Talk:Wikimedia Security Team/SDLC

"Can a service or tool run on Labs hardware"
I understand the desire for this from the security point of view, but from an organization point of view I feel that steering WMF teams to use Labs as a production environment is really bad. It puts a pressure on the Labs project for 24/7 monitoring and uptime that is unfunded and it steals Labs resources from volunteer projects. Maybe the better replacement is to have people think about running things in the Ganeti cluster in production or working with TechOps and Release Engineering on other forms of isolated production containers? --BDavis (WMF) (talk) 21:51, 28 December 2015 (UTC)
 * Uptime is something that should be factored into, "can this run on labs." If it needs very high uptime and is going to be used by lot of people, then it absolutely should run on the cluster. But there are projects like the WikibaseQuality extensions, GWTools, etc that don't have many users or high uptime requirements, and could have been developed much more effectively if they were designed to run on labs to start. I'll see if I can find a way to make that more clear in these guidelines. And yes, Ops is well acquainted with my begging for isolated production machines, so we can address services that have the uptime requirements but should otherwise be untrusted by the cluster. CSteipp (WMF) (talk) 23:06, 28 December 2015 (UTC)

Duplication
There are multiple pages on this topic, see also Manual:MediaWiki Security Guide. The traditional guideline is Security checklist for developers and Security for developers was the most recent WMF attempt at making review faster for new code. You want to clarify that this page (as far as I understand) only explains what the internal WMF processes are for following and implementing the guidelines which are valid for everyone. Ideally, however, the guidelines should be understandable also for WMF developers. :) Nemo 07:44, 29 December 2015 (UTC)
 * That's a fair point about clarifying this is for WMF teams. I've added that in the intro. This document should provide something of a roadmap for where those other documents fit into the process, since they all deal with different aspects of mediawiki security, and are touched at different points in the sdlc. CSteipp (WMF) (talk) 17:21, 29 December 2015 (UTC)