Small wikis are, from this specific security issue, full of risks. I think this element should be taken into account.
Restricting css/js editing may be a patch for a short time, but our infrastructure is pretty vulnerable; our users can be injected with malicious js by editing thousands of pages on any among hundreds of wikis.
Vito
2018-07-10 20:51 GMT+02:00 Strainu strainu10@gmail.com:
2018-07-10 20:38 GMT+03:00 Alex Monk krenair@gmail.com:
On 10 July 2018 at 12:06, Bodhisattwa Mandal <bodhisattwa.rgkmc@gmail.com> wrote:
- Not all communities have been informed about this future change ( Technical_Village_Pumps_distribution_list )
The plan appears to be to do this, maybe it just hasn't happened yet: https://meta.wikimedia.org/wiki/Talk:Creation_of_separate_user_group_for_editing_sitewide_CSS/JS#Announcement_plan
- The comments in the meta talk page suggest that there is no intention to get opinions from editor community members. Everything seems to be pre-decided by the developer community and we don't have other options but to accept the proposal without proper discussion. ( https://meta.wikimedia.org/wiki/Talk:Creation_of_separate_user_group_for_editing_sitewide_CSS/JS )
It's a software security decision so editor community acceptance of this change is optional, but there is an attempt to get the opinions of editor community members (if there wasn't there wouldn't even be a page on meta about this). These rights should never have been bundled with sysop rights, they are incredibly dangerous and more on the level of bureaucrat/steward than anything else in the sysop rights list.
- Many admins from smaller wikis have expressed their concerns that this decision will severely affect the workflow of those wikis, but none of these concerns are addressed.
I don't see how. The current local group the rights are granted by is bureaucrat-grantable, and the new local group the rights will be granted by will be bureaucrat-grantable.
The problem is that smaller wikis don't have bureaucrats either and there have been some very harsh proposals on that talk page with regards to how the user right should be provided by stewards. Having some kind of global policy (like the one you propose below) before deploying would probably ease a lot of the fears.
- Many editors have expressed concern over just 2 week short notice period for this transition. But that concern is also not addressed.
If we were to say that stewards would be allowed to assign the rights to any existing local admin (without extra discussion) on the conditions that:
1) they were an admin at the time of the group losing its rights and have not lost any local rights since
2) there have been no local bureaucrats active on the wiki since the change.
I think this would be fine.
I agree with the proposal, but it seems rather orthogonal to the transition period. There are all kinds of possible situations and communities are rather responsive more than pro-active on these subjects. As someone pointed out on the talk page, there is no real reason to hurry the deployment so much. The fact that it was announced in the tech news is a good first step, but it seems like a good idea to now take the time to do things properly.
Strainu
Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and https://meta.wikimedia.org/wiki/Wikimedia-l
New messages to: Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe