Full steam ahead on Visual Editor, the avoidance of lock-breaking and 1.18b1 release

October Engineering Report published

The Wikimedia Foundation's Engineering Report for October was published last week on the Wikimedia Techblog and on the MediaWiki wiki, giving an overview of all Foundation-sponsored technical operations in that month. Many of the projects mentioned have been covered in The Signpost, including the New Orleans hackathon, the introduction of native https support for all Wikimedia wikis, and the local deployment of MediaWiki 1.18. Also included among the headlines on the report were the deployment of the Translate extension to Meta-Wiki and the completion of the first revision of the MediaWiki architecture document.

As described in brief in last week's "Technology report", progress is being made on a new parser and visual editor combination. The official engineering report documented exactly where that progress was coming from, with at least six developers (Trevor Parscal, Inez Korczynski, Roan Kattouw, Neil Kandalgaonkar, Brion Vibber and Gabriel Wicke, who only joined the team recently) each working on different elements of it concurrently.

Progress in other areas was more restrained but still being made; for example, developer Andrew Garrett worked on a script to convert existing LiquidThreads installations to the new, revised schema. Likewise, the "last critical bugs" in version 0.9 of WMF-supported offline reader Kiwix were fixed, with the release candidate cycle expected to begin shortly. There was also some bad news in the report, however, as it described how data analyst Erik Zachte had discovered inconsistencies in his report card numbers, which were investigated and attributed to packet loss of up to 25%, rendering several figures unreliable.

Scheduled for November are substantive work on the Git conversion and https support on the mobile platform to mirror that available on the non-mobile site.

User script writers grapple with protocol-relative URLs

With the switchover to native https slowly fading into history, the baton for ensuring total security has been passed on to script writers. This is because, although all interface images were switched over to using protocol-relative URLs, many user scripts will also have to be updated to use the new format.

Forcing use of insecure images or dependency scripts negates much of the benefit of using a secure site; as a consequence, browsers are right to show warnings, Ryan Lane explained. And as Brion Vibber described, the warnings are often very obvious: "Firefox can throw up a scary dialog box on every page view... Chrome does the big scary X-ing out of the 'https'... IE in latest versions just ignores any of the content that came over HTTP unless you opt back into it by clicking on a little bar at the bottom of the window" (Words and what not blog).

And so, with increasing numbers of users expected to switch to using the https version of the site, more and more script developers have been working to clear up any warnings; nonetheless, help will be needed within smaller sites to fix code copied and pasted from larger wikis months or even years before the https support went native.

In brief

Not all fixes may have gone live to WMF sites at the time of writing; some may not be scheduled to go live for many weeks.

How you can help

Help track down old developers

As developer Chad Horohoe explained on the wikitech-l mailing list, the conversion from SVN to Git requires that names and email addresses be input for all contributors to the project. Since SVN had no such requirement, help is needed to pair up the correct names and email addresses with old developer pseudonyms (help now).

• 1.18 beta 1 released: following the successful deployment of MediaWiki 1.18 to Wikimedia wikis earlier this month (Signpost coverage), the first "tarball" version of the software has been released (wikitech-l mailing list). Although tarball releases enabled non-Wikimedia wikis to utilise MediaWiki's latest features, the advice for this beta version is to avoid "run[ning] it on any wikis that you really care about". The release is the first to come packaged with extensions, which enables a cleaner "straight out of the box" experience.
• CAPTCHA vulnerabilities exposed: Several publications, among them PC World and CRN.com, picked up on a recent report of efforts by researchers at Stanford University to break the CAPTCHA security measures which form part of major websites' protection against spamming. One in four attempts at cracking Wikipedia's CAPTCHA defences were successful, compared with 43% for eBay, 20% for Digg, 16% for CNN.com and 5% for Baidu. Only Google and reCAPTCHA were invulnerable to infiltration attempts, in an experiment which may raise eyebrows among WMF developers keen to prevent abuse of Wikimedia wikis. Nonetheless, Wikimedians can no doubt take pride in the fact that obvious spamming of the sort orchestrated by bots and normally prevented by CAPTCHAs is, in any case, unlikely to go unnoticed for long.
• Data analytics staffing explained, hiring: Director of Platform Engineering Rob Lanphier this week posted a description of the WMF's data analytics team on the Wikimedia blog. Lanphier explained that the team is responsible for "building out our logging and data mining infrastructure, and for making Wikimedia-related statistics useful to other parts of the Foundation and the movement". He added that it was "hiring for two full-time analytics positions right now, plus a contract opportunity".
• Puppet, LDAP, autofs, and Nova: Ryan Lane, Operations Engineer at the WMF, used two posts on his personal blog to explore the work he has recently been doing for the Foundation. Both "Sharing home directories to instances within a project using puppet, LDAP, autofs, and Nova" and "A process for puppetization of a service using Nova" were targetted at sharing best practice among those responsible for the performance of large websites; in related news, this week's Engineering report highlighted how the WMF were working with the JuJu project to enable the sharing of DevOps practices.
• SMWCon presentation videos available: According to a post on the Semantic MediaWiki website, videos of talks and presentations from SMWCon Fall 2011 have been uploaded to YouTube. The conference had been held on September 21–23 in Berlin, Germany, with approximately forty attendees.

← Previous "Technology report"

Next "Technology report" →

In this issue

7 November 2011

Special report

News and notes

In the news

Discussion report

WikiProject report

Featured content

Arbitration report

Technology report

+ Add a comment

Discuss this story

These comments are automatically transcluded from this article's talk page. To follow comments, add the page to your watchlist. If your comment has not appeared here, you can try purging the cache.

• So does this mean the various issues with https support are being dealt with? Also, it would be convenient if https links to wikimedia pages (e.g., for a link to a specific article revision) within edits would automatically be translated back into ordinary http links, so other users get whatever they prefer (http or https). Edit: Oh, I see, https can be used for the same URL paths that http uses now – this should have been mentioned in the article. Nageh (talk) 17:18, 11 November 2011 (UTC)[reply]

Yes, you can just change http to https in the URL now, a fact only dropped from this article on the grounds it has appeared on all previous occasions the switchover has been mentioned. As you say, though, they is no automated switching based on user preference at the moment - so someone else can still link you to the "wrong" version. - Jarry1250 ^{[Weasel? Discuss.]} 17:48, 11 November 2011 (UTC)[reply]

Right, but it's actually already possible to use protocol-relative URLs in wikitext, which provide automatic switching, i.e. will point to HTTPS or HTTP depending on what the reader is using:

[//en.wikipedia.org/wiki/Wikipedia:Wikipedia_Signpost/2011-11-07/Technology_report] (results in [1])

Regards, HaeB (talk) 18:19, 11 November 2011 (UTC)[reply]

An email petitioner asked if we could change Signpost links to https; I wasn't sure if this would mess things up for people being logged-out etc. Would it be possible to accommodate both constituencies? Skomorokh 18:32, 11 November 2011 (UTC)[reply]

You mean the links in the mailing list email we send out? - Jarry1250 ^{[Weasel? Discuss.]} 23:40, 11 November 2011 (UTC)[reply]

Yup (blog, twitter etc. too I suppose). Skomorokh 13:47, 12 November 2011 (UTC)[reply]

Well, the problem there is that we need a defined entry point. "//" just means "stay on the same protocol as you were before" which isn't great when you're linking from offsite (and most browsers won't even observe it cross-domain anyhow). (Plus a // link isn't recognised as a link by lots of email clients.) - Jarry1250 ^{[Weasel? Discuss.]} 17:35, 13 November 2011 (UTC)[reply]