MediaWiki 1.19 hasn't received security support for 3 years

[spinda]

I was talking with a MediaWiki developer today and mentioned that https://wiki.haskell.org runs MW. He pointed out that it's still on version 1.19, which came out over six years ago and was EOL'd from security support three years ago. Looking at the CVE page, there are some XSS issues and a CSRF attack, but nothing too major. Still, I think it would be good to migrate to a supported version if possible.

[mignon-p]

I agree this would be a good idea, and it would solve another problem at the same time (#6). The only reason I'm hesitant is because I'm new to maintaining the Haskell wiki, and I'm afraid I might break something. But I'll look into it.

[legoktm]

Hi! I'm the MediaWiki developer that @spinda mentioned.

Typically I'd recommend just dumping your database and cloning it with a new webroot with the 1.27 (LTS) files for the proposed update, but it seems like you're using the system Ubuntu package of mediawiki, so that may not work. Could you spin up a new VM or something for testing? I maintain official packages of MediaWiki 1.27 (https://www.mediawiki.org/wiki/User:Legoktm/Packages) for Ubuntu/Debian that can be used.

Usually the biggest issue with upgrading is custom code and live hacks. Is the code for the Hawiki skin available? I can help with porting it to be 1.27-compatible. Do you know if there are any live hacks/patches to the core code?

HTH.

[mignon-p]

@gbaz, could you comment on a few things:

• Is it possible to spin up a new VM for testing?
• Do you know the answer to whether there are "live hacks" (I don't even know what that is) or patches to the core code?
• How would you feel about giving @legoktm access to the wikiadmin account that I created in #3 so that he could look at the Hawiki skin in particular and look at our whole installation in general?

[gbaz]

cc @thoughtpolice who did some of the initial setup on the box and also @relrod.

on a new vm -- yeah absolutely we could spin it up.

I don't think there's much in the way of patches to the core code, or anything. The things I know of are custom config stuff I pointed to for the <haskell> tags, and the wiki skin. But neither is a "live hack" I think?

And I think its fine to give @legoktm access -- the offer of help is certainly welcome!

[mignon-p]

@legoktm , if you send your ssh public key to me (code@funwithsoftware.org), I can add you to the wikiadmin account so you can log into the server and poke around.

[legoktm]

Email sent. Do you think we could put the Hawiki skin in a public git repo and license it under an OSI/FSF-approved license? That would make it a lot easier to work with.

[legoktm]

And I started working on supporting the custom <haskell> tag upstream: https://gerrit.wikimedia.org/r/#/c/333798/

[gbaz]

The latest reskin was done after we licensed everything under the simple permissive license: https://wiki.haskell.org/HaskellWiki:Copyrights

So it would be legit to toss any compat license on it (which should be any?) and put it in a repo.

[mignon-p]

I created a new repository, ppelleti/hawiki, with the Hawiki skin. I just copied it from the /home/web/wikidata/skin directory on the server. I added a LICENSE file containing the text from HaskellWiki:Copyrights.

[legoktm]

As an update, @mary-kate (a MediaWiki skin developer and awesome person) has updated and modernized the skin: https://github.com/mary-kate/hawiki

[mignon-p]

Awesome! Thanks so much, @mary-kate!

[mignon-p]

Is the updated skin compatible with MediaWiki 1.19 (so I can upgrade the skin first and then later upgrade MediaWiki) or does the updated skin require that MediaWiki be upgraded at the same time?

[mary-kate]

@ppelleti Alas, I developed it with the latest stable version of MediaWiki (which at the time was and still is 1.28, see the "release notes" page on MediaWiki.org for more info), so nope, it requires a more modern version of MediaWiki (I believe 1.25 or newer, but I strongly suggest 1.28 instead since it's the latest stable version). The main reason for this is that the updated skin has only a skin.json file and no PHP-based setup file at all, but I'm quite sure that some of the other techniques used there require MediaWiki core functions which are present only in more recent versions of MW.

[mignon-p]

OK, thanks! I'll just have to upgrade everything at once, then.

