
golyalpha (Radek Goláň)
User

User Details

User Since
Oct 27 2021, 11:50 (30 w, 3 d)
Availability
Available

Recent Activity

Yesterday

golyalpha added a comment to T15094: Catch up the master branch to upstream.

To be fair, I wouldn't discount already needing access as a viable attack vector, even on private installations.

Sat, May 28, 06:38 · Trusted Contributors, Phorge
golyalpha added a comment to T15094: Catch up the master branch to upstream.

The disclosed issue is that someone can gain access to Files objects they don't have access to by, for example, getting someone with permissions to edit a task they wrote (by including a reference to that file which gets "activated" when the person with permissions to view it saves the edit), which makes the file accessible via the task description.

Sat, May 28, 06:19 · Trusted Contributors, Phorge
golyalpha added a comment to T15094: Catch up the master branch to upstream.

Upstream-T13683

IMPORTANT: This release mitigates a severe security issue which allows attackers with few permissions to gain access to files they can not otherwise see. All installs are strongly advised to upgrade.
Sat, May 28, 05:10 · Trusted Contributors, Phorge

Sat, May 21

golyalpha added a comment to T15094: Catch up the master branch to upstream.
In T15094#2292, @speck wrote:

I did not think we had Harbormaster set up to run unit tests - I think that involves configuring both Harbormaster and Drydock, and possibly Almanac which I don't think anyone has done.

I'll go back and review those Harbormaster file changes. Thanks for pointing that out!

Sat, May 21, 16:40 · Trusted Contributors, Phorge
golyalpha added a comment to T15094: Catch up the master branch to upstream.
In T15094#2281, @dcog wrote:

This would be a legitimately good exercise to try and do "properly"... although, the thought of not doing it optimally can be a bit of a barrier to starting..

Given the edge cases outlined in T15094#2279, would there be cases in step 2 (or 1?) from T15094#2259 that might benefit from Git cherry-picking? @golyalpha, any thoughts on that? I nearly never have to use cherry-picking, or maybe I should, but either way I'm not very familiar with it other than I'm wondering if it may be relevant

After some reading I'm finding that, as far as I can tell, it's not designed to pick/integrate *specific lines* from a diff, but rather a specific whole commit (from any local or remote branch most likely).. if I'm understanding it correctly

But, perhaps, it could still have the same effect as removing lines from one, and keeping lines from the other when grabbing specific whole commits

The more I think about this the more I'm confusing myself, but hopefully some fraction of this makes sense

Sat, May 21, 16:37 · Trusted Contributors, Phorge

Thu, May 12

golyalpha added a comment to T15094: Catch up the master branch to upstream.

If we merge, a force-push should not be required - unless you mean something other than standard git merge here.

Thu, May 12, 06:19 · Trusted Contributors, Phorge

Apr 16 2022

golyalpha added a comment to T15090: CVE-2022-24765 - Multi-user Git Privilege Escalation.

Apparently, Ubuntu maintainers have backported a patch for the older version of git in 20.04 LTS; downgrading to version 1:2.25.1-1ubuntu3 seems to be a temporary workaround, losing the following patches:

I don't think having people downgrade is a good idea. I think we should probably cherry-pick Evan's fix from upstream into the phorge codebase.

Apr 16 2022, 04:58 · Phorge General/Unknown, Restricted Project

Apr 15 2022

golyalpha added a comment to T15090: CVE-2022-24765 - Multi-user Git Privilege Escalation.

Ahh, I was wondering why my Phorge install suddenly broke - seems to be the case here too

Apr 15 2022, 19:38 · Phorge General/Unknown, Restricted Project

Apr 4 2022

golyalpha added a comment to T15059: Phabricator doesn't email @outlook.com addresses.

Alright, I've just gone through a similar process - they apparently have changed their process a little but there still is a form to fill out: https://support.microsoft.com/en-us/getsupport?oaspworkflow=start_1.0.0.0&wfname=capsub&productkey=edfsmsbl3 (you need a Microsoft Account to fill it out, but they'll contact you on the contact email you give in the form)

Apr 4 2022, 10:06 · Phorge
golyalpha closed T15087: [removed] as Invalid.

Obviously spam.

