Toolhub/Progress reports/2021-08-13

Toolhub

• User manual
• About
• Reports
  • Decision record
  • Progress reports
• Feedback

Report on activities in the Toolhub project for the week ending 2021-08-13.

The initial findings of the security review were delivered on 2021-08-09 as expected. Many thanks from the team to Scott Bassett for his work on this important task. Bryan has attempted to triage the feedback into things that need to be fixed prior to launch and things that need more investigation or are blocked for technical reasons:

Required interventions

• Done Update Toolhub python dependencies with known security patches
• Done Update nodejs libraries that fall within current semver constraints
• Done Add timeouts to crawler calls to external URLs
• Done Add `force_escape` filter to Django template translation content
• Ensure that production deployment includes a Strict-Transport-Security header for toolhub.wikimedia.org

Desired improvements

• Find vulnerabilty scanner to run periodically on Toolhub python dependencies
• Investigate replacing vue-cli with vite and webpack with rollup for Toolhub

Kunal Mehta from the Foundation's Service Operations team and technical volunteer Majavah submitted a flurry of patches earlier this week that move us closer to the production deployment. We believe the remaining work (besides testing all of these changes!) will be to connect the Toolhub service running in the Kubernetes cluster with the Varnish service which is part of the Wikimedia CDN.

An omnibus patch of user interface improvements authored by Srishti was merged this week. These changes to the spacing, colors, and size of various user interface elements are inspired by our past design review from folks working for the Foundation's Product Design team.

We very recently realized that establishing a content license for the toolinfo records and lists stored in Toolhub had been overlooked. T288832 has been created to track this need. Bryan has reached out to the Foundation's Legal team for their professional advice on how to establish the default license. Watchers should not expect to see detailed information from the Legal team on the Phabricator task for reasons which are explained at Wikimedia Legal Disclaimer.

Community members with strong and informed opinions on CC0 and CC-BY-SA license strengths and weakness are invited to provide their comments on the task as well.

As reported last week and the week before, we will be holding some Toolhub focused sessions during Wikimania 2021.

• Lightning talk titled "How to find tools to improve your workflows" on 2021-08-14 at 16:15 UTC in "building 4" of the main conference.
• Unconference sessions
  • Toolhub Introduction, Saturday 2021-08-14, 18:00-18:30 UTC
  • Quality Signal Sessions: The Wikimania edition, Sunday 2021-08-15, 18:00-18:30 UTC
  • Quality Signal Sessions: The Wikimania edition, Sunday 2021-08-15, 18:30-19:00 UTC

All long term watchers of the project will likely realize that we did not achieve our hoped for 2021-08-12 production deployment target. We came very close, but ultimately there were more tasks left to complete in the final week than it was reasonably possible to accomplish. Bryan hopes that everyone is understanding of these delays, but also informed of what remains to be done and progress on those goals.