Related: T5536 and T5542, albeit these tasks are security sensitive (whereas this one is public), so do not talk about those here yet.
SaltStack is vulnerable to an exploit effectively granting root privileges to anyone: see https://saltexploit.com/. Fortunately, we patched quickly, but it does raise multiple questions regarding our SaltStack configuration (which is why SRE has removed SaltStack tools from the servers). There are multiple CVEs for the Salt master, yet the Salt master was publicly reachable for everyone and at first glance it looks like security recommendations were not adhered. @Paladox suggested we move to Cumin (which relies on SSH, not agents), but that is one of the many options to go for. Important: even if we decide to drop Salt, we must still determine why Miraheze was exposed to such risks in the first place.