In T15096#2233, @speck wrote: Thank you for these write-ups, I'll need more time to review; however, I noticed Evan recently started a task in the upstream where it looks like he's investigating compiling PHP to a library for use with a custom native entrypoint which would allow distributing arcanist as a single binary (he estimates ~10mb in size).
https://secure.phabricator.com/T13675
May 3 2022
May 2 2022
May 1 2022
20after4 added a comment to T15096: Discuss Arcanist as a barrier to adoption of Phorge and how to address the underlying issues..
20after4 updated the task description for T15096: Discuss Arcanist as a barrier to adoption of Phorge and how to address the underlying issues..
Apr 30 2022
In T15048#2214, @20after4 wrote: Does anyone else feel that this is not a good idea? Seems like the consensus here is that it's at least acceptable if not desirable to have.
Apr 28 2022
speck added a comment to T15096: Discuss Arcanist as a barrier to adoption of Phorge and how to address the underlying issues..
Thank you for these write-ups, I'll need more time to review; however, I noticed Evan recently started a task in the upstream where it looks like he's investigating compiling PHP to a library for use with a custom native entrypoint which would allow distributing arcanist as a single binary (he estimates ~10mb in size).
https://secure.phabricator.com/T13675
Evan recently landed a boatload of changes to address this under https://secure.phabricator.com/T13658
micax added a comment to T15096: Discuss Arcanist as a barrier to adoption of Phorge and how to address the underlying issues..
Definitely agree that the effort to set up arcanist isn't huge. And at my current work, it's baked into our common Dev PC setup, so it's almost zero effort. But there is an effort, and a dev/user who is just passing by to fix a typo or suggest a one-line change in some code isn't going to be willing to do that effort.
Apr 27 2022
This seems sensible to me, FWIW
20after4 added a comment to T15096: Discuss Arcanist as a barrier to adoption of Phorge and how to address the underlying issues..
@micax: Good points and it's helpful to hear another perspective on this. From my past experience using Phabricator on a corporate team I definitely think that arcanist helped keep everyone's workflow consistent and simple.
micax added a comment to T15096: Discuss Arcanist as a barrier to adoption of Phorge and how to address the underlying issues..
I find this rather interesting (and a little bit weird, to some extent), because IMO the arcanist command line tool is one of the things which IMO _add_ value to Phabricator and sets it apart from its alternatives.
Apr 25 2022
Apr 24 2022
20after4 awarded D25034: support language highlighting for GFM-style code blocks a Mountain of Wealth token.
20after4 updated the diff for D25038: Conduit column.search: add status, sequence and isDefault to API results.
Fix line length
20after4 retitled D25038: Conduit column.search: add status, sequence and isDefault to API results from Add column sequence to the conduit api results for column.search to Add Status, sequence and isDefault to the conduit api results for column.search.
20after4 updated the diff for D25038: Conduit column.search: add status, sequence and isDefault to API results.
celerity map
20after4 requested review of D25038: Conduit column.search: add status, sequence and isDefault to API results.
Does anyone else feel that this is not a good idea? Seems like the consensus here is that it's at least acceptable if not desirable to have.
I did a bit of digging through the source code and it looks like tokens are implemented in an incredibly generic way, such that it wouldn't be at all difficult to add tokens to comments. I think the hardest part will be integrating it with the UI.
In T15090#2141, @avivey wrote: In T15090#2123, @Matthew wrote: @avivey Would it make sense to add a public announcement to Diviner or Phiction? Or perhaps we use Phame for this use case (Create a "Security Incidents" blog)? I always think of a task as an actionable item, whereas we would want this to exist forever.
Yes, probably. "Announcements"-style thing
Apr 22 2022
@speck Would it be totally unreasonable to instead do:
Apr 20 2022
As of right now, we have made no changes to the database and other "internals" - our work has been focused on rebranding as "Phabricator" is a trademarked name. For this reason, a rough migration path would be to check out the master branch of rP, copy the config directory from Phabricator to Phorge, and then point Phorge to your Phabricator database. I have tested it myself locally and it appears to work; however, if you have any issues, feel free to ask a question on Ponder here and we can get back to you!
translations,The rebranding approach of changing the pht() keys will invalidate a lot of existing translations. Investigate if there are ways to avoid this.