Apr 4 2022, 09:58

Apr 3 2022

golyalpha created T15086: Support Inbound Mail over IMAP.
Apr 3 2022, 18:17 · Mail

Apr 1 2022

golyalpha added a comment to T15082: Consider allowing milestone columns to be ordered arbitrarily on workboards.

Reordering milestones is convenient when you want to treat milestones as workflow steps rather than sequential numerical versions.

Apr 1 2022, 05:40 · Projects

Mar 29 2022

golyalpha added a comment to T15077: Rebrand: Tracking task.

Since all changes are going to be submitted to the upstream prior to landing here in Phorge it would be easiest if changes were made to a clone of Phabricator and not a clone of Phorge.

Mar 29 2022, 07:26 · Phorge
golyalpha added a comment to T15082: Consider allowing milestone columns to be ordered arbitrarily on workboards.

epriestley was very much against this idea but Wikimedia's users loved it.

Mar 29 2022, 07:16 · Projects

Mar 25 2022

golyalpha updated the task description for T15080: Intermittent DNS issues when attempting to visit we.phorge.it.
Mar 25 2022, 11:52 · Phorge Upstream
golyalpha added a comment to T15080: Intermittent DNS issues when attempting to visit we.phorge.it.
In T15080#1970, @speck wrote:

Unfortunately this type of issue is in an area that's beyond my network/configuration experience. Is CloudFlare our NS provider?

Mar 25 2022, 09:21 · Phorge Upstream
golyalpha added a comment to T15078: Support for hardware keys as second factor.

What you're talking about is more like mTLS (mutual TLS), that's not actually how WebAuthn works. (Though supporting mTLS for sign-ins might also be something worth looking into)

Mar 25 2022, 09:19 · Auth

Mar 24 2022

golyalpha added a comment to T15078: Support for hardware keys as second factor.

We should definitely focus on implementing WebAuthn, as that allows us to support almost every standard hardware key solution out there.

Mar 24 2022, 18:35 · Auth
golyalpha created T15080: Intermittent DNS issues when attempting to visit we.phorge.it.
Mar 24 2022, 18:19 · Phorge Upstream

Mar 23 2022

golyalpha created T15078: Support for hardware keys as second factor.
Mar 23 2022, 16:50 · Auth

Mar 22 2022

golyalpha updated the task description for T15077: Rebrand: Tracking task.
Mar 22 2022, 12:39 · Phorge

Mar 21 2022

golyalpha added a comment to T15069: Disable spammers.

Another one popped up: https://we.phorge.it/p/seo-auckland/

Mar 21 2022, 15:59 · Upstream General/Unknown

Mar 17 2022

golyalpha updated the task description for T15071: Setup recurring Core meeting.
Mar 17 2022, 16:59 · Governance

Mar 16 2022

golyalpha added a comment to T15059: Phabricator doesn't email @outlook.com addresses.

I had experience with emails from my self-hosted mailserver not reaching Microsoft-hosted mailboxes. As far as I remember, their SMTP replies to "suspicious" mail servers with a message that includes a link to some sort of a form which the mail admin should fill out. That worked for me - might need to dig through the server logs to see the link though.

Mar 16 2022, 11:17 · Phorge
golyalpha added a comment to T15072: Update Python-related linters for modern workflows.

Might be worth it having the linter classes inherit from a language-specific class that would handle things like environment initialization and dependency installation.

Mar 16 2022, 10:03 · Arcanist

Mar 15 2022

golyalpha added a comment to T15072: Update Python-related linters for modern workflows.

Checking the source in Arcanist repo, it seems like none of the python linters are actually configured to use an interpreter. (If I attempt to specify one for Pylint anyway, it fails with Got unexpected parameters: interpreter)

Mar 15 2022, 08:59 · Arcanist

Mar 13 2022

golyalpha added a comment to T15072: Update Python-related linters for modern workflows.

Right now, arc lint doesn't really allow for the activation of a virtual env. That's okay when I'm just running arc lint locally, because I can just activate the environment myself and run it in that environment.

Mar 13 2022, 16:16 · Arcanist

Mar 12 2022

golyalpha created T15072: Update Python-related linters for modern workflows.
Mar 12 2022, 09:05 · Arcanist

Dec 9 2021

golyalpha added a comment to T15058: Improve page layout for mobile devices.

