It looks like upstream has issued a number of updates which we'll want to pull in. From {E4} we discussed doing the following:

Set up two blogs: Security Announcements and a Release Announcements.

In T15096#2233, @speck wrote:

Thank you for these write-ups, I'll need more time to review however I noticed Evan recently started a task in the upstream where it looks like he's investigating compiling PHP to a library for use with a custom native entrypoint which would allow distributing arcanist as a single binary (he estimates ~10mb in size).
https://secure.phabricator.com/T13675

In T15048#2214, @20after4 wrote:

Does anyone else feel that this is not a good idea? Seems like the consensus here is that it's at least acceptable if not desirable to have.

Thank you for these write-ups, I'll need more time to review however I noticed Evan recently started a task in the upstream where it looks like he's investigating compiling PHP to a library for use with a custom native entrypoint which would allow distributing arcanist as a single binary (he estimates ~10mb in size).
https://secure.phabricator.com/T13675

Evan recently landed a boatload of changes to address this under https://secure.phabricator.com/T13658

Definitely agree that the effort to set up arcanist isn't huge. And at my current work, it's baked into our common Dev PC setup, so it's almost zero effort. But there is an effort, and a dev/user who is just passing by to fix a typo or suggest a one-line change in some code isn't going to be willing to do that effort.

This seems sensible to me, FWIW

@micax: Good points and it's helpful to hear another perspective on this. From my past experience using Phabricator on a corporate team I definitely think that arcanist helped keep everyone's workflow consistent and simple.

I find this rather interesting (and a little bit weird, to some extent), because IMO the arcanist command line tool is one of the things which IMO _add_ value to Phabricator and sets it apart from it's alternatives.

Fix line length

celerity map

Does anyone else feel that this is not a good idea? Seems like the consensus here is that it's at least acceptable if not desirable to have.

I did a bit of digging through the source code and it looks like tokens are implemented in an incredibly generic way, such that it wouldn't be at all difficult to add tokens to comments. I think the hardest part will be integrating it with the UI.

In T15090#2141, @avivey wrote:

In T15090#2123, @Matthew wrote:

@avivey Would it make sense to add a public announcement to Diviner or Phiction? Or perhaps we use Phame for this use case (Create a "Security Incidents" blog)? I always think of a task as an actionable item, whereas we would want this to exist forever.

Yes, probably. "Announcements"-style thing

@speck Would it be totally unreasonable to instead do:

As of right now, we have made no changes to the database and other "internals" - our work has been focused on rebranding as "Phabricator" is a trademarked name. For this reason, a rough migration path would be to check out the master branch of rP, copy the config directory from Phabricator to Phorge, and then point Phorge to your Phabricator database. I have tested it myself locally and it appears to work, however; if you have any issues feel free to ask a question on Ponder here and we can get back to you!

translations,The rebranding approach of changing the pht() keys will invalidate a lot of existing translations. Investigate if there are ways to avoid this.

We are now at a decision point where we either install Phorge from Scratch or migrate Phabricator to Phorge.

There is quite a bit of text that is setup like this:

pht(
  'blah blah blah %s blah blah'.
  'blah blah Phabricator blah %s'.
  'blah blah.',
  $var1,
  $var2);

Created {D25036}

This is a direct result of T15090: CVE-2022-24765 - Multi-user Git Privilege Escalation - confirmed in the Nginx error logs:

STDERR
fatal: unsafe repository ('/var/repo/1' is owned by someone else)
To add an exception for this directory, call:

As I started to thinking about the script to process the pht() files, it hit me that converting something something like:

FYI, it seemed that the issue with the wiki preview loading may be been related to tagging names... if the tags are removed, the preview loads

Nice one, thanks @Matthew!

Hmm, possibly depending on how it's hosted? What I saw when that CVE was announced on a local instance and on secure. was like the below screenshot, where the repo page was still visible but file structure and recent commits were b0rked:

Related to T15090: CVE-2022-24765 - Multi-user Git Privilege Escalation perhaps? Revisions are stored in the database that's why they're viewable, but the main repository page requires a call to git.

@dtf I've added you to the Trusted Contributors project, so you should be able to edit the page now.

(I am unable to edit the document directly, would someone with the right permissions mind adding this to the agenda please?)

In T15090#2123, @Matthew wrote:

That's intentional (upstream) because it's very hard to make any actual attack with this information can't be made without it.

Note: reporter exploited without permission

In T15090#2127, @Matthew wrote:

In T15090#2126, @golyalpha wrote:

apparently, Ubuntu maintainers have backported a patch for the older version of git in 20.04 LTS, downgrading to version 1:2.25.1-1ubuntu3 seems to be a temporary workaround, losing the following patches:

I don't think having people downgrade is a good idea. I think we should probably cherry-pick Evan's fix from upstream into the phorge codebase.

In T15090#2126, @golyalpha wrote:

apparently, Ubuntu maintainers have backported a patch for the older version of git in 20.04 LTS, downgrading to version 1:2.25.1-1ubuntu3 seems to be a temporary workaround, losing the following patches:

ahh, I was wondering why my Phorge install suddenly broke - seems to be the case here too

We need to cherry-pick and import the changes Evan made into the Phorge repository as well...

err, I was trying to put it out as a Security PSA, so I clicked "Create security task" which I guess is the opposite of a PSA...