Talk:Requests for comment/Debugging at production server

Notes from the IRC meeting on June 11th
We discussed this RfC in the Architecture meetings/RFC review 2014-06-11. Summary:


 * Debugging at production server (sumanah, 21:37:45)
 * LINK: https://www.mediawiki.org/wiki/Requests_for_comment/Debugging_at_production_server (sumanah, 21:38:08)
 * This RfC is by devunt. I asked devunt to be here but I didn't give him/her enough notice, sorry (sumanah, 21:38:14)
 * "Problem: Sometimes we have to debug on production wiki, but don't want to show internal information to normal users... But the current architecture of debugging toolbar is available for everyone, so some internal information, like the server's directory structure, debug logs, and so on, can be leaked." (sumanah, 21:38:20)
 * Proposal: change things so that only selected users can use the debugging toolbar, and implement this using user rights. (sumanah, 21:38:40)
 * LINK: https://gerrit.wikimedia.org/r/#/c/119002/ is the patch (sumanah, 21:38:56)
 * at least some people are interested in turning this on in WMF land, such as beta (sumanah, 21:41:02)
 * LINK: http://www.mediawiki.org/wiki/Debugging_toolbar <- for those not familiar with the feature (sumanah, 21:43:16)
 * ACTION: greg-g to ask Bryan about whether structured logging is a way around the private data issue for this RfC (sumanah, 21:50:54)
 * Yeah, I would worry about things like redis/db passwords showing up... but I'd have to look at it a little more (sumanah, 21:51:26)
 * ACTION: devunt to review https://www.mediawiki.org/wiki/Security_for_developers/Architecture#What_are_we_trying_to_protect.3F and draw a data flow diagram https://www.mediawiki.org/wiki/Security_for_developers/Architecture#Threat_Modeling and reach out to Chris Steipp once that's done (sumanah, 21:54:57)

So, we'd like for you to review https://www.mediawiki.org/wiki/Security_for_developers/Architecture#What_are_we_trying_to_protect.3F and draw a data flow diagram https://www.mediawiki.org/wiki/Security_for_developers/Architecture#Threat_Modeling and reach out to Chris Steipp once that's done. Does that make sense?

Thanks for putting together this RfC! It looks like an idea that a lot of people like! Sharihareswara (WMF) (talk) 19:56, 12 June 2014 (UTC)