Like James, I'd be fine with having the allowlist on wiki.

I don't think it's a good idea to remove the allowlist though. If you remove it, the upload-by-url feature might become a vector for an amplification DoS attack. As of today, upload_by_url can be used by any and all Commons users. With no allowlist, it'd be much easier to instruct our servers to request an excessive amount of data from a target server of your choice. This will (likely? didn't check) be restricted by our own rate limits on uploading, but the upload rate limits are virtually nonexistent for autopatrollers and above (which is a role reasonably easy to get; much easier than +sysop, for example). I'm not sure if this kind of abuse is likely to happen.

However, I recall it being given as an explanation when I wondered why the allowlist exists a few years ago. What do you think Taavi?

Martin Urbanec

Fri 28 Jan 2022 at 16:12, James Forrester <jforrester@wikimedia.org> wrote:
On Fri, 28 Jan 2022 at 06:42, Taavi Väänänen <hi@taavi.wtf> wrote:
Hi sitereq-l,

I'm looking for context regarding our upload-by-url allowlist in the
hopes of reducing workload for the site request process. Does anyone know

* Why do we even have an allowlist for upload-by-url? I presume this is
to make it harder to upload a large amount of non-free files, but I'm
curious if there are any other reasons that I'm not aware of.

* If there aren't other reasons for having the allowlist, are there any
reasons other than "someone needs to work on it" that would not let us
move the allowlist to a system message that Commons administrators
can edit?

Yeah, I filed T140040 a few years ago to scrap the allowlist and just trust +sysop users (and let the community de-sysop them if they misuse or abuse it). Any change of this kind would need to be discussed in advance with the Commons community of course.

Switching the allowlist to an on-wiki page seems fine from my POV, though it might be worth exploring just setting it to * first before doing the extra work of migrating it?

J.
--
James D. Forrester (he/him or they/themself)
_______________________________________________
Sitereq-l mailing list -- sitereq-l@lists.wikimedia.org
List information: https://lists.wikimedia.org/postorius/lists/sitereq-l.lists.wikimedia.org/
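As an added illustration, written for this page and not code from MediaWiki or from anyone in the thread, here are the two controls the discussion turns on: an allowlist of hosts the server is willing to fetch from, in the shape of an editable on-wiki page as Taavi proposes, and a per-user byte budget covering the gap Martin points out (upload rate limits that do not bite for autopatrollers and above). The allowlist file format, the wildcard semantics, the refusal of literal IP addresses, and all function and class names are assumptions made for the example, not MediaWiki's own behaviour; the `*` entry stands in for James's "just set it to *" option.

```python
"""Standalone illustration of upload-by-url controls (not MediaWiki code).

Two defensive pieces: a host allowlist matched against the URL the user asks
the server to fetch, and a per-user byte budget so that no single account,
whatever its user group, can make the server pull unbounded data from a
third-party host. Formats and names are assumptions for this example.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Constructed sample allowlist, in the shape of an editable wiki page or
# system message: one entry per line, '#' starts a comment. (Assumed format.)
SAMPLE_ALLOWLIST_PAGE = """
# hosts Commons may fetch from
upload.example.org      # exact host
*.archive.example       # any subdomain of archive.example (not the apex)
"""


def parse_allowlist(text: str) -> list[str]:
    """Turn the page text into lowercase entries, dropping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if line:
            entries.append(line)
    return entries


def host_matches(host: str, entry: str) -> bool:
    """Exact match, or suffix match for '*.domain' entries (assumed semantics).

    The suffix keeps its leading dot so '*.archive.example' cannot match
    'evilarchive.example'; the apex 'archive.example' is not matched either.
    """
    host = host.lower().rstrip(".")
    if entry.startswith("*."):
        return host.endswith(entry[1:])
    return host == entry


def check_upload_url(url: str, allowlist: list[str]) -> tuple[bool, str]:
    """Decide whether the server may fetch `url` on a user's behalf.

    Returns (allowed, reason). Literal IP addresses are refused even when the
    allowlist is '*', because they let a requester aim the fetch at loopback,
    link-local or private-range infrastructure rather than a public host.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        ipaddress.ip_address(host)
        return False, "literal IP addresses are not allowed"
    except ValueError:
        pass  # a hostname, not an IP literal: continue
    if "*" in allowlist:
        return True, "allowlist is open (*)"
    if any(host_matches(host, entry) for entry in allowlist):
        return True, f"host {host} is allowlisted"
    return False, f"host {host} is not in the allowlist"


class FetchBudget:
    """Per-user cap on bytes fetched within a sliding window.

    Counts bytes rather than requests because the amplification concern is the
    volume pulled from the target, not the number of API calls. Call reserve()
    with the declared size (e.g. Content-Length) before streaming the body.
    """

    def __init__(self, max_bytes: int, window_seconds: int):
        self.max_bytes = max_bytes
        self.window = window_seconds
        self._log: dict[str, list[tuple[float, int]]] = {}

    def reserve(self, user: str, nbytes: int, now: float) -> bool:
        """Record `nbytes` for `user` at time `now` if it fits the window budget."""
        recent = [(t, n) for (t, n) in self._log.get(user, []) if now - t < self.window]
        used = sum(n for _, n in recent)
        if used + nbytes > self.max_bytes:
            self._log[user] = recent
            return False
        recent.append((now, nbytes))
        self._log[user] = recent
        return True


if __name__ == "__main__":
    allowlist = parse_allowlist(SAMPLE_ALLOWLIST_PAGE)
    for candidate in ("https://upload.example.org/a.jpg",
                      "https://files.archive.example/b.png",
                      "https://archive.example/c.png",
                      "https://upload.example.org.evil.test/d.jpg",
                      "http://10.0.0.5/e.jpg"):
        print(candidate, check_upload_url(candidate, allowlist))
```

The budget is deliberately independent of user groups: a group-based exemption is exactly the gap the thread describes, so the byte cap applies to everyone and only the numbers would differ per site.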