[Wikimedia-l] Creation of separate user group for editing sitewide CSS/JS

[Wikimedia-l] Creation of separate user group for editing sitewide CSS/JS

Bodhisattwa Mandal
Hi,

I accidentally checked this meta page
<https://meta.wikimedia.org/wiki/Creation_of_separate_user_group_for_editing_sitewide_CSS/JS>
today, when another editor forwarded me the link on Facebook. Here it has
been proposed that admins will be stripped of the ability to edit js/css pages because
of security reasons. The way this is being handled is rather disturbing to
me.

1) Not all communities have been informed about this future change (
https://meta.wikimedia.org/wiki/Distribution_list/Technical_Village_Pumps_distribution_list
)

2) The comments in the meta talk page suggest that there is no intention
to get opinions from editor community members. Everything seems to be
pre-decided by the developer community and we don't have other options but
to accept the proposal without proper discussion.
(
https://meta.wikimedia.org/wiki/Talk:Creation_of_separate_user_group_for_editing_sitewide_CSS/JS
)

3) Many admins from smaller wikis have expressed their concerns that this
decision will severely affect the workflow of those wikis, but none of
these concerns are addressed.

4) Many editors have expressed concern over just 2 week short notice period
for this transition. But that concern is also not addressed.

Regards,

Bodhisattwa
Bengali community
_______________________________________________
Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and https://meta.wikimedia.org/wiki/Wikimedia-l
New messages to: [hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:[hidden email]?subject=unsubscribe>

Re: [Wikimedia-l] Creation of separate user group for editing sitewide CSS/JS

Alex Monk
On 10 July 2018 at 12:06, Bodhisattwa Mandal <[hidden email]>
wrote:

> 1) Not all communities have been informed about this future change (
> https://meta.wikimedia.org/wiki/Distribution_list/Technical_Village_Pumps_distribution_list
> )

The plan appears to be to do this, maybe it just hasn't happened yet:
https://meta.wikimedia.org/wiki/Talk:Creation_of_separate_user_group_for_editing_sitewide_CSS/JS#Announcement_plan

> 2) The comments in the meta talk page suggest that there is no intention
> to get opinions from editor community members. Everything seems to be
> pre-decided by the developer community and we don't have other options but
> to accept the proposal without proper discussion.
> (
> https://meta.wikimedia.org/wiki/Talk:Creation_of_separate_user_group_for_editing_sitewide_CSS/JS
> )
>
It's a software security decision so editor community acceptance of this
change is optional, but there is an attempt to get the opinions of editor
community members (if there wasn't there wouldn't even be a page on meta
about this). These rights should never have been bundled with sysop rights,
they are incredibly dangerous and more on the level of bureaucrat/steward
than anything else in the sysop rights list.

> 3) Many admins from smaller wikis have expressed their concerns that this
> decision will severely affect the workflow of those wikis, but none of
> these concerns are addressed.
>
I don't see how. The current local group the rights are granted by is
bureaucrat-grantable, and the new local group the rights will be granted by
will be bureaucrat-grantable.


> 4) Many editors have expressed concern over just 2 week short notice period
> for this transition. But that concern is also not addressed.
>

If we were to say that stewards would be allowed to assign the rights to
any existing local admin (without extra discussion) on the conditions that:
1) they were an admin at the time of the group losing its rights and have
not lost any local rights since
2) there have been no local bureaucrats active on the wiki since the change.
I think this would be fine.

