Page MenuHomeMiraheze

Phabricator is no longer maintained - decide what to do
Closed, ResolvedPublic

Description

Phabricator is no longer maintained upstream. See https://admin.phacility.com/phame/post/view/11/phacility_is_winding_down_operations/.

Also see https://secure.phabricator.com.

Effective June 1, 2021: Phabricator is no longer actively maintained.

We should decide whether we want to keep phabricator or move to another bug tracker.

Event Timeline

Paladox triaged this task as Normal priority.May 29 2021, 22:35

I'd personally say we've got some time to decide here, as it's unlikely there will be any serious security holes near term (within the next three months). Medium to longer term, we'll definitely to migrate, but I think we should be fine over the next three months or so. I'd probably just go with BugZilla, to be honest. It's established, open source, free, and reliable.

I dislike bugzilla tbh. Ugly UI and hard to use.

Wikimedia previously used bugIlla and migrated to phabricator.

I'd personally say we've got some time to decide here, as it's unlikely there will be any serious security holes near term (within the next three months). Medium to longer term, we'll definitely to migrate, but I think we should be fine over the next three months or so. I'd probably just go with BugZilla, to be honest. It's established, open source, free, and reliable.

I don't personally like bugzilla either. But I agree we don't need to decide this immediately, but I do think we should try to decide in a timely matter. As security is a big deal and while unlikely, when Phabricator becomes unmaintained, it does become a security vulnerability, as if one arose, we may not even know it, unless we ourselves discovered it.

What license is Phabricator? There's a good possibility it will be forked as another open source project and maintained on that basis.

I dislike bugzilla like @Paladox. I agree that Phabricator has been extremely low risk from a security standpoint for a long time so it's not a rush.

Let's see if a fork appears in the next few days maybe.

Reading the blog, it looks like very minimal security support will continue to exist.

I wonder what the WMF will do about it. I think they like Phabricator so maybe they'd fork it and maintain it themselves?

I wonder what the WMF will do about it. I think they like Phabricator so maybe they'd fork it and maintain it themselves?

They're talking about it with community but they have a fork already because custom hacks. I've spoke to them about how I'd deploy it so am gonna try that for bots first.

phab.mirahezebots.org is now running the wmf-stable fork

See our puppet for setup

Southparkfan moved this task from Radar to Discussion on the Site Reliability Engineering board.

Maintaining a Phabricator fork on our own is unsustainable. On the other hand, Phabricator is essential to us and migrating to different software is a non-trivial task. If Wikimedia decides to maintain a fork, I think we could join them.

MarioMario456 added a subscriber: MarioMario456.

So far, there are three options: keep normal Phabricator (might be insecure, I don't want this!), fork Phabricator and continue patching it, or move to another bug tracker. So far, Bugzilla is the only good open-source one I know, but many users dislike its GUI.

We have two options: fork Phabricator and continue patching it, or move to another bug tracker. So far, Bugzilla is the best one we've found, but many users dislike its GUI.

There's significant discussion of a community fork probably led by the WMF being operated.

I've already mentioned this elsewhere but if the WMF does indeed decide to maintain it I would use that.

Universal_Omega claimed this task.

Closing as resolved per conversation with @Reception123. If Phabricator continues to be maintained for security, then we'll likely stick with our current Phabricator. If not, then we'll likely switch to the WMF fork.

I will note that there are plans to start a fork of phabricator called forge. (See https://discourse.phabricator-community.org/t/ongoing-communications-fork-etc/4836 for more info)