@gbaz, can we spin up a new VM so I can practice the upgrade without endangering the existing wiki?

[gbaz]

@ppelleti what ever happened with this?

[mignon-p]

Yeah, sorry, I've just felt a bit stuck on this one. I'm not confident enough in my ability to perform the upgrade without practicing it first. If we could clone the VM, then I'd have something to practice on.

[gbaz]

This is just moving some new image and php files in place of old ones right?

So we could just revert them back if anything went wrong?

[mignon-p]

It's a little more involved than that. We have to upgrade to a newer version of MySQL. And then the MediaWiki upgrade process itself will upgrade the database schema. And at least in our installation, the various files that MediaWiki uses are scattered around in several places in the filesystem.

But in theory, yes, if we back everything up, we can restore it from backup. Of course, that means the wiki would be unavailable during that time.

It makes me nervous, but if you think this is the best way to proceed, I can give it a try.

[gbaz]

Ah I see. This is the whole install not just the skin... I agree a little caution is in order then...

On Sun, Nov 5, 2017 at 1:57 AM Patrick Pelletier notifications@github.com wrote:

It's a little more involved than that. We have to upgrade to a newer version of MySQL. And then the MediaWiki upgrade process itself will upgrade the database schema. And at least in our installation, the various files that MediaWiki uses are scattered around in several places in the filesystem.

But in theory, yes, if we back everything up, we can restore it from backup. Of course, that means the wiki would be unavailable during that time.

It makes me nervous, but if you think this is the best way to proceed, I can give it a try.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/ppelleti/haskell-wiki-bugs/issues/7#issuecomment-341951109, or mute the thread https://github.com/notifications/unsubscribe-auth/ABEt2TI9KNG9_67eauJN-uYjwvMAReipks5szU5egaJpZM4Lquj8 .

[mignon-p]

Right, the new skin that mary-kate created is only compatible with the newer MediaWiki, so we have to upgrade both MediaWiki and the skin at the same time.

[gbaz]

@ppelleti ok what do you need from a new vm? just a raw ubuntu install?

[mignon-p]

No, I'd been imagining a clone of the existing www-origin VM. Is that possible?

[gbaz]

(just a note for others that we have such a clone and slow progress is underway on testing the migration)

[hgolden]

Hi, I am starting to learn about MediaWiki and the hawiki instance. I hope to be able to help once I get up to speed.

[hgolden]

@ppelleti @gbaz @legoktm : In looking at available supported MW versions, I believe we should update to either 1.27.4 LTS (end of life 2019-06-30), 1.30.x (EOL 2018-12-31) or 1.31.x (EOL 2021-06-30).

Questions: Is it too soon to update to 1.31.x? Note: It requires at least PHP 7.0. Would this be a problem to install a PHP 7 version? Note: PHP 5.6 EOL is 2018-12-31. PHP 7.0 has 2018-12-03 EOL. PHP 7.1 has 2019-12-01. PHP 7.2 has 2020-11-30.

Another issue is the current nginx version (1.10.1) which has known CVEs.

My personal preference is to go with MW 1.31.x, PHP 7.2 and nginx 1.14.0, but I will implement what the Haskell Infrastructure team prefers.

[gbaz]

My impulse if I were doing it is to go with whatever is easily available upstream, for ease of use and support. However, if you can pull of a test upgrade to the latest of everything without too much hassle, then I certainly won't stand in your way :-)

[hgolden]

There's a test server at 147.75.67.13 that's running MW 1.27.4 LTS with a recent version of the wiki. Please take a look and send your comments and suggestions. Note: I can't find some icons (Rss16.png and MHvNV.png). Please let me know if you know a source for them.

[hgolden]

I found the icons mentioned in my earlier message. I fixed the home page markup to display them properly in the test server. The [Edit] button for each section is still too big and it needs to be right justified. I'll work on this tomorrow.

[hgolden]

The MediaWiki version has been upgraded to 1.27.4 LTS. It is currently in support, though we need to update in the next few months to 1.31.x LTS to remain in support.