Hello, On Sunday, 27.08.2006, at 04:07 +0200, Purodha B Blissenbach wrote:
If there is the rule not to ask for user account data, of course I'm going to follow that, even if it might mean that one of my planned tools cannot be hosted on toolserver.
This is my current state of thought:
(1) [Historic facts. Skip if in hurry] When we made the transit from the Ripuarian Test Wikipedia on http://dergruenepunk.de/ to the Wikimedia Server cluster, we had to transfer user accounts, including credits for edits. I created a little tool that asked for user name and password on BOTH servers, tried to simultaneously login on both of them, and, if successful, noted only the two user names on each server as being owned by the same person.
I hated the idea of having to ask for passwords. I had the tool on an https capable server though, so they were fairly safe, and of course never stored anywhere but in memory or http requests.
I have no idea how the identity of the users could have been established otherwise - assuming that hashed and seeded passwords could not be copied from one server to another, leaving alone the fact that none of the admins had the necessary access privileges to do that.
I think we can make an exception for this, when this tool has a planned timespan of running and you pledge to not save these passwords in any form.
(2) I am planning a tool to 'bulk' insert redirects for spelling variants, such as /colou?r/ i.e. /(color|colour)/ or slightly more complicated ones. ;-) There are way more than 100 dialects in the Ripuarian Wikipedia, and currently the only way to handle their variations is by sets of redirects.
I was planning to grant registered users access to the tool, and have the tool insert redirects in their names, so as to establish proper credit for the work, and possibly trace troll activity, respectively allow admins and experienced users to individually support users making mistakes.
Also here, I do not like the idea of asking for passwords and having to pass them on, but cannot imagine how else the (imho valid) goal could be reached otherwise.
I have no problem to use another host for that tool, should that be an acceptable option, but that is not my intention in the first place, of course.
Not attributing generated redirects to the proper user is imho a bad idea. Tell me why I'm wrong ;-) Allowing only admins, etc. is too big a burden, and does not remove the need to authenticate.
Hmm, I don't think it's a good idea to run a bot in a user-context, because it is harder to block when it's out of control. The second point is that it fakes the edit-count of a user.
So if you really like to run this tool, please use another server.
Greetings.
Purodha
Sincerely, DaB.