Hi all.
After a short talk with River and DaB, I have added a new rule to http://meta.wikimedia.org/wiki/Toolserver/Rules:
If you operate a bot from zedler, it must comply to the rules of each wiki it accesses. It must not edit anonymously - it may get blocked, and all other scripts on the toolserver along with it.
A few days before, DaB had added another one:
It is not allowed to ask a user for his/her password of one of the wikimedia-projects.
A system for user authentication using wiki accounts is under development.
As a reminder: DO read the rules page I linked to above. If you already have, do it again. Thank you.
-- Daniel
On 20/08/06, Daniel Kinzler daniel@brightbyte.de wrote:
As a reminder: DO read the rules page I linked to above. If you already have, do it again. Thank you.
A plaque.
We should invest in a plaque. With all the rules on, in English, German and an obscure middle-Eastern language (for PR purposes).
We're all, I think, sane enough users here, at varying levels of IT competence (but with, I hope, at least a basic competence in using an SSH client, and presumably SQL of some variety and at least one programming or major scripting language) - and I'd like to think I'm addressing a bunch of decent people. As the rules explain; Zedler is a shared system...more than one person uses it, and it's not a sodding supercomputer. We've all got to appreciate each other's space, and appreciate that we can't waste 40% of the CPU* for 12 hours** and not expect someone to get pissed off.
Security is everyone's responsibility, to some greater or lesser extent; after all, if Zedler goes down, then we've had it as far as tools go.
I'm a little concerned that a lot of new users are *not* in what I'd call "the original clique" - that is, the original, smaller group of users who everybody knew from somewhere and could vouch for the sanity of. That isn't, of course, to say that every new user account added means a total newbie has joined us, but it does mean we need to be more thoughtful and more alert with respect to possible issues.
Zedler's got issues; replication is, admittedly, extremely shite, for the most part, especially for the English Wikipedia database, and I totally concede that if this thing's going to be at all useful in the future, then we need to fix that. Best help is for us to be able to concentrate on cutting through the paperwork (ok, for DaB to be able to concentrate...) and avoid us having to jump into every minor issue that arises. :)
Rob Church
On 21/08/06, Rob Church robchur@gmail.com wrote:
A plaque.
We should invest in a plaque. With all the rules on, in English, German and an obscure middle-Eastern language (for PR purposes).
We're all, I think, sane enough users here, at varying levels of IT competence (but with, I hope, at least a basic competence in using an SSH client, and presumably SQL of some variety and at least one programming or major scripting language) - and I'd like to think I'm addressing a bunch of decent people. As the rules explain; Zedler is a shared system...more than one person uses it, and it's not a sodding supercomputer. We've all got to appreciate each other's space, and appreciate that we can't waste 40% of the CPU* for 12 hours** and not expect someone to get pissed off.
Security is everyone's responsibility, to some greater or lesser extent; after all, if Zedler goes down, then we've had it as far as tools go.
I'm a little concerned that a lot of new users are *not* in what I'd call "the original clique" - that is, the original, smaller group of users who everybody knew from somewhere and could vouch for the sanity of. That isn't, of course, to say that every new user account added means a total newbie has joined us, but it does mean we need to be more thoughtful and more alert with respect to possible issues.
Zedler's got issues; replication is, admittedly, extremely shite, for the most part, especially for the English Wikipedia database, and I totally concede that if this thing's going to be at all useful in the future, then we need to fix that. Best help is for us to be able to concentrate on cutting through the paperwork (ok, for DaB to be able to concentrate...) and avoid us having to jump into every minor issue that arises. :)
The missing footnotes:
* Yes, I know...I KNOW ** Well, nobody emailed me!
Rob Church
2006/8/21, Daniel Kinzler daniel@brightbyte.de:
Hi all.
After a short talk with River and DaB, I have added a new rule to http://meta.wikimedia.org/wiki/Toolserver/Rules:
If you operate a bot from zedler, it must comply to the rules of each wiki it accesses. It must not edit anonymously - it may get blocked, and all other scripts on the toolserver along with it.
A few days before, DaB had added another one:
It is not allowed to ask a user for his/her password of one of the wikimedia-projects.
