There are some remaining non-security bugs with this that I'll follow up on in T13682. I believe the security side of this is now resolved.
Oct 26 2022
The details of this attack will be disclosed at a later date, once installs have had some sort of plausible chance to upgrade.
May 27 2022
Dec 16 2021
See also T13588.
Dec 2 2021
Purely venting, but the advanced version of "click here to schedule a mysterious meeting" is to outright lie -- pretending that you deeply respect the recipient's achievements -- before asking them to schedule a mysterious meeting.
Aug 19 2021
Apr 26 2021
Apr 25 2021
Mar 12 2021
I think lint could reasonably emit two warnings about this:
Oct 19 2020
Aug 5 2020
Jul 27 2020
Jul 22 2020
Please use Discourse to discuss Phabricator.
This task references more details on "Excuses" and "Prompts", but there aren't any. Is there any way to provide context around lint issues?
Jul 21 2020
Jul 3 2020
Jun 9 2020
Jun 8 2020
Jun 7 2020
Jun 4 2020
Jun 2 2020
May 30 2020
Feb 24 2020
See also PHI1605 (internal), which provides some evidence that:
Feb 21 2020
Feb 15 2020
Jan 14 2020
In JIRA 8.6.1, settings are now in:
- Administration → Applications → Application links
Aug 28 2019
Another variation of this is "add more documentation", although I think the pattern around this one is more rarely a sort of "problem domain / solution domain mismatch" sort of issue and more often a "human communication" issue, usually with one of these two templates:
Aug 15 2019
May 16 2019
For all who might need to migrate from trac to Phabricator, feel free to borrow from this bare-bone script: https://gitlab.com/simevo/trac2phab
May 3 2019
The answer here is now pretty unambiguously "Use Webhooks". feed.http-hooks is formally deprecated, Herald remains a terrible idea, and anyone brave enough to touch Doorkeeper can probably figure things out for themselves.
Apr 23 2019
(This seems stable now, and there's no specific action here.)
Mar 27 2019
Mar 19 2019
This seems to have quieted down, now.
Mar 13 2019
See PHI1125. Recent versions of JIRA (JIRA 8?) still work with approximately the same instructions, but you have to fill out a modal dialog with about 7 required fields first, and none of the fields have real values. That is, the configuration instructions for recent JIRA are:
Feb 22 2019
This change broke the search dialog on tags typeaheads...
Feb 16 2019
Feb 12 2019
Feb 11 2019
Jan 25 2019
Jan 24 2019
Not exactly related, but PEAR got compromised: https://news.ycombinator.com/item?id=18987518
Dec 19 2018
(Please use Discourse for this sort of discussion.)
It's been several years since this task was opened, and it's not clear what the current progress on this is. Is there a way that versioning could please be added to GitHub, per the recommendations on https://github.com/Homebrew/homebrew-php/pull/3864 ? I'm not able to install arcanist currently using homebrew because there isn't a stable tagged version newer than one from 2012.
Dec 17 2018
This appears to be stable and working properly. D19897 removes a straggling guardrail.
Dec 13 2018
Dec 12 2018
There are probably some stragglers that have yet to turn up, but we appear to have survived this largely unscathed.
Nov 27 2018
Are colons (:) supported between the keywords and the objects? E.g. Fixes: adcbdef or Depends On: D123?
Nov 25 2018
Nov 17 2018
Nov 15 2018
Nov 13 2018
I'm going to start landing this stuff now. master will start complaining about unsafe queries all over the place (although much less frequently than it was when I first added the warning). Depending on how much complaining still exists on Friday I might make the warning developer-only, but I'm currently hopeful that I can clean up most of it before the next release promotes.