Graphs extension
- FelinaLavandula
- Regular
- Posts: 403
- Joined: Mon Nov 22, 2021 5:22 pm
- Nom de plume: Arugula
- Location: Canada
Graphs extension
Graphs extension has been disabled since April 18. You get a notice where graphs used to be that links to a now non-existent (archived) thread at the village pump (technical). That thread says it was disabled due to security issues. I went to the Meta page for the extension and it has a big fat security notice at the top but I couldn’t see any other new info. Does anyone know more about this or does it not matter/no one cares? I mean, it’s not like I’m desperate to get graphs back (the opposite really), but I’m wondering if there’s some context I’m missing here.
Edit: And I’m nosy.
- Hemiauchenia
- Habitué
- Posts: 1049
- Joined: Sun Mar 21, 2021 2:00 am
- Wikipedia User: Hemiauchenia
Re: Graphs extension
I'm not sure how that information is a security risk, given the exact same information is available via https://pageviews.wmcloud.org/ . The only exception I've found so far is the n-word, which for some reason stopped being tracked in early April, though the archived pageview data prior to that is still there. link
- Giraffe Stapler
- Habitué
- Posts: 3158
- Joined: Thu May 02, 2019 5:13 pm
Re: Graphs extension
FelinaLavandula wrote: ↑Sun May 28, 2023 3:30 am
Graphs extension has been disabled since April 18. You get a notice where graphs used to be that links to a now non-existent (archived) thread at the village pump (technical). That thread says it was disabled due to security issues. I went to the Meta page for the extension and it has a big fat security notice at the top but I couldn’t see any other new info. Does anyone know more about this or does it not matter/no one cares? I mean, it’s not like I’m desperate to get graphs back (the opposite really), but I’m wondering if there’s some context I’m missing here.
Edit: And I’m nosy.

Here ya go - Mailing list message and vulnerability details.
Re: Graphs extension
Hmm well it's only been a month, script injection exploits can be tricky if it's something non-standard. Surprised there has been no update though. They should at least have a grasp of the problem and a timeline for a fix by now.
Re: Graphs extension
They spent too much on severance packages for departed short-term executives, so nothing left over for hiring competent software engineers. Besides, why bother with that when you have "volunteers" working on the software.
No coffee? OK, then maybe just a little appreciation for my work out here?
- Giraffe Stapler
- Habitué
- Posts: 3158
- Joined: Thu May 02, 2019 5:13 pm
Re: Graphs extension
It's only been a month for this vulnerability. Very similar ones were reported in 2020. The WMF was using code that was released in 2015/2016. The Vega project seems to have been regularly updated since then, but the WMF never bothered to update what they were using. Someone would need to review the use on Wikipedia against these reports to see if these could actually be exploited.
Re: Graphs extension
The problem is that the Lua modules on the projects are themselves based on the standards used in the old version of Vega. They need to make a "translation layer" to deal with this, but that's clearly above their pay grade. They've already asked the community to deal with it themselves on the extension talk page by rewriting the modules. This whole thing is silly because Vega is an extremely powerful SVG library and the graph extension is only used for the most basic features. This is what you get for using heavyweight libraries for things you could have used vanilla JS to implement more elegantly and with only slightly more effort.
kekkou yoku naku yo na, omaetesa
- rainbow_owl
- Member
- Posts: 1
- Joined: Sat Feb 03, 2024 2:25 pm
Re: Graphs extension
It's really insane how something as important as graphs (important for an encyclopedia) can go unfixed for such a long time. It causes a huge loss of information as people stop adding information as a result. At the same time it seems to me no path to a solution has been made official and agreed on. It seems to me they should be raising donations to fix because it seems difficult and expensive to fix. But I have not seen them asking for money either.
- AndyTheGrump
- Habitué
- Posts: 3193
- Joined: Sat Aug 11, 2012 11:44 pm
- Wikipedia User: AndyTheGrump (editor/heckler)
Re: Graphs extension
rainbow_owl wrote: ↑Sun Feb 04, 2024 12:33 pm
It's really insane how something as important as graphs (important for an encyclopedia) can go unfixed for such a long time. It causes a huge loss of information as people stop adding information as a result. At the same time it seems to me no path to a solution has been made official and agreed on. It seems to me they should be raising donations to fix because it seems difficult and expensive to fix. But I have not seen them asking for money either.

Firstly,
As for 'asking for money', that hasn't been an issue for the WMF for a very long time. They are rolling in it. What they lack is the ability to make use of it for the purposes intended (i.e. keeping the servers running, and providing software support), rather than for whatever fixing-the-world scheme or boondoggle they think of next.
Re: Graphs extension
About the Vega Project
While Vega is useful in its own right (for example, Vega is deployed on Wikipedia to define visualizations directly within wiki pages), our primary motivation is for Vega to serve as a foundation for higher-level tools.

Should someone tell them?
"ἄνθρωπον ζητῶ" (Diogenes of Sinope)