Miraheze Phabricator

Add extension GeoGebra
Closed, Resolved. Public

Description

Hi, I would like to request the extension GeoGebra for my wiki.

https://www.mediawiki.org/wiki/Extension:GeoGebra

Event Timeline

Dmehus subscribed.

Recent commit history suggests this is a maintained extension. Extension is categorized as stable, which is a plus. Unless this is used on a Wikimedia wiki, it'll need a security review. It does propose to load external content, but so do many of our extensions, and we do have Content Security Policy that restricts the sites whose content can be loaded.

Unknown Object (User) closed this task as Declined. Jan 18 2021, 19:44
Unknown Object (User) claimed this task.

Declining as unmaintained. While, yes, there was a repository edit 10 days ago, it was not from the original maintainer, and before that the last update to it was a year ago. In addition to that, I hold serious concerns about approving any extensions that load external content. Those two things together are leading me to unfortunately decline this extension. I apologize for the inconvenience.

@Universal_Omega Why would it matter whether the commits are from the original maintainer? To me, that shouldn't really matter much, if at all, if I'm being honest. The key idea behind open source software is that no one individual owns or controls the code. Take ManageWiki for instance. Sure, @John was the original designer of that extension and likely contributed most of the code, but you have been a significant contributor to that extension, so look at it from the perspective of a competing wiki farm that opted not to implement that extension because, imagine hypothetically for a moment, John wasn't contributing to the extension recently. Would it be fair of them to decline it because it's not being maintained by the original maintainer?

It sounds like you haven't done a full security review of the extension and are rather quick to close this Phabricator task for the sake of closing this Phabricator task. Maybe it ultimately gets declined, but I think it at least warrants a full security review—whenever you have time, maybe that's in a week, two weeks, or even three weeks—and then you can privately report the findings of your security review to @Southparkfan. If there's agreement that it should be declined, then it should be declined.

Hope that makes sense.

Unknown Object (User) added a comment. Jan 19 2021, 01:53

I suppose you make good points, but the nature of the extension, I feel, requires it to be maintained, and while we could consider it if there were more frequent commits to the code, I do feel this still should be declined. After recent events with extensions allowing the embedding of data, I am very hesitant to approve extensions that do such things. As for your point about ManageWiki, it has multiple active full maintainers including John, therefore that point is kind of moot. As for reporting my findings to Southparkfan, I would do that only if I was unsure; Southparkfan is busy and has other things to do than review all of my reviews, and then there would be no point in having other reviewers besides Southparkfan. I may look at the code of this extension more closely later, but as for now, the decline sticks.

I would also like to add that I did not decline it because it was not the original maintainer, but because there is no fully active maintainer for the extension. I hope I made sense here.

Regarding the loading of external resources, our CSP limits that, but I don't see any issue with a popular, well-known educational site.

Unknown Object (User) reopened this task as Open. Jan 19 2021, 07:12

I guess I'll do a proper full review of the extension. Will do so tomorrow. Thanks!

Adding Site Reliability Engineering so two SRE members can approve adding cdn.geogebra.org (for https://cdn.geogebra.org/apps/deployggb.js) to the CSP whitelist.
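
The CSP whitelisting requested above, shown as an added example that is not part of this task and not Miraheze's own configuration or code: a small Python checker that applies Content-Security-Policy host-source matching (scheme, host with an optional leading wildcard, port, path prefix) and the script-src to default-src fallback to decide whether a script URL would be allowed. The page origin example.miraheze.org and the before/after policy strings are constructed for illustration; the only value taken from the task is the loader URL https://cdn.geogebra.org/apps/deployggb.js.

```python
"""
Does a Content-Security-Policy allow a given script URL?

Added example for the CSP whitelisting discussed in this task; it is not
Miraheze's configuration. It implements CSP host-source matching (scheme,
host with an optional leading wildcard, port, path) and the fallback from
script-src to default-src. The policies below are CONSTRUCTED samples.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_csp(header: str) -> dict:
    """Parse 'directive v1 v2; directive v' into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            # The first occurrence of a directive wins; duplicates are ignored.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _host_matches(pattern: str, host: str) -> bool:
    """'*.geogebra.org' matches any subdomain; otherwise hosts must be equal."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".geogebra.org"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def _source_matches(source: str, url: str, page_origin: str) -> bool:
    """Does one source expression permit fetching url as a script?"""
    parts = urlsplit(url)
    if source.startswith("'"):
        # Keyword sources: only 'self' can match a URL. 'none', 'unsafe-inline',
        # nonces and hashes never authorise a script fetched by URL.
        origin = f"{parts.scheme}://{parts.netloc}".lower()
        return source.lower() == "'self'" and origin == page_origin.lower()
    if source == "*":
        return parts.scheme in ("http", "https")
    if source.endswith(":") and "/" not in source:  # scheme-source, e.g. "https:"
        return parts.scheme == source[:-1].lower()

    # host-source: [scheme://]host[:port][/path]
    if "://" in source:
        scheme, rest = source.split("://", 1)
        scheme = scheme.lower()
    else:
        scheme, rest = urlsplit(page_origin).scheme, source
    # An http: source also allows https: (CSP3 upgrade rule); nothing else crosses schemes.
    if parts.scheme != scheme and not (scheme == "http" and parts.scheme == "https"):
        return False
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    if not _host_matches(host, parts.hostname or ""):
        return False
    url_port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    if port == "*":
        pass                                       # any port
    elif port:
        if url_port != int(port):
            return False
    elif url_port != DEFAULT_PORTS.get(scheme):
        return False
    if path:
        # A path ending in '/' is a prefix; otherwise it must match exactly.
        if rest.endswith("/"):
            return parts.path.startswith("/" + path)
        return parts.path == "/" + path
    return True


def script_allowed(csp_header: str, script_url: str, page_origin: str) -> bool:
    """True if the policy lets the page load script_url via <script src>."""
    policy = parse_csp(csp_header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True                                # nothing governs scripts
    return any(_source_matches(s, script_url, page_origin) for s in sources)


# Constructed sample data: the origin and policies are illustrative, not Miraheze's.
PAGE_ORIGIN = "https://example.miraheze.org"
GEOGEBRA_LOADER = "https://cdn.geogebra.org/apps/deployggb.js"   # URL named in the task
CSP_BEFORE = "default-src 'self'; script-src 'self'; img-src 'self' https:"
CSP_AFTER = "default-src 'self'; script-src 'self' https://cdn.geogebra.org; img-src 'self' https:"


def demo() -> dict:
    """Outcomes before and after whitelisting cdn.geogebra.org."""
    return {
        "before": script_allowed(CSP_BEFORE, GEOGEBRA_LOADER, PAGE_ORIGIN),
        "after": script_allowed(CSP_AFTER, GEOGEBRA_LOADER, PAGE_ORIGIN),
        "other_host": script_allowed(CSP_AFTER, "https://attacker.example/x.js", PAGE_ORIGIN),
        "self": script_allowed(CSP_AFTER, PAGE_ORIGIN + "/load.php", PAGE_ORIGIN),
        "subdomain": script_allowed("script-src *.geogebra.org", "https://www.geogebra.org/a.js", PAGE_ORIGIN),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'blocked'}")
```

The point the checker makes concrete: whitelisting the bare host `https://cdn.geogebra.org` permits any script on that host, whereas a path source such as `https://cdn.geogebra.org/apps/` narrows it to that directory, and a scheme-only source like `https:` would permit every HTTPS host and is the pattern a reviewer should push back on.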

Unknown Object (User) moved this task from Radar to Discussion on the Site Reliability Engineering board. Jan 19 2021, 18:30

I did have concerns about the methods used in the extension itself, and its readability is not the best, but security-wise everything looks alright.

Unknown Object (User) removed a project: Site Reliability Engineering. Edited Jan 28 2021, 18:22

CSP was approved by SRE and it has now been whitelisted. Will install extension shortly.

Apparently I've already awarded a token, so I can't award another token for completion, so 👍 from me instead.

Unknown Object (User) closed this task as Resolved. Jan 31 2021, 02:01