Hey Shani,

While I'm loathe to make any explicit "guarantee" that it wouldn't be removed (obviously, in the end, the site safety is most important if it was doing something that was completely damaging then I wouldn't hesitate to remove it) I do not foresee doing that. I also AM willing to guarantee that we would do whatever we can to prevent the running courses from being aversely affected if it came to that and would bend over backwards to try and find some stop gap measure to allow things to finish out.

That said as a bit more background to what Floor was saying earlier: We have indeed been having issues with security problems in the extension. These aren't all brand new but they've escalated and more and more of them have been found which could make the extension a significant attack vector for people who want to hurt the sites. We also are fairly worried because we've found enough issues it's likely there are other things hiding that we haven't found yet.

While at some level my "perfect" world would be uninstalling it (in the end I'm a cautious person and in our current engineering process it would not have been approved for deployment) we don't want to hurt everyone whose using it and so have been looking for a temporary measure to lessen the risk. We think we've found that and it's in testing now, I hope to have it out this week and then I think Chris (Steipp, of the Engineering Security team) and I will be ok with it rolling out on the new wikis like that as well for now. We'll then be able to take a step back and think of options to try and ensure that everything is safe and secure while also ensuring that you have what you need to do your courses.

James Alexander

Manager

Trust & Safety

Wikimedia Foundation

(415) 839-6885 x6716 @jamesofur

On Mon, Sep 28, 2015 at 3:25 PM, Shani <shani.even@gmail.com> wrote:

Hi, Filip & Floor.

These are very disturbing news. Filip, I can only sympathize..

Floor, / James, can we get any assurances that the

Education Extension will not be removed in the middle of the semester? My academic courses at Tel Aviv University, and I'm sure others' who are using the extension, are completely depended on it (not to mention all the smaller workshops throughout the year).
Not having the extension will completely change the way these courses are run, and if it's done after the semester begins in mid October,it can be quite catastrophic.

Is there any other info you can give us about this? I'd rather know in advance if there's a chance it suddenly stops working so I can look for other solutions before my courses begin.

Please advise. Thanks much,

Shani.

On Tue, Sep 29, 2015 at 1:09 AM, Floor Koudijs <fkoudijs@wikimedia.org> wrote:
Dear Filip,

I am so very sorry to hear about these frustrations with the deployment of the

Education Extension. The problem is that there have been recent security issues with the extension. Engineering and our Trust & Safety department are working on some stop gaps to allow the extension to remain in place (and likely be deployed) while we determine what to do with the recent security issues.

Please rest assured that we are working hard both on keeping the Education Extension going, and on thinking about a better tool to replace it for the future.

Feel free to follow up if you have any further questions. I've cc-ed James Alexander here.

Best,

Floor Koudijs
Senior Manager, Wikipedia Education Program
Wikimedia Foundation
+1.415.839.6885 x6806 (landline)
+1.415.692.5289 (cell phone)
fkoudijs@wikimedia.org
education.wikimedia.org

On Mon, Sep 28, 2015 at 11:14 AM, Filip Maljkovic <dungodung@gmail.com> wrote:
Hello everyone,

Recently, a security issue has been found with Education extension. As a result, new requests for installing the extension on Wikimedia wikis are being "stalled", i.e. blocked for an indeterminate period. Can someone from the Foundation comment on this? I don't see why we shouldn't install the extension to more wikis, if the current installations are still working as-is (i.e. they're not being uninstalled because of the security issue, as far as I know).

While it might be a long shot, is it possible to influence this decision somehow?

I feel thoroughly disappointed, having held community discussion and vote, and then waiting for a month (!) for no apparent reason, just to be outright told that it's unlikely to happen anytime soon. [1]

[1] https://phabricator.wikimedia.org/T110619

Cheers,
Filip Maljković
Wikimedia Serbia

_______________________________________________
Education mailing list
Education@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/education

_______________________________________________
Education mailing list
Education@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/education