Talk:Wikimedia Security Team/Security reviews

If this is supposed to be a development policy, it should probably be a top level page like "Wikimedia security review policy" instead of under a team subpage. Also it shouldn't be a draft either ;) Legoktm (talk) 22:59, 7 March 2016 (UTC)Reply

Hi. For our project Wikispeech we will eventually need a security review but already at the outset there are a few questions which would simplify things later on.

1. ) Is there any limitations in which languages the code must be written in? Wondering since the existing code, and third-party libraries, is currently written in multiple languages.
2. ) Does this, and security review in general, differ between code which is live in extensions/services and code which isn't (e.g. code which is used to train speech models)?

Thanks for any clarifications, André Costa (WMSE) (talk) 09:05, 9 May 2016 (UTC)Reply

Hi. My following answers are not authoritative. Yes to both questions. The language the code is written in is probably less important than how the code is written in that language and the architecture is more important. With Wikispeech I assume most of the code will not need to handle security sensitive information and thus by isolating that code from everything else only that isolation mechanism needs a security review. Maybe an isolation mechanism that is already reviewed and used in production can be reused. (Does any of the services done by the services team, video transcoding, thumbnailing or pdf generation use sufficient isolation?). Note that even if you don't e.g. run the code to train speech models on the same servers that respond with the rendering of a reading of an article, at some point someone needs to run that code, so you might want to provide an isolated, automated, easy way to do that, like a job that automatically runs on the Wikimedia continuous integration infrastructure (which can provide isolation) whenever someone changes the training set. I'd suggest to create a task for the security review of Wikispeech and instead of providing the finished project, start with providing the information to do a design or concept review. -- Jan Zerebecki 14:05, 9 May 2016 (UTC)Reply

Thanks for the feedback. I'll bring this back to the team and suggest a design/concept review once we have more details in place. Cheers /André Costa (WMSE) (talk) 08:36, 20 May 2016 (UTC)Reply