We are now at a decision point where we either install Phorge from Scratch or migrate Phabricator to Phorge.
There is quite a bit of text that is set up like this:
pht(
  'blah blah blah %s blah blah'.
  'blah blah Phabricator blah %s'.
  'blah blah.',
  $var1,
  $var2);
Created {D25036}
Apr 19 2022
This is a direct result of T15090: CVE-2022-24765 - Multi-user Git Privilege Escalation - confirmed in the Nginx error logs:
STDERR fatal: unsafe repository ('/var/repo/1' is owned by someone else)
To add an exception for this directory, call:
As I started thinking about the script to process the pht() files, it hit me that converting something like:
FYI, it seemed that the issue with the wiki preview loading may have been related to tagging names... if the tags are removed, the preview loads
Hmm, possibly depending on how it's hosted? What I saw when that CVE was announced on a local instance and on secure. was like the below screenshot, where the repo page was still visible but file structure and recent commits were b0rked:
Matthew edited projects for T15093: 502 Bad Gateway error when attempting to view repo info, added: Upstream General/Unknown; removed Diffusion (archived).
Related to T15090: CVE-2022-24765 - Multi-user Git Privilege Escalation perhaps? Revisions are stored in the database that's why they're viewable, but the main repository page requires a call to git.
@dtf I've added you to the Trusted Contributors project, so you should be able to edit the page now.
(I am unable to edit the document directly, would someone with the right permissions mind adding this to the agenda please?)
dtf added a project to T15093: 502 Bad Gateway error when attempting to view repo info: Diffusion (archived).
javier updated Q11: upgrade phabricator to phorge from upgrade phabricator to forge to upgrade phabricator to phorge.
Apr 18 2022
In T15090#2123, @Matthew wrote:
That's intentional (upstream) because it's very hard to make any actual attack with this information can't be made without it.
Apr 17 2022
Note: reporter exploited without permission
Apr 16 2022
In T15090#2127, @Matthew wrote: In T15090#2126, @golyalpha wrote: apparently, Ubuntu maintainers have backported a patch for the older version of git in 20.04 LTS, downgrading to version 1:2.25.1-1ubuntu3 seems to be a temporary workaround, losing the following patches:
I don't think having people downgrade is a good idea. I think we should probably cherry-pick Evan's fix from upstream into the phorge codebase.
Apr 15 2022
In T15090#2126, @golyalpha wrote: apparently, Ubuntu maintainers have backported a patch for the older version of git in 20.04 LTS, downgrading to version 1:2.25.1-1ubuntu3 seems to be a temporary workaround, losing the following patches:
ahh, I was wondering why my Phorge install suddenly broke - seems to be the case here too
Apr 14 2022
Matthew added a project to T15090: CVE-2022-24765 - Multi-user Git Privilege Escalation: Phorge General/Unknown.
We need to cherry-pick and import the changes Evan made into the Phorge repository as well...
Apr 13 2022
avivey shifted T15090: CVE-2022-24765 - Multi-user Git Privilege Escalation from the Restricted Space space to the S1 Public space.
err, I was trying to put it out as a Security PSA, so I clicked "Create security task" which I guess is the opposite of a PSA...
Apr 11 2022
I'm setting the "Moderate" policy on Ponder to Trusted Contributors and I'll add a link to Ponder from the default home page.
20after4 changed the Moderate Policy policy for application Ponder from Administrators to Trusted Contributors (Project).
20after4 awarded T15084: Discussion: Maniphest vs Ponder for user support a Mountain of Wealth token.
Apr 9 2022
Some initial findings on Rector...
Apr 6 2022
20after4 awarded April 5, 2022 a Mountain of Wealth token.
Apr 5 2022
As discussed in {E2}, we might add temporary banners to Diviner to state that we are rebranding. This would allow some time for us to handle the code rebrand and address the underlying Diviner issues before we edit everything twice.
As discussed in {E2}, we will be implementing this to control spam for now. If this doesn't work, we will revisit this discussion.
In T15012#1283, @MacFan4000 wrote: I will note that also the tech docs aren’t fully generated since there should be docs for most of the phorge/phabricator classes. Also the arcanist docs aren’t generated at all.
Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under Apache 2.0 or other open source licenses.