On Sun, Nov 1, 2015 at 7:08 PM, Toby Negrin <tnegrin@wikimedia.org> wrote:
Hi Everyone --

Our goals for Fiscal Year Q2 (Oct - Dec) are up on the wiki. Apologies for this taking so long.


Please let us know if you have any questions.

Well, my question about the "migrating traffic to OAuth" thing still stands :) I believe that was on a closed list, so let me rephrase.

OAuth is pretty much login for applications. There are basically three classes of applications wrt OAuth:
- those that use the write API (edit, upload etc) and can secure the OAuth "password" (the consumer secret), because they have some kind of server-side component. These should use OAuth (and, I would imagine, overwhelmingly do - these are going to be Labs tools mostly) so that our users don't need to give out their passwords.
- those that use the write API but cannot secure the "password" (mobile apps, desktop clients, bots). There is a security problem with these using OAuth.
- those that don't use the write API at all, just display pages / collect information. Using OAuth for these would essentially mean that we require users to log in just to read Wikipedia (through these applications).

Which of these classes are we looking at? For the first, I don't think any intervention is needed (are we even aware of any editing tool that does not use OAuth?), although more resources for making OAuth easier to use would be nevertheless a great thing :) For the second, there is the security issue (I recall you wrote about that, although that was again on a closed list). For the third... I really hope we are not even considering that.