Re: MediaWiki-l Digest, Vol 147, Issue 3

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

Re: MediaWiki-l Digest, Vol 147, Issue 3

Jan Steinman-2
I'm not exactly a "noob", but I haven't kept up with PHP changes -- what is running is running, so why change?

So I was just punting on the "how long will it take to upgrade?" question. (I said "More than an hour", because just finding out the impact will take that long!)

So what exactly is the expected impact of upgrading PHP 5.3.8 to 5.5 or greater? (Note: I'm now officially in that "more than an hour" of upgrading.)

Having been stung by various upgrades over the years, I tend to not touch stuff that isn't broken. I'm running several MediaWiki sites between 1.13 and 1.16. I'd sorta like to upgrade, but I don't know what that buys me, and y'know, they're all working... :-)

Jan

On 2015-12-04, at 04:00, [hidden email] wrote:

> Send MediaWiki-l mailing list submissions to
> [hidden email]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
> or, via email, send a message with subject or body 'help' to
> [hidden email]
>
> You can reach the person managing the list at
> [hidden email]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of MediaWiki-l digest..."
>
>
> Today's Topics:
>
>   1. What PHP version do you use? (Tim Starling)
>   2. Re: What PHP version do you use? (Bill Traynor)
>   3. Re: What PHP version do you use? (Tim Starling)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 4 Dec 2015 12:25:41 +1100
> From: Tim Starling <[hidden email]>
> To: [hidden email]
> Subject: [MediaWiki-l] What PHP version do you use?
> Message-ID: <n3qq2m$92u$[hidden email]>
> Content-Type: text/plain; charset=utf-8
>
> If you manage a MediaWiki instance, please tell us what PHP version
> you use, and some other relevant information, by filling out this form:
>
> <https://docs.google.com/forms/d/1Z-io754bUxVujh100D4xvIwkiBIFk9Ef0j4TYrJ2zMc/viewform>
>
> You may have seen on wikitech-l that there is some controversy over
> whether we should require PHP 5.5 in the next major release of
> MediaWiki. I made this little survey in the interests of gathering
> some extra data to support our decision, beyond what we already have
> from WikiApiary.
>
> You don't need to log in to fill out the form, and no personal
> information will be forwarded to us.
>
> -- Tim Starling
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 3 Dec 2015 20:54:35 -0500
> From: Bill Traynor <[hidden email]>
> To: MediaWiki announcements and site admin list
> <[hidden email]>
> Subject: Re: [MediaWiki-l] What PHP version do you use?
> Message-ID:
> <[hidden email]>
> Content-Type: text/plain; charset=UTF-8
>
> Can we fill it out multiple times if we run manage more than one instance?
>
>
> On Thu, Dec 3, 2015 at 8:25 PM, Tim Starling <[hidden email]> wrote:
>> If you manage a MediaWiki instance, please tell us what PHP version
>> you use, and some other relevant information, by filling out this form:
>>
>> <https://docs.google.com/forms/d/1Z-io754bUxVujh100D4xvIwkiBIFk9Ef0j4TYrJ2zMc/viewform>
>>
>> You may have seen on wikitech-l that there is some controversy over
>> whether we should require PHP 5.5 in the next major release of
>> MediaWiki. I made this little survey in the interests of gathering
>> some extra data to support our decision, beyond what we already have
>> from WikiApiary.
>>
>> You don't need to log in to fill out the form, and no personal
>> information will be forwarded to us.
>>
>> -- Tim Starling
>>
>>
>> _______________________________________________
>> MediaWiki-l mailing list
>> To unsubscribe, go to:
>> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>
>
>
> ------------------------------
>
> Message: 3
> Date: Fri, 4 Dec 2015 14:34:45 +1100
> From: Tim Starling <[hidden email]>
> To: [hidden email]
> Subject: Re: [MediaWiki-l] What PHP version do you use?
> Message-ID: <n3r1km$me3$[hidden email]>
> Content-Type: text/plain; charset=utf-8
>
> Good question. I'm most interested in the amount of work it will take
> to upgrade PHP, so if you manage a hundred identical servers and will
> upgrade them all in bulk, then you shouldn't submit the form more than
> once, because that would be overrepresentative. But if you consult on
> several completely separate systems, each with their own quirks and
> dependencies, then I suppose it makes sense to submit the form more
> than once.
>
> I've added a checkbox to the form so that you can tell us if you are
> submitting it more than once.
>
> -- Tim Starling
>
> On 04/12/15 12:54, Bill Traynor wrote:
>> Can we fill it out multiple times if we run manage more than one instance?
>>
>>
>> On Thu, Dec 3, 2015 at 8:25 PM, Tim Starling <[hidden email]> wrote:
>>> If you manage a MediaWiki instance, please tell us what PHP version
>>> you use, and some other relevant information, by filling out this form:
>>>
>>> <https://docs.google.com/forms/d/1Z-io754bUxVujh100D4xvIwkiBIFk9Ef0j4TYrJ2zMc/viewform>
>>>
>>> You may have seen on wikitech-l that there is some controversy over
>>> whether we should require PHP 5.5 in the next major release of
>>> MediaWiki. I made this little survey in the interests of gathering
>>> some extra data to support our decision, beyond what we already have
>>> from WikiApiary.
>>>
>>> You don't need to log in to fill out the form, and no personal
>>> information will be forwarded to us.
>>>
>>> -- Tim Starling
>>>
>>>
>>> _______________________________________________
>>> MediaWiki-l mailing list
>>> To unsubscribe, go to:
>>> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>>
>> _______________________________________________
>> MediaWiki-l mailing list
>> To unsubscribe, go to:
>> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>>
>
>
>
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> MediaWiki-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>
>
> ------------------------------
>
> End of MediaWiki-l Digest, Vol 147, Issue 3
> *******************************************

