wiki configuration downlevel WRT security releases

[tomroche]

summary

The ​OSGeo wiki is significantly downlevel from latest security updates for several ​components that I can see, and possibly others I can't (notably Debian). This should be fixed ASAP--running downlevel code is a good way to get hacked, which is always bad public relations (PR)--either by "just doing it" on our own host, or renting from a Semantic MediaWiki provider.

Apologies if this has already been discussed on ​security-priv, but I can't see its archives (​by design). I also don't see

• another ticket discussing this (apologies if I missed something in search)
• another way to non-publicly ​share a security concern with OSGeo (ditto)

details

Currently, per ​Special:Version the OSGeo wiki has

component	current version
name	installed	secure
MediaWiki	1.25.3	1.27.1 (per ​top of current Recent News)
PHP	5.3.3-7+squeeze29	5.6.28 (per ​top of current News Archive)
MySQL	5.1.73-1+deb6u1	5.7.x? am checking, will comment this ticket
extension
name	installed	latest
Semantic MediaWiki	2.3	2.4.1 (per ​its page)
Semantic Forms	3.4	4.0.1 (see note following)
Semantic Maps	3.2	4.0 (see note following)
Semantic Result Formats	2.3	2.4 (per ​its page)

Note the above is an excerpt, not a complete list. But merely from the above, this install is looking quite downlevel: e.g., MySQL 5.1 dates from 2008-9. Worse yet, if the wiki is on Debian 6/Squeeze (as suggested by the MySQL and PHP version names above), rather than the ​current-stable (Debian 8/Jessie), that's a major problem, which will almost certainly obstruct upgrading components above. Furthermore, note

• for ​forms support, the wiki currently has extension=Semantic Forms @ version=3.4. As noted at ​its page, this extension has been renamed to Page Forms and its latest version=4.0.1.
• per ​its page, extension=Semantic Maps has also been moved/renamed to Maps, for which latest version=4.0 (per ​its page).

I definitely understand that admin-ing is "real work," and it's work I don't have time to do. However, security of a world-readable service must not be ignored. If we lack the time/labor resources to keep security-uplevel, we should consider using one of the available Semantic MediaWiki providers--presuming they are security-uplevel, which we'd need to check. Unfortunately, if we wanna keep the osgeo.org domain for the wiki, we would probably need to purchase ​Referata's ''Enterprise'' SLA, which is 80 $/mo. (Another provider is wikihoster.net, but ​their site is in German and mine is not good: all I can see is that a .org domain will cost 30 €/mo in addition to something (it's an zusätzlichen fakultativen Leistungen, which ~= optional add-on), but I'm not sure what to add that to.) If the wiki could live inside someone else's domain, however, we could use (depending on data size) Referata's Basic/free service, or (if we qualify as "biology-related") ​Biowikifarm, which is run by a German public consortium with EU money.

[tomroche]

More research, refactoring: see updated lists of

• ​current installed versions: same versions, better descriptions
• ​current desired/target versions (i.e., what we need to get to): changed some versions after further research.

I'll continue updating status at that repo, and make comments with links on update (rather than copy/mod changes as comments).

[tomroche]

Regarding the insecurity of the current wikihost configuration, see ​this thread on SMW-users. Regarding contributors to that thread, note that Jeroen De Dauw is ​SMW's co-core developer and Karsten Hoffmeyer (kghbin) is the ​editor in chief of SMW's website and doc (as well as the operator of ​WikiHoster).

[strk]

Please refer to #2004 for wiki upgrade task.