Presentation is loading. Please wait.

Presentation is loading. Please wait.

How to be part of the MediaWiki developer community

Published byJordan Shields Modified over 7 years ago

Similar presentations

Presentation on theme: "How to be part of the MediaWiki developer community"— Presentation transcript:

1 How to be part of the MediaWiki developer community
Ryan Lane Wikimedia Foundation Inc.

2 Focus of this talk Why to participate Where to find resources
Methods of communication How to engage the community Our philosophy How to code for Wikimedia sites This presentation is on the whys and hows of being a MediaWiki developer. We're a great community and we want you to be a part of it. Ryan Lane, Wikimedia Foundation Inc. How to be part of the MediaWiki developer community

3 Why to participate Mentor and be mentored Build a strong reputation
Have a public work record Support an awesome mission Mentor and be mentored The open source community is a great place to teach and learn. The MediaWiki community is an even greater place. Our sites are huge, and we have difficult problems. Build a strong reputation Not many people get code deployed on a top 5 site. Having your code run live on Wikipedia means it was secure, performant, and scalable enough to run there. Have a public work record Employers love this. They can go check out working examples of your code. They can see your documentation, they can see your communications too. If you don't want a public work record, that's ok too. We allow the use of psuedonyms, like we when editing our sites. Support an awesome mission When you support MediaWiki, you help support our mission to bring knowledge to every person in the world Ryan Lane, Wikimedia Foundation Inc. How to be part of the MediaWiki developer community

4 Where to find resources
mediawiki.org wikitech.wikimedia.org Mailing list archives These slides Me, after the talk mediawiki.org This is the site we use for documentation of mediawiki. It has documentation for how to use the software as an end user, a system administrator, and as a developer wikitech.wikimedia.org This is the site we use to document the WMF architecture. This is a great site to use if you'd like to contribute to the ops team. Also, this is a great place to learn what type of architecture you'll be writing code for. Mailing list archives We have archives going back for a long time. You can use these to see how past architecture decisions were made, and find solutions to problems you may be having. These slides There are resources in the last four slides of this presentation Me, after the talk, or online I'm always willing to talk about this stuff, and love to do it. Find me online. Ryan Lane, Wikimedia Foundation Inc. How to be part of the MediaWiki developer community

5 How to engage the community
Discuss Commit Participate How to engage the community If your software is for a Wikimedia site, begin by discussing your idea on mailing lists (ideally) or IRC Submit patches to bugzilla Get commit access Submitting changes to our SVN server makes it easier for us to code review, and collaborate with you. Actively participate in code review We have a code review tool where things are marked as “fixme” or “ok”, etc. The code review tool allows us to discuss each revision, and work towards solutions to problems with commits. Actively participate in mailing list threads about your software Occasionally your software will be discussed on the lists. It is important to participate in these discussions. You can also make announcements to the lists about new releases of extensions, or upcoming changes to major pieces of code. Ryan Lane, Wikimedia Foundation Inc. How to be part of the MediaWiki developer community

6 How to engage the community
Document Communicate changes Don't be afraid of a language barrier Be an ambassador, if possible If your software is an extension, document it on mediawiki.org on an extension page If you are making core code changes, update the appropriate documentation on mediawiki.org If you are adding hooks, add them to the hooks documentation Make sure you let people know what you are changing. Communication is key! If you are working on a piece of core code, and are making major changes, it is very important to notify others, otherwise you may be breaking something they are working on, or may be changing something they are relying on. Don't be afraid of a language barrier. We have developers from all of the world, most of which english isn't their first language. We will try to always find a way to help. Recently we had a German developer in the #wikimedia channel asking for development help. I was trying my best to help, but was having problems. A german user also happened to be in the channel and helped translate for me. I was able to help the dev get through the problem they were having. Being an ambassador is a great way to contribute, even if you can't help with technical changes. You can help others make these changes by helping us with the language barrier. Ryan Lane, Wikimedia Foundation Inc. How to be part of the MediaWiki developer community

7 Our philosophy Engage early Release early, release often
Scratch your own itch Engage early Let us know how you are interested in helping, and what you are working on. This let's us help you early in the process, and will make coding way easier. Release early, release often Your code doesn't need to be totally finished to submit it. Give us your betas, your alphas, and your pre-alphas. Our appetite for code is insatiable. Check in code often, even if it isn't fully complete. This gives us the ability to review your code in increments over time, and give feedback on how it is architected. Scratch your own itch You don't have to work on something we want. If you want to improve something, do it. This is how most of our developers operate. My itch is authentication. My first contribution was the LDAP plugin, because I wanted to use MediaWiki in my organization, but I didn't want to maintain another database of usernames and passwords. Over time I've incrementally added support for every major LDAP server on every major platform. I've written support for SSL client authentication, kerberos, Web SSO, etc. None of this is used on Wikimedia sites, but the code is used in thousands of third party wikis. Since these third parties can use the software, they can also participate in the community, and may contribute changes that help WMF and others that would not have overwise been helped. Remember: your code can help the community even if you think it won't. Ryan Lane, Wikimedia Foundation Inc. How to be part of the MediaWiki developer community

8 Coding for WMF: Security
Security is important. Really. People rely on developers to write secure code, so: An insecure extension in SVN... An insecure extension on Wikipedia... No, really, it seriously is. We are able to stay sane, even with a small team because our software is secure, and we don't have to constantly battle security problems. People rely on developers to write secure code, so: Insecure extension in SVN = security risk for unwitting third-party wiki admins and their users Insecure extension on Wikipedia = security risk for 300 million users Also, third party sites are very likely to use extensions that are used on Wikimedia sites, as they are known to work well, be kept up to date, and are well known. This means you also cause even greater harm to third parties Ryan Lane, Wikimedia Foundation Inc. How to be part of the MediaWiki developer community

9 Common vulnerabilities to avoid
SQL injection Cross site scripting (XSS) Cross site request forgery (CSRF) Register Globals These are some of the most common vulnerabilities. We regularly find them in code review, and reject code submissions because of them. In general, they are fairly easy to avoid, if you follow good programming practices. Ryan Lane, Wikimedia Foundation Inc. How to be part of the MediaWiki developer community

10 SQL injection Problem: Fix:
$sql = "INSERT INTO Students VALUES ( $name, ... );"; → INSERT INTO Students VALUES ( 'Robert' ); DROP TABLE Students; --', ... ); Fix: INSERT INTO Students VALUES ( 'Robert\'); DROP TABLE Students; - -' , ... ); Here we have code accepting arbitrary input from a user. It can lead to a vulnerability being exploited, as shown directly below the code. To fix this problem, you should escape the input. Ryan Lane, Wikimedia Foundation Inc. How to be part of the MediaWiki developer community

11 Using MediaWiki's functions
Unacceptable: $dbr->query( "SELECT * FROM foo WHERE foo_id=' $id'" ); Acceptable: $escID = $dbr->addQuotes( $id ); $dbr->query( "SELECT * FROM foo WHERE foo_id= $escID" ); Correct: $dbr->select( 'foo', '*', array( 'foo_id' => $id ) ); There are three ways to handle this. The first is the unacceptable, vulnerable way. The second is acceptable, and is what you will see commonly in other code bases. It is not the preferred method since it makes code review more difficult, as the code isn't demonstrably secure. The third way is the preferred way to handle this. It uses MediaWiki's functions to parameterize the SQL statement. It is preferred because it is demonstrably secure. It makes code review easy, since it is obvious by reading it that there will be no vulnerabilities. Ryan Lane, Wikimedia Foundation Inc. How to be part of the MediaWiki developer community

12 Cross Site Scripting (XSS)
Problem: $val = $wgRequest->getVal( 'input' ); $wgOut->addHTML( "<input type=\"text\" value=\" $val\" />" ); Fix: value="<script>evilStuff();</script>" XSS is like Sql injection, except an attacker is injecting something into the HTML output instead of into the database. This shows a method that is accepting arbitrary input, and exporting it unescaped to the user. To fix this, you should ensure the input is escaped, and the output is not allowing arbitrary content. Ryan Lane, Wikimedia Foundation Inc. How to be part of the MediaWiki developer community

13 Using MediaWiki's functions
Unacceptable: $html = "<input type=\"text\" name=\"foo\" value=\" $val\" />"; Acceptable: $val = htmlspecialchars( $val ); $html = "<input type=\"text\" name=\"foo\" value=\" $val\" />"; Correct: $html = Html::input( 'foo', $val ); Like the database handling, there are three ways to handle this. The first is unacceptable, since it has a vulnerability. The second is acceptable, but is hard to code review since it isn't demonstrably secure. The third is the preferred way to handle this, since it uses MediaWiki's built in functions that handle the escaping for you. This makes code review simpler since the code is demonstrably secure. Ryan Lane, Wikimedia Foundation Inc. How to be part of the MediaWiki developer community

14 Cross Site Request Forgery (CSRF)
Problem: <form id="myForm" method="POST" action="....."> <input type="hidden" name="title" value="Foo" /> <input type="hidden" name="action" value="delete" /> <input type="hidden" name="wpReason" value="MUAHAHA" /> </form> <script> $( '#myForm' ).submit(); </script> Fix: $html .= Html::hidden( 'token', $wgUser->editToken() ); ... if ( !$wgUser->matchEditToken( $token ) ) { // refuse edit CSRFs are one of the most common vulnerabilities online. It allows an attacker to use a third party to submit to a form using your credentials. If your extension doesn't have CSRF protections, that malicious third party form will be used to initiate actions in MediaWiki using the credentials of a logged in user. To handle this, you should use tokens for form submission. MediaWiki has the HTMLForm form class that can be used to build forms that has built in CSRF protection. Ryan Lane, Wikimedia Foundation Inc. How to be part of the MediaWiki developer community

15 General notes on security
Don't trust anyone Sanitize all input Write code that is demonstrably secure Best of all: try to break and hack your own code Don't trust anyone, not even your users. Especially not your users. Sanitize all input, or ensure your output is rock solid, preferably using MediaWiki's WebRequest class, when possible. Unsanitized input is the cause of most vulnerabilities. Use tokens in forms, use the HTMLForm class, if possible as it does this for you to avoid CSRF Write code that is demonstrably secure. This keeps our code reviewers sane, makes your code more likely to pass review, and makes maintaining your code in a secure way much easier. Read Security for developers in the below resources slide. Best of all: try to break and hack your own code. Not only is this good practice, but it is also really fun! I do this a daily as a developer and operations engineer and it keeps my job exciting. I like to do security reviews of other people's code for the same reason. Ryan Lane, Wikimedia Foundation Inc. How to be part of the MediaWiki developer community

16 Coding for WMF: Scalability and performance
Wikimedia sites are huge 5th most visited web presence Code must be: Performant Scalable Wikipedia is huge 50-100k requests per second 2-4k of those fire up MediaWiki enwiki alone has 20 million pages and almost 400 million revisions For your code to handle these conditions, you need to pay attention to scalability and performance Ryan Lane, Wikimedia Foundation Inc. How to be part of the MediaWiki developer community

17 This is an example of the sites having problems cause of a memory leak in a patch to Varnish. At the beginning of week 40, we put in a patch to do geoip lookups. The patch had a few memory leaks. In weeks 40 and 41 we had site outages because of this because the Varnish servers ran out of memory, and went into swap. This caused a major spike in system load (over 3,000 system load). The memory leaks themselves weren't really that large, but due to the huge number of requests occurring, the systems were leaking roughly 5GB of memory a day. Ryan Lane, Wikimedia Foundation Inc. How to be part of the MediaWiki developer community

18 Then let's talk about scalability and performance!
Every time someone causes an outage because of a software bug, they make a bunny cry. No one wants to make a bunny cry, right? Then let's talk about scalability and performance! Ryan Lane, Wikimedia Foundation Inc. How to be part of the MediaWiki developer community

19 Coding for WMF: Scalability and performance
Cache Optimize Profile Things to keep in mind when implementing: Cache as much as you can If it is expensive to generate, you should cache it Remember though, that some things are more expensive to cache than to regenerate. Profiling will help here. Optimize database queries Ask for advice! This is a complex subject. Even some of our best developers have problems with this occasionally. Discussing your database queries with some of our experts is a great way to learn, and will help ensure your code is performant Profile MediaWiki has profiling functions built in that run live. Make use of them to find hot spots in your code. Ryan Lane, Wikimedia Foundation Inc. How to be part of the MediaWiki developer community

20 MediaWiki Profiling http://noc.wikimedia.org/cgi-bin/report.py
MediaWiki's profile runs live at all times on WMF sites This lets us see hot spots in our code under real conditions Profling data is sent via UDP to our UDP logging daemon. This is a core feature of MediaWiki, you can use this too! You can also send profiling data to a file, or to a database. Ryan Lane, Wikimedia Foundation Inc. How to be part of the MediaWiki developer community

21 Coding for WMF: Concurrency
Assume a clustered architecture, always Your code will run concurrently It can result in strange bugs Always assume your code is running on a cluster. Always. WMF has ~180 Apache servers running multiple Apache processes Your code will likely run on many instances at the same time This can result in weird bugs you didn't/couldn't notice locally Remember that the database servers are clustered as well Slaves generally have a lag time, so do reads from the master if the data must be up to date Ryan Lane, Wikimedia Foundation Inc. How to be part of the MediaWiki developer community

22 Closing notes This talk is an incomplete guideline
Being a MediaWiki developer is hard But it is very rewarding! Communication is very important Ask the experts! This talk is an incomplete guideline Being a MediaWiki developer is hard, especially when developing for WMF sites But doing so is very rewarding! Communication is very important Ask the experts! Talk to us on IRC and on the mailing lists. Do it often. We love to help. Ryan Lane, Wikimedia Foundation Inc. How to be part of the MediaWiki developer community

23 Questions / comments? E-mail: Ryan Lane <ryan@wikimedia.org>
IRC: Freenode: #mediawiki, #wikimedia-dev, #wikimedia-tech Mailing lists: mediawiki-l, wikitech-l Ryan Lane, Wikimedia Foundation Inc. How to be part of the MediaWiki developer community

24 Communication resources
Mailing lists Important lists: mediawiki-l: A MediaWiki support list wikitech-l: A MediaWiki developer's list mediawiki-api: A MediaWIki developer's list for the API IRC channels (on freenode) #mediawiki: A MediaWiki support channel #wikimedia-dev: A MediaWiki developer's channel Ryan Lane, Wikimedia Foundation Inc. How to be part of the MediaWiki developer community

25 Developer resources - developer hub Developer hub: lists resources, guidelines, and code documentation a How to become a MediaWiki hacker: introduction into how to do MediaWiki development Security for developers: essential security documentation Ryan Lane, Wikimedia Foundation Inc. How to be part of the MediaWiki developer community

26 Developer resources Coding conventions: conventions required for all Wikimedia run software Localisation: resources to write code that can be easily localised Code review guide: how your code will be reviewed before inclusion MediaWiki is localized in over 300 languages. Ryan Lane, Wikimedia Foundation Inc. How to be part of the MediaWiki developer community

Download ppt "How to be part of the MediaWiki developer community"

Similar presentations

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Computer Science 162 Section 1 CS162 Teaching Staff.

Computer Science 162 Section 1 CS162 Teaching Staff.
When will our bugs be fixed? When will our new features be added? When will the next release come out? Is my server up-to-date? Users Committers Program.

When will our bugs be fixed? When will our new features be added? When will the next release come out? Is my server up-to-date? Users Committers Program.
U-Mail System Design Specification Joseph Woo, Chris Hacking, Alex Benson, Elliott Conant, Alex Meng, Michael Ratanapintha April 28, 2008 1.

U-Mail System Design Specification Joseph Woo, Chris Hacking, Alex Benson, Elliott Conant, Alex Meng, Michael Ratanapintha April 28,
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.
© All rights reserved. Zend Technologies, Inc. PHP Security Kevin Schroeder Zend Technologies.

© All rights reserved. Zend Technologies, Inc. PHP Security Kevin Schroeder Zend Technologies.
Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.

Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.
COMP3121 E-Commerce Technologies Richard Henson University of Worcester November 2011.

COMP3121 E-Commerce Technologies Richard Henson University of Worcester November 2011.
Feedback #2 (under assignments) Lecture Code:

Feedback #2 (under assignments) Lecture Code:
Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.

Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.
Web Applications Testing By Jamie Rougvie Supported by.

Web Applications Testing By Jamie Rougvie Supported by.
Building Secure Web Applications With ASP.Net MVC.

Building Secure Web Applications With ASP.Net MVC.
Mtivity Client Support System Quick start guide. Mtivity Client Support System We are very pleased to announce the launch of a new Client Support System.

Mtivity Client Support System Quick start guide. Mtivity Client Support System We are very pleased to announce the launch of a new Client Support System.
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.

Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
Aaron Corso COSC356-001 Spring 2012. What is LAMP?  A ‘solution stack’, or package of an OS and software consisting of:  Linux  Apache  MySQL  PHP.

Aaron Corso COSC Spring What is LAMP?  A ‘solution stack’, or package of an OS and software consisting of:  Linux  Apache  MySQL  PHP.
Page 1 Ethical Hacking by Douglas Williams. Page 2 Intro Attackers can potentially use many different paths through your application to do harm to your.

Page 1 Ethical Hacking by Douglas Williams. Page 2 Intro Attackers can potentially use many different paths through your application to do harm to your.
The Site Architecture You Can Edit Varnish Mobile? Ryan Lane Wikimedia Foundation Membase? Swift.

The Site Architecture You Can Edit Varnish Mobile? Ryan Lane Wikimedia Foundation Membase? Swift.
Wikimedia architecture Ryan Lane Wikimedia Foundation Inc.

Wikimedia architecture Ryan Lane Wikimedia Foundation Inc.
Wikimedia architecture Ryan Lane Wikimedia Foundation Inc.

Wikimedia architecture Ryan Lane Wikimedia Foundation Inc.

Similar presentations

Ads by Google