:::: You know what? What makes our economy grow is energy. And Americans are used to going to the gas tank (sic), and when they put that hose in their, uh, tank, and when I do it, I wanna get gas out of it. And when I turn the light switch on, I want the lights to go on, and I don't want somebody to tell me I gotta change my way of living to satisfy them. Because this is America, and this is something we've worked our way into, and the American people are entitled to it, and if we're going improve (sic) our standard of living, you have to consume more energy. -- Chuck Grassley
:::: Jan Steinman, EcoReality Co-op ::::


_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: MediaWiki-l Digest, Vol 147, Issue 3

Alex Monk
On 4 December 2015 at 19:52, Jan Steinman <[hidden email]> wrote:

> Having been stung by various upgrades over the years, I tend to not touch
> stuff that isn't broken. I'm running several MediaWiki sites between 1.13
> and 1.16. I'd sorta like to upgrade, but I don't know what that buys me,
> and y'know, they're all working... :-)
>

Are you aware of what security issues (which are now public) your wikis are
vulnerable to? I am very sceptical that stuff "isn't broken", although I
(personally) am not going to research old issues, find your wiki, and then
attack it, to make a point. Have you really backported/rewritten patches
for all of them yourself? I've been involved in MediaWiki development for a
few years now - and 1.16 was obsolete before I started.
_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: MediaWiki-l Digest, Vol 147, Issue 3

chris tharp-2
Hi Alex and All others,

Doesn't this very issue go to the heart of the Mediawiki survey of Stakeholders found? Accordingly to the slideshow on that survey 71% of all independent users of Mediawiki use an old outdated version of the software. I think we can safely assume almost all of those users have not updated their sites with security patches. The problem is the technical knowledge to update Mediawiki is above the average user of the software and/or they lack command line access. By not having an easy GUI to both update the software and the extensions to the software it effectively leads to a lot of sites running with the ghost of Christmas past.

Sent from my iPad

> On Dec 4, 2015, at 12:29 PM, Alex Monk <[hidden email]> wrote:
>
>> On 4 December 2015 at 19:52, Jan Steinman <[hidden email]> wrote:
>>
>> Having been stung by various upgrades over the years, I tend to not touch
>> stuff that isn't broken. I'm running several MediaWiki sites between 1.13
>> and 1.16. I'd sorta like to upgrade, but I don't know what that buys me,
>> and y'know, they're all working... :-)
>>
>
> Are you aware of what security issues (which are now public) your wikis are
> vulnerable to? I am very sceptical that stuff "isn't broken", although I
> (personally) am not going to research old issues, find your wiki, and then
> attack it, to make a point. Have you really backported/rewritten patches
> for all of them yourself? I've been involved in MediaWiki development for a
> few years now - and 1.16 was obsolete before I started.
> _______________________________________________
> MediaWiki-l mailing list
> To unsubscribe, go to:
> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: MediaWiki-l Digest, Vol 147, Issue 3

Francis Franck
Dear all

I fully agree with [hidden email]
Keeping Mediawiki and its extensions (such as Semanticmediawiki and many
others) up to date isn't an easy job and this is proven by the number of
outdated versions still in use. The task may be made easier by Composer and
other developments, but these are not available to all of us.

Personally I'm trying to stay on track but I'm often struggling with
unexpected problems.

Kind regards

Francis

On Fri, Dec 4, 2015 at 10:28 PM, <[hidden email]> wrote:

> Hi Alex and All others,
>
> Doesn't this very issue go to the heart of the Mediawiki survey of
> Stakeholders found? Accordingly to the slideshow on that survey 71% of all
> independent users of Mediawiki use an old outdated version of the software.
> I think we can safely assume almost all of those users have not updated
> their sites with security patches. The problem is the technical knowledge
> to update Mediawiki is above the average user of the software and/or they
> lack command line access. By not having an easy GUI to both update the
> software and the extensions to the software it effectively leads to a lot
> of sites running with the ghost of Christmas past.
>
> Sent from my iPad
>
> > On Dec 4, 2015, at 12:29 PM, Alex Monk <[hidden email]> wrote:
> >
> >> On 4 December 2015 at 19:52, Jan Steinman <[hidden email]> wrote:
> >>
> >> Having been stung by various upgrades over the years, I tend to not
> touch
> >> stuff that isn't broken. I'm running several MediaWiki sites between
> 1.13
> >> and 1.16. I'd sorta like to upgrade, but I don't know what that buys me,
> >> and y'know, they're all working... :-)
> >>
> >
> > Are you aware of what security issues (which are now public) your wikis
> are
> > vulnerable to? I am very sceptical that stuff "isn't broken", although I
> > (personally) am not going to research old issues, find your wiki, and
> then
> > attack it, to make a point. Have you really backported/rewritten patches
> > for all of them yourself? I've been involved in MediaWiki development
> for a
> > few years now - and 1.16 was obsolete before I started.
> > _______________________________________________
> > MediaWiki-l mailing list
> > To unsubscribe, go to:
> > https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>
> _______________________________________________
> MediaWiki-l mailing list
> To unsubscribe, go to:
> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>
_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: MediaWiki-l Digest, Vol 147, Issue 3

Bill Cole
In reply to this post by Jan Steinman-2
On 4 Dec 2015, at 14:52, Jan Steinman wrote:

> So what exactly is the expected impact of upgrading PHP 5.3.8 to 5.5
> or greater?

The folks who have been squabbling over control of your hijacked server
will stop doing so, because the latest bunch willing to coexist with
each other won't have a steady stream of script kiddie competitors. But
don't worry: if you only go to the last 5.5, you'll probably have a new
flow of friends to co-administer your server in a few months.

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: MediaWiki-l Digest, Vol 147, Issue 3

Gordon Joly
In reply to this post by Francis Franck
On 05/12/15 11:24, Francis Franck wrote:
> I fully agree with [hidden email]
> Keeping Mediawiki and its extensions (such as Semanticmediawiki and many
> others) up to date isn't an easy job and this is proven by the number of
> outdated versions still in use. The task may be made easier by Composer and
> other developments, but these are not available to all of us.


I wonder why a version update system such that used by Drupal (and other
systems) does not exit for Mediawiki....

Gordo



_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: MediaWiki-l Digest, Vol 147, Issue 3

Tim Starling-2
In reply to this post by Jan Steinman-2
On 05/12/15 06:52, Jan Steinman wrote:
> I'm not exactly a "noob", but I haven't kept up with PHP changes --
> what is running is running, so why change?

It is important to keep up with security releases. If your server is
compromised, it can be used to host fraudulent websites, participate
in DDoS attacks and send spam. The criminals of the internet depend on
people like you who don't care about security. You are an essential
part of their infrastructure.

> So I was just punting on the "how long will it take to upgrade?"
> question. (I said "More than an hour", because just finding out the
> impact will take that long!)
>
> So what exactly is the expected impact of upgrading PHP 5.3.8 to
> 5.5 or greater? (Note: I'm now officially in that "more than an
> hour" of upgrading.)
>
> Having been stung by various upgrades over the years, I tend to not
> touch stuff that isn't broken. I'm running several MediaWiki sites
> between 1.13 and 1.16. I'd sorta like to upgrade, but I don't know
> what that buys me, and y'know, they're all working... :-)

I can't say I have tried to run MediaWiki 1.13 (released in 2008) on
PHP 5.5. Maybe it would work.

I was just looking for my notes on how hard it is to upgrade
MediaWiki. It looks like I had a similar conversation with you back in
2008, about upgrading from 1.3! Good times.

Note that 1.3 -> 1.13 was a gap of 4 years, and it's now been another
7 years after that. So maybe it is about time for another upgrade?

Normally, upgrading PHP is very simple, because by the time you
upgrade PHP, you've already upgraded MediaWiki to a version which has
been tested on the new version of PHP. Your case is not normal. That
is the price you pay for upgrading MediaWiki as often as other people
paint their houses.

I think you should take your site down for "scheduled maintenance",
and while it is down, upgrade PHP and any other dependencies such as
MySQL and the rest of the Linux distro, and then upgrade MediaWiki to
1.23. That is, don't bother testing MW 1.13 on PHP 5.5, it doesn't
matter if it doesn't work if you are halfway through an upgrade.

If you really hate upgrading things, you should take steps to make it
easy. Use PHP from an Ubuntu LTS package, don't compile your own. Use
unattended-upgrades to get security releases automatically. Don't
change any files that were distributed with MediaWiki.

-- Tim Starling


_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l