Hmm, yeah, looks to be something with how Firefox renders sites... Can confirm that reload fixes the layout.

Dec 9 2021, 12:50
golyalpha added a comment to T15060: Better Pirate English.

Well, there are inconsistencies. For example, subscribers are called "spies" in the task overview, but "subscribers" in the task history, and "spies" again in task actions.

Dec 9 2021, 12:44 · Localization, Phorge

Dec 5 2021

golyalpha added a comment to T15058: Improve page layout for mobile devices.

It's a 720x1440 device, which is on the low end of screen resolutions nowadays.

Dec 5 2021, 13:56

Nov 1 2021

golyalpha created T15060: Better Pirate English.
Nov 1 2021, 19:56 · Localization, Phorge

Oct 29 2021

golyalpha added a comment to T15033: Add option for GDPR Warning Suggestion.

@golyalpha As my current employer is one of the largish companies, (50,000+ international employees), but not primarily software focused we have all been given GDPR awareness training but do not have a general, all employees, GDPR statement available nor a standard text or set of texts to use.
When I was deploying a Phabricator instance I actually had to come up with the wording myself and then get it approved by the legal & compliance team - my biggest hurdle was convincing them of the required data retention period - they were much more used to systems such as payroll & HR where records are only retained for a fixed number of years after the period of employment as demanded by things like the local tax regulations and the idea that due to legal liability, etc., we needed to retain the information for the full life of the product being developed and possibly beyond if components were reused.

Oct 29 2021, 08:04 · Phorge
golyalpha added a comment to T15033: Add option for GDPR Warning Suggestion.

I18n is also fairly important from the point of view that citizens in certain jurisdictions are basically legally immune against documents written in a language different from the official language of their jurisdiction, so, +1 on that.

Oct 29 2021, 05:30 · Phorge
golyalpha added a comment to T15033: Add option for GDPR Warning Suggestion.

Yes, that's why I'm saying "yeah, great idea, let's do this, but let's also create a config toggle so that it can be disabled for people and orgs who don't need it".

Oct 29 2021, 05:20 · Phorge

Oct 28 2021

golyalpha added a comment to T15033: Add option for GDPR Warning Suggestion.

Yes, the GDPR notice must inform about each and every purpose specifically. But it must do so only once - that can be at sign up.

Oct 28 2021, 06:11 · Phorge

Oct 27 2021

golyalpha updated the task description for T15058: Improve page layout for mobile devices.
Oct 27 2021, 18:41
golyalpha added a comment to T15058: Improve page layout for mobile devices.

It's not just visual - I'm actually unable to open the individual tasks.

Oct 27 2021, 18:41
golyalpha created T15058: Improve page layout for mobile devices.
Oct 27 2021, 18:38
golyalpha updated the task description for T15057: Kubernetes support in Almanac/Drydock/Harbormaster.
Oct 27 2021, 16:54 · Almanac, Drydock, Harbormaster
golyalpha created T15057: Kubernetes support in Almanac/Drydock/Harbormaster.
Oct 27 2021, 15:40 · Almanac, Drydock, Harbormaster
golyalpha added a comment to T15051: default.pem in Arcanist is out of date.

+1 to removing default.pem
/shrug on keeping custom.pem

Oct 27 2021, 13:50 · Arcanist
golyalpha added a comment to T15051: default.pem in Arcanist is out of date.

What was the original rationale behind shipping a certificate bundle with Arcanist? It may be better to rely on the system certificate bundle instead (that also tends to have certificates from, for example, internal company issuers as well).

Oct 27 2021, 13:15 · Arcanist
golyalpha updated golyalpha.
Oct 27 2021, 12:50
golyalpha added a comment to T15056: Work on Dark Mode.

A perfect example of "hard to see" things in dark mode

Oct 27 2021, 12:46
golyalpha added a comment to T15033: Add option for GDPR Warning Suggestion.

Definitely a good idea for anyone who wants to run Phorge in EU/UK or work with EU/UK contributors. Though it really is only necessary for the signup page - individual repositories really only have to worry about CLAs (if relevant).

Oct 27 2021, 12:32 · Phorge
golyalpha awarded T15033: Add option for GDPR Warning Suggestion a Love token.
Oct 27 2021, 12:14 · Phorge