A system for user authentication using wiki accounts is under development.
I think that this rule should be canceled until we have this system. Due to recent problems with one of my scripts I was going to create interface to allow some trusted users (or any user with more than 1000 edits except some blacklisted) to _stop_ any of my bots without blocking bot's account. Of course, such a tool should check which user is making this request; now the only way to do that is to ask password on Wikipedia.
On 21/08/06, Edward Chernenko edwardspec@gmail.com wrote:
I think that this rule should be canceled until we have this system. Due to recent problems with one of my scripts I was going to create interface to allow some trusted users (or any user with more than 1000 edits except some blacklisted) to _stop_ any of my bots without blocking bot's account. Of course, such a tool should check which user is making this request; now the only way to do that is to ask password on Wikipedia.
How do you intend to verify that the user is entering the correct password? You don't have access to the full user table, and certainly not the password hashes.
Rob Church
2006/8/21, Rob Church robchur@gmail.com:
How do you intend to verify that the user is entering the correct password? You don't have access to the full user table, and certainly not the password hashes.
This can be verified through normal login form (using some bot software like my MediaWiki perl module).
I think that this rule should be canceled until we have this system. Due to recent problems with one of my scripts I was going to create interface to allow some trusted users (or any user with more than 1000 edits except some blacklisted) to _stop_ any of my bots without blocking bot's account. Of course, such a tool should check which user is making this request; now the only way to do that is to ask password on Wikipedia.
you can easily verify a users identity by requesting them to make an edit with a predefined edit summary to their user page. Interiot is currently using that for the opt in of the edit counter.
I firmly believe that it's a bad idea to ask users for their password - it's convenient, sure, but it's an invitation to abuse. There should and will be a single, simple and reviewable way to authenticate. Please be patient.
-- Daniel
Hello, Am Montag, den 21.08.2006, 22:28 +0400 schrieb Edward Chernenko:
2006/8/21, Daniel Kinzler daniel@brightbyte.de:
A few days before, DaB had added another one:
It is not allowed to ask a user for his/her password of one of the wikimedia-projects.
A system for user authentication using wiki accounts is under development.
I think that this rule should be canceled until we have this system.
no, the rule is fine, because the possibility of collecting passwords is too dangerous.
Due to recent problems with one of my scripts I was going to create interface to allow some trusted users (or any user with more than 1000 edits except some blacklisted) to _stop_ any of my bots without blocking bot's account. Of course, such a tool should check which user is making this request; now the only way to do that is to ask password on Wikipedia.
You should just write a bot, which is not broken (and test it not from zedler). BTW: AT least dewp forbits bots, which are not controlled by a human (I can imagine, that other wikis do this the same way). So you must sit on your PC and can stop your bot yourself, if there is a problem.
Sincerly, DaB.
Due to recent problems with one of my scripts I was going to create interface to allow some trusted users (or any user with more than 1000 edits except some blacklisted) to _stop_ any of my bots without blocking bot's account. Of course, such a tool should check which user is making this request; now the only way to do that is to ask password on Wikipedia.
You could allow stopping from irc to any with a wikipedia/ or wikimedia/ mask. I'm sure a wikipedian with mask can be easily found on irc. However this restrict by irc "affiction". Some other bots use posting on their talk page to be stopped (on detecting the "You have new messages"). But this would allow to stop it to anybody...
2006/8/22, Platonides platonides@gmail.com:
Some other bots use posting on their talk page to be stopped (on detecting the "You have new messages"). But this would allow to stop it to anybody...
Of course, I can check history when this message is detected, but the problem is with interwiki bots: it's impossible to stop such a bot until it returns to wiki where it received a message.
2006/8/21, Daniel Kinzler daniel@brightbyte.de:
you can easily verify a users identity by requesting them to make an edit with a predefined edit summary to their user page. Interiot is currently using that for the opt in of the edit counter.
That's good solution. Someone should: 1. make a dummy edit on special page (like 'User:Edwardspec_TalkBot/Stop') with script name as edit summary. 2. make request to CGI script which should check whether this user is trusted and stop running bot.
Of course, all bots should include 'script_name' into summary of all edits.
toolserver-l@lists.wikimedia.org