19:49:28] There's a free version
[19:49:39] But there's a fair few things not in it
[19:53:59] that are in core?
[19:56:10] I guess the wikifarm one might be useful, mediawiki sucks at native WikiFarming
[19:56:22] even the WMF suck at their attempts to do it properly
[20:06:49] WMF do things properly?
[20:09:39] @urbanecm can I get a 2O?
[20:46:43] [1/2] this nearly gave me a stroke wtf
[20:46:44] [2/2] https://cdn.discordapp.com/attachments/1006789349498699827/1328465276261503067/Screen_Recording_2025-01-13_at_20.45.08.mov?ex=6786cd33&is=67857bb3&hm=fd0e44a001ca34e2e05b0fdb8896207abe5eaa4ef3fd8ccfde76c9a2c8b86949&
[20:48:52] [1/2] also why is /d spamming my console with this shit lmao
[20:48:52] [2/2] https://cdn.discordapp.com/attachments/1006789349498699827/1328465816038932532/Screenshot_2025-01-13_at_20.48.40.png?ex=6786cdb4&is=67857c34&hm=3cdca7419b22fa078e2025c1191179d6776069cce48937b62ae0197455c923a6&
[21:00:33] Why
[21:00:35] Why
[21:00:51] something to do with google tag manager apparently
[21:01:54] Calling you a silly rabbit?
[21:03:45] [1/2] so i believe
[21:03:45] [2/2] https://cdn.discordapp.com/attachments/1006789349498699827/1328469561430769735/Screenshot_2025-01-13_at_21.03.38.png?ex=6786d131&is=67857fb1&hm=2ebef6919971864fa9f2c96d9dcfacad18848e6d6b39e7fb8eff6291013a1bb5&
[21:06:27] Right
[22:32:13] <.labster> console.debug("Oh, I see you opened the console... very interesting");