On Tuesday, 31 January 2017, 15:22:21 CET, Christoph Wickert wrote:
AFAIK Christian packaged everything we need to update
1.27 and successfully runs the new version on his laptop already.
What prevents us from updating? Do we already have a test machine in
our infrastructure where interested wiki editors could play around?
Looks like you missed the Heroes meeting on Jan 8 ;-) - and reminds me
that Theo promised to send meeting minutes ;-)
I hope you have some time to read a longish mail ;-)
We have a working test setup at en.test.opensuse.org. It's basically
working and completely set up with Salt (except uploaded files and
However, it still misses some things, for example
- authentication via Access Manager. Right now, you can use
Special:PasswordReset to mail you a password and have to login at
Special:login. The "usual" pretty login form doesn't work yet.
The funny detail is that MediaWiki changed its authentication code
completely, so we can a) rewrite our auth extension from scratch or
b) switch to OpenID.
- search - also a big change, from Lucene to ElasticSearch. Sarah will
help me with this in the next days.
- memcached (for storing session data)
I looked into OpenID today, and it started in some funny[tm] ways.
First, I found out that removing the public IP from the test wiki VM
(it's behind HAProxy now) broke the default route, with the result that
our OpenID provider URL https://www.opensuse.org/openid/user/
reached by the OpenID extension. Then I found out that outgoing requests
are firewalled (allowed now, thanks Theo!) with the same result.
Another funny lesson I learned is that the OpenID extension needs access
to /dev/urandom, which was prevented by the PHP open_basedir setting.
On the positive side, I learned that open_basedir allows adding the
complete filename, so I didn't need to allow all of /dev/.
After these challenges, the OpenID integration finally worked. However,
after login I end up with a form that allows choosing a username,
which can be
- an existing user (this will fail because our accounts don't have a
password in the MediaWiki database)
- the realname ("Christian Boltz"), also not what we want
- an ugly auto-generated name like "OpenIDUser2"
- any user-chosen name
These options make sense for OpenID in general (if you allow logging in
with various providers, it's a good idea to allow users to choose their
username), but it doesn't make sense in our setup which only allows
It's possible to disable some of these via config options, but
unfortunately there doesn't seem to be a way to enforce the username
used in the Access Manager login in the OpenID extension :-(
Also, I don't know how to restrict OpenID login to users who have
verified their mail address. But hey, we learned that even spammers come
with verified mail addresses nowadays, so maybe we shouldn't care too
much about this detail ;-)
Especially the option to choose a username that differs from the
openSUSE login is a no-go, so I'm afraid we'll have to drop the idea of
using OpenID to handle the login.
(Nevertheless, the "wasted" time was worth it because I learned some
things about OpenID.)
Writing something on top of the PluggableAuth extension might be an
alternative. On a first look it looks promising and quite easy - I hope
for less than 50 lines of custom code ;-) and can probably say more
after actually testing this extension and writing the needed code.
Needless to say that all these "little" things are probably bigger and
more time consuming than they might look ;-)
Besides that, a side goal is to do everything with Salt. This is of
course a good idea and very nice in the long term, but in the short term
it causes quite some delays until we have everything in place.
Packaging MediaWiki and the extensions also took some time, but much
less than learning Salt ;-)
If you are interested in more technical details: the packages are in OBS
(home:cboltz:infra) and some openSUSE-specific files (like the openSUSE
skin) are on github.com/cboltz/wiki
 I noticed that the *.opensuse.org SSL certificate doesn't match
because of the additional dot, so maybe we'll
change the domain name once more ;-) (probably to en-test.o.o)
to avoid certificate warnings in the browser
 I'm new to Salt, so it took some time to get started. Also, the
usual thing happened - mysql-formula exploded when I touched it ;-)
At the moment, I'm using mysql-formula with my fixes on top, and wait
for an answer to my bugreports.
 Packaging becomes funny[tm] if an extension needs to be installed via
Encrypted to this mailing list? You should
Maybe a countermeasure against the data-collection mania of the NSA and
The addressee can read it, and otherwise nobody knows what it says and who
is meant. ;-) [> Johannes Diestelmann and Rolf Muth in opensuse-de]
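
Added example (not part of the original mail, and not openSUSE's own code): a simplified Python version of the wildcard hostname matching that TLS clients apply, showing why the extra dot in en.test.opensuse.org falls outside *.opensuse.org. Writing en-test.o.o out as en-test.opensuse.org is an assumption, and the function handles only whole-label wildcards.

```python
def cert_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate DNS name pattern covers hostname.

    Simplified RFC 6125 rule: "*" stands for exactly one DNS label and is
    only honoured when it is the complete leftmost label of the pattern.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")

    # One wildcard covers one label, so both names need the same depth.
    # This is where "en.test.opensuse.org" (4 labels) fails against
    # "*.opensuse.org" (3 labels).
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False

    first, rest = p_labels[0], p_labels[1:]

    # Wildcards anywhere but the leftmost label are never accepted.
    if any("*" in label for label in rest):
        return False
    if rest != h_labels[1:]:
        return False

    if first == "*":
        return True
    if "*" in first:
        return False  # partial wildcards such as "en*" are rejected here
    return first == h_labels[0]


# Constructed sample input: the wildcard name mentioned in the mail and
# the two candidate host names for the test wiki.
WILDCARD = "*.opensuse.org"
CANDIDATES = ["en.test.opensuse.org", "en-test.opensuse.org"]


def check_candidates(pattern=WILDCARD, hosts=CANDIDATES):
    """Map each candidate host name to whether the pattern covers it."""
    return {host: cert_name_matches(pattern, host) for host in hosts}


if __name__ == "__main__":
    for host, ok in check_candidates().items():
        print(f"{host:28} {'covered' if ok else 'NOT covered'} by {WILDCARD}")
```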