Graphs extension

We examine the less than successful stories of the Wikimedia Foundation to create and use technology. The poster boy for this forum is Visual Editor.
FelinaLavandula
Regular
Posts: 403
Joined: Mon Nov 22, 2021 5:22 pm
Nom de plume: Arugula
Location: Canada

Graphs extension

Unread post by FelinaLavandula » Sun May 28, 2023 3:30 am

Graphs extension has been disabled since April 18. You get a notice where graphs used to be that links to a now non-existent (archived) thread at the village pump (technical). That thread says it was disabled due to security issues. I went to the Meta page for the extension and it has a big fat security notice at the top but I couldn’t see any other new info. Does anyone know more about this or does it not matter/no one cares? I mean, it’s not like I’m desperate to get graphs back (the opposite really), but I’m wondering if there’s some context I’m missing here.
Edit: And I’m nosy.

Hemiauchenia
Habitué
Posts: 1049
Joined: Sun Mar 21, 2021 2:00 am
Wikipedia User: Hemiauchenia

Re: Graphs extension

Unread post by Hemiauchenia » Sun May 28, 2023 3:39 am

I'm not sure how that information is a security risk, given the exact same information is available via https://pageviews.wmcloud.org/ . The only exception I've found so far is the n-word, which for some reason stopped being tracked in early April, though the archived pageview data prior to that is still there. link

Giraffe Stapler
Habitué
Posts: 3158
Joined: Thu May 02, 2019 5:13 pm

Re: Graphs extension

Unread post by Giraffe Stapler » Sun May 28, 2023 4:29 am

FelinaLavandula wrote:
Sun May 28, 2023 3:30 am
Graphs extension has been disabled since April 18. You get a notice where graphs used to be that links to a now non-existent (archived) thread at the village pump (technical). That thread says it was disabled due to security issues. I went to the Meta page for the extension and it has a big fat security notice at the top but I couldn’t see any other new info. Does anyone know more about this or does it not matter/no one cares? I mean, it’s not like I’m desperate to get graphs back (the opposite really), but I’m wondering if there’s some context I’m missing here.
Edit: And I’m nosy.
Here ya go - Mailing list message and vulnerability details.

Anroth
Nice Scum
Posts: 3054
Joined: Thu May 24, 2012 3:51 pm

Re: Graphs extension

Unread post by Anroth » Sun May 28, 2023 7:21 am

Hmm well it's only been a month, script injection exploits can be tricky if it's something non standard. Surprised there has been no update though. They should at least have a grasp of the problem and a timeline for a fix by now.

No Ledge
Habitué
Posts: 1986
Joined: Fri Jul 28, 2017 4:13 pm
Wikipedia User: wbm1058

Re: Graphs extension

Unread post by No Ledge » Sun May 28, 2023 12:24 pm

Anroth wrote:
Sun May 28, 2023 7:21 am
Hmm well it's only been a month, script injection exploits can be tricky if it's something non standard. Surprised there has been no update though. They should at least have a grasp of the problem and a timeline for a fix by now.
They spent too much on severance packages for departed short-term executives, so nothing left over for hiring competent software engineers. Besides, why bother with that when you have "volunteers" working on the software. :angry:
No coffee? OK, then maybe just a little appreciation for my work out here?

Giraffe Stapler
Habitué
Posts: 3158
Joined: Thu May 02, 2019 5:13 pm

Re: Graphs extension

Unread post by Giraffe Stapler » Sun May 28, 2023 3:20 pm

Anroth wrote:
Sun May 28, 2023 7:21 am
Hmm well it's only been a month, script injection exploits can be tricky if it's something non standard. Surprised there has been no update though. They should at least have a grasp of the problem and a timeline for a fix by now.
It's only been a month for this vulnerability. Very similar ones were reported in 2020. The WMF was using code that was released in 2015/2016. The Vega project seems to have been regularly updated since then, but the WMF never bothered to update what they were using. Someone would need to review the use on Wikipedia against these reports to see if these could actually be exploited.

tinyboxs
Critic
Posts: 167
Joined: Wed May 03, 2023 10:42 am

Re: Graphs extension

Unread post by tinyboxs » Sun May 28, 2023 4:03 pm

The problem is that the Lua modules on the projects are themselves based on the standards used in the old version of vega. They need to make a "translation layer" to deal with this, but that's clearly above their pay grade. They've already asked the community to deal with it themselves on the extension talk page by rewriting the modules. This whole thing is silly because vega is an extremely powerful svg library and the graph extension is only used for the most basic features. This is what you get for using heavyweight libraries for things you could have used vanilla JS to implement more elegantly and with only slightly more effort.
kekkou yoku naku yo na, omaetesa

rainbow_owl
Member
Posts: 1
Joined: Sat Feb 03, 2024 2:25 pm

Re: Graphs extension

Unread post by rainbow_owl » Sun Feb 04, 2024 12:33 pm

It's really insane how something as important as graphs (important for an encyclopedia) can go unfixed for such a long time. It causes a huge loss of information as people stop adding information as a result. At the same time it seems to me no path to a solution has been made official and agreed on. It seems to me they should be raising donations to fix because it seems difficult and expensive to fix. But I have not seen them asking for money either.

AndyTheGrump
Habitué
Posts: 3193
Joined: Sat Aug 11, 2012 11:44 pm
Wikipedia User: AndyTheGrump (editor/heckler)

Re: Graphs extension

Unread post by AndyTheGrump » Sun Feb 04, 2024 2:10 pm

rainbow_owl wrote:
Sun Feb 04, 2024 12:33 pm
It's really insane how something as important as graphs (important for an encyclopedia) can go unfixed for such a long time. It causes a huge loss of information as people stop adding information as a result. At the same time it seems to me no path to a solution has been made official and agreed on. It seems to me they should be raising donations to fix because it seems difficult and expensive to fix. But I have not seen them asking for money either.
Firstly, :welcome:


As for 'asking for money', that hasn't been an issue for the WMF for a very long time. They are rolling in it. What they lack is the ability to make use of it for the purposes intended (i.e. keeping the servers running, and providing software support), rather than for whatever fixing-the-world scheme or boondoggle they think of next.

rnu
Habitué
Posts: 2453
Joined: Sat Jul 01, 2023 6:00 pm

Re: Graphs extension

Unread post by rnu » Sun Feb 04, 2024 8:11 pm

About the Vega Project
While Vega is useful in its own right (for example, Vega is deployed on Wikipedia to define visualizations directly within wiki pages), our primary motivation is for Vega to serve as a foundation for higher-level tools.
Should someone tell them?
"ἄνθρωπον ζητῶ" (Diogenes of Sinope)