Re: [Wikimedia-l] Creation of separate user group for editing sitewide CSS/JS

Strainu
2018-07-10 20:38 GMT+03:00 Alex Monk <[hidden email]>:

> On 10 July 2018 at 12:06, Bodhisattwa Mandal <[hidden email]>
> wrote:
>
>> 1) Not all communities have been informed about this future change (
>> https://meta.wikimedia.org/wiki/Distribution_list/Technical_Village_Pumps_distribution_list
>> )
>
> The plan appears to be to do this, maybe it just hasn't happened yet:
> https://meta.wikimedia.org/wiki/Talk:Creation_of_separate_user_group_for_editing_sitewide_CSS/JS#Announcement_plan
>
>> 2) The comments in the meta talk page suggest that there is no intention
>> to get opinions from editor community members. Everything seems to be
>> pre-decided by the developer community and we don't have other options but
>> to accept the proposal without proper discussion.
>> (
>> https://meta.wikimedia.org/wiki/Talk:Creation_of_separate_user_group_for_editing_sitewide_CSS/JS
>> )
>>
> It's a software security decision so editor community acceptance of this
> change is optional, but there is an attempt to get the opinions of editor
> community members (if there wasn't there wouldn't even be a page on meta
> about this). These rights should never have been bundled with sysop rights,
> they are incredibly dangerous and more on the level of bureaucrat/steward
> than anything else in the sysop rights list.
>
>> 3) Many admins from smaller wikis have expressed their concerns that this
>> decision will severely affect the workflow of those wikis, but none of
>> these concerns are addressed.
>>
> I don't see how. The current local group the rights are granted by is
> bureaucrat-grantable, and the new local group the rights will be granted by
> will be bureaucrat-grantable.

The problem is that smaller wikis don't have bureaucrats either and
there have been some very harsh proposals on that talk page with
regards to how the user right should be provided by stewards. Having
some kind of global policy (like the one you propose below) before
deploying would probably ease a lot of the fears.

>
>
>> 4) Many editors have expressed concern over just 2 week short notice period
>> for this transition. But that concern is also not addressed.
>>
>
> If we were to say that stewards would be allowed to assign the rights to
> any existing local admin (without extra discussion) on the conditions that:
> 1) they were an admin at the time of the group losing its rights and have
> not lost any local rights since
> 2) there have been no local bureaucrats active on the wiki since the change.
> I think this would be fine.

I agree with the proposal, but it seems rather orthogonal to the
transition period. There are all kinds of possible situations and
communities are responsive rather than pro-active on these
subjects. As someone pointed out on the talk page, there is no real
reason to hurry the deployment so much. The fact that it was announced
in the tech news is a good first step, but it seems like a good idea
to now take the time to do things properly.

Strainu


Re: [Wikimedia-l] Creation of separate user group for editing sitewide CSS/JS

Vi to
Small wikis are, from this specific security issue, full of risks. I think
this element should be taken into account.

Restricting css/js editing may be a patch for a short time, but our
infrastructure is pretty vulnerable, our users can be injected with
malicious js by editing thousands of pages on any among hundreds of wikis.

Vito


Re: [Wikimedia-l] Creation of separate user group for editing sitewide CSS/JS

Gergő Tisza
On Tue, Jul 10, 2018 at 7:39 PM Alex Monk <[hidden email]> wrote:

> On 10 July 2018 at 12:06, Bodhisattwa Mandal <[hidden email]>
> wrote:
>
> > 1) Not all communities have been informed about this future change (
> > https://meta.wikimedia.org/wiki/Distribution_list/Technical_Village_Pumps_distribution_list
> > )
>
> The plan appears to be to do this, maybe it just hasn't happened yet:
>
> https://meta.wikimedia.org/wiki/Talk:Creation_of_separate_user_group_for_editing_sitewide_CSS/JS#Announcement_plan


That did happen; I just wasn't aware that list does not go to all wikis.
There doesn't seem to be a distribution list that includes all wikis but
prefers technical discussion spaces over nontechnical ones so I have set up
https://meta.wikimedia.org/wiki/Distribution_list/Nonechnical_Village_Pumps_distribution_list
and sent out a notice to the wikis I missed in the first round.

On Tue, Jul 10, 2018 at 8:52 PM Strainu <[hidden email]> wrote:

> As someone pointed out on the talk page, there is no real
> reason to hurry the deployment so much.


Unfortunately there is, as attacks based on MediaWiki: namespace editing
privileges have been a regular occurrence in the last few months. The last
somewhat successful one was less than a week ago.