[08:08:45] <_joe_> I agree with bd808 FWIW, I don't think it's worth the effort or the maintainability cost of using a debian package, unless those templates never change
[08:20:40] although it may be nice for people to clone our repo on windows so they can view it, it's worth stating that our puppet policy will not work on windows, in fact it's highly unlikely to work on anything but debian. however i think that our puppet policy should be clonable on systems with a case-insensitive filesystem as many of our engineers use a mac.
[09:12:05] <_joe_> jbond: osx filesystems have been case sensitive for the last few years unless I'm mistaken
[09:12:27] <_joe_> and I think even before it defaulted to HFS+ which was case sensitive
[09:12:41] _joe_: ahh ok been a while since i used a mac
[09:12:58] <_joe_> I figured :D
[09:13:43] :)
[09:45:55] ls
[10:17:57] <_joe_> no suck file or directory
[10:20:43] on a new macbook here, and it's case INsensitive :/
[10:21:05] you can choose case sensitive when formatting a new drive, but the default is still insensitive
[10:21:23] <_joe_> uhhh I guess I always did that at installation time heh
[10:22:09] I was always too scared of something breaking in silly ways if I did choose it :D
[10:22:32] in this case, I didn't format it myself, it's how it came from Apple
[10:33:11] <_joe_> well then apologies jbond I misguided you. My macs were case-sensitive since a long time, and when I moved to AFS it just picked up the fact I was using a case sensitive FS
[10:33:47] <_joe_> but the apple developers portal clarifies that the FS is case-sensitive by default only on iOS
[10:35:56] :) np, and thanks for the clarification
[10:36:20] <_joe_> although
[10:36:24] <_joe_> "APFS accepts only valid UTF-8 encoded filenames for creation, and preserves both case and normalization of the filename on disk in all variants."
[10:36:55] <_joe_> so the fs is case-sensitive, but offers a case-insensitive interface by default, interesting
[10:50:43] interesting, although the most still prevent something like `touch {F,f}oo` if only for UX sanity
[11:18:06] <_joe_> https://arxiv.org/pdf/2208.01242.pdf talks about our puppet codebase
[11:19:33] <_joe_> I'm not sold *at all* about their results
[11:19:44] <_joe_> specifically looking at code examples from our repositories
[11:20:05] <_joe_> still it seems interesting, we could contact them and see if they're open-sourcing their tool
[11:20:29] <_joe_> kudos to miriam for pointing me to the paper
[11:21:54] _joe_: thanks, have an interview in 10 mins but will check it out afterwards. it's something i have wondered about myself so definitely interested
[14:16:41] _joe_: fyi the tool is published here https://figshare.com/s/30a15335e471dfbb2075, no licence unfortunately but i'll give it a run and see what it spits out. Curious who from WMF answered their survey. I also notice in the paper they talk about tracking variable mutation which shouldn't strictly be needed, so may be able to simplify. it's also not clear from the paper if they also used the public hiera
[14:16:47] data (for disclosed/blank passwords etc)
[14:17:14] <_joe_> I'm 99% sure that most of our things are false positives
[14:17:46] yes me too
[14:17:55] <_joe_> and yes, I'm also curious what their survey looked like
[14:18:14] survey questions are also at that link
[14:56:15] Is there a way to get a 302 redirect out of redirects.dat for MW? [I think no, but thought I'd ask]
[14:56:27] seems like it only makes 301s
[14:58:06] bblack: no, seems like 301 is hardcoded here: https://gerrit.wikimedia.org/r/plugins/gitiles/operations/puppet/+/refs/heads/production/modules/mediawiki/lib/puppet/parser/functions/compile_redirects.rb#366
[15:24:06] <_joe_> yep
[15:24:21] <_joe_> bblack: what do you want to do?
[15:24:37] <_joe_> bblack: we could add a new verb to that DSL
[15:24:41] <_joe_> but I'd do without that
[15:55:59] _joe_: my concern was that a 301 is sometimes over-cached in UAs, if it's a known-temporary case (in this specific case, a temporary redirect for wikifunctions.org until the project is eventually live, at which point it won't be a redirect anymore)
[15:56:16] but I can also just do the one-off temporary 302 in VCL instead of redirects.dat
[15:57:22] <_joe_> being a new domain, I assumed it'd go to ncredir
[15:58:13] well ncredir is for non-canonicals. in this case we're dealing with the first stages of deploying a new canonical
[16:26:19] _joe_: re: the taintpuppet paper, i have uploaded the results to https://phabricator.wikimedia.org/T315093, i have not looked at it yet, it's all cvs files ...
[16:26:47] <_joe_> ofc...
[16:27:12] yes i know ....
[16:30:31] <_joe_> looked at the supposed worst offender, it's all false positives
[16:32:00] <_joe_> ditto for the second...
[16:33:25] <_joe_> I should add - it's reasonable false positives at least in the first file
[16:40:04] ack as suspected, thanks
[17:39:27] i just checked and 99% of the HARD_CODED_SECRET relate to user parameters on some resource, including core resources like exec, 67 of which seem to relate to setting the owner parameter on file resources, we use the owner param way more times than 67 in the repo so will need to dig further to see why but it may be related to the file path name e.g. config.ini.php is there a few times
[18:49:45] so.. I am "at Wikimania".. trying to join the virtual hackathon or something
[18:50:15] (https://wikimania.wikimedia.org/wiki/In-person_events are happening too)
[19:24:22] https://wikimania.wikimedia.org/wiki/Hackathon/Schedule < Jitsi Links in column headers mean you can listen in without the Pheedloop
[19:30:15] starting in a minute should "how to organize a local hackathon". Jitsi in browser working great. Wouldn't mind using it for team meetings as well.