Hi all,
Me again, bear with me...
I emailed the list a while back about the IT Development pages, the issues with the Wiki etc. - I've seen today a number of edits (e.g. https://wikimedia.org.uk/wiki/Special:Diff/82820) which attempt to potentially explain the changes, but fall a bit short, as I initially suggested here (https://wikimedia.org.uk/wiki/Special:Diff/82828).
I've attempted to fix some of the bigger issues with the wiki ( https://wikimedia.org.uk/wiki/Engine_room#Recent_changes_to_MediaWiki_namesp...), but a lot boils down to the fact you're using a very old, insecure version of MediaWiki and PHP ( https://wikimedia.org.uk/wiki/Engine_room#Installed_versions_of_MediaWiki_an... ).
In regards to my comments about approaching the WMF to host the Wiki, I had this task pointed out to me (https://phabricator.wikimedia.org/T58938) which I found odd, especially some of the comments by your volunteers.
I do not understand why Wikimedia UK migrated from a free, secure, managed MediaWiki installation to a VPS which I assume is either donated or is costing the charity money, and which isn't kept up to date?
This doesn't strike me as an effective use of charity funds and volunteer time, and has unfortunately resulted in a MediaWiki install which is outdated and insecure (see CVE-2019-12468 https://nvd.nist.gov/vuln/detail/CVE-2019-12468 as just one example of an exploit against the currently installed version).
As the UK chapter of the Wikimedia Foundation, running this MediaWiki installation is likely to "negatively impact the work or image of the Foundation" if exploited. Could someone please help me in understanding the decisions which led to moving away from the WMF infrastructure? Was there a conflict of mission?
I appreciate I am "causing waves" here, and I *honestly don't want to be* - Wikimedia UK has been a charity I've supported for quite some time, you do great work and I thank you for your commitment to open access to knowledge! How can we work together to resolve this? I'm fairly available this week and would be more than happy to chat with someone about how we can fix this.
Kind regards,
*Sam*
Hi Sam
Thanks for your email. I'd be very happy to chat this week - although it would make sense to do so with one or two of my colleagues as well. Can we take this off list just to co-ordinate schedules? We can of course keep the mailing list up to date with our discussions.
Best wishes Lucy
On Mon, 1 Nov 2021 at 21:39, Sam (TheresNoTime) sam@theresnotime.co.uk wrote:
Hi all,
Me again, bear with me...
I emailed the list a while back about the IT Development pages, the issues with the Wiki etc. - I've seen today a number of edits (e.g. https://wikimedia.org.uk/wiki/Special:Diff/82820) which attempt to potentially explain the changes, but fall a bit short, as I initially suggested here (https://wikimedia.org.uk/wiki/Special:Diff/82828).
I've attempted to fix some of the bigger issues with the wiki ( https://wikimedia.org.uk/wiki/Engine_room#Recent_changes_to_MediaWiki_namesp...), but a lot boils down to the fact you're using a very old, insecure version of MediaWiki and PHP ( https://wikimedia.org.uk/wiki/Engine_room#Installed_versions_of_MediaWiki_an... ).
In regards to my comments about approaching the WMF to host the Wiki, I had this task pointed out to me (https://phabricator.wikimedia.org/T58938) which I found odd, especially some of the comments by your volunteers.
I do not understand why Wikimedia UK migrated from a free, secure, managed MediaWiki installation to a VPS which I assume is either donated or is costing the charity money, and which isn't kept up to date?
This doesn't strike me as an effective use of charity funds and volunteer time, and has unfortunately resulted in a MediaWiki install which is outdated and insecure (see CVE-2019-12468 https://nvd.nist.gov/vuln/detail/CVE-2019-12468 as just one example of an exploit against the currently installed version).
As the UK chapter of the Wikimedia Foundation, running this MediaWiki installation is likely to "negatively impact the work or image of the Foundation" if exploited. Could someone please help me in understanding the decisions which led to moving away from the WMF infrastructure? Was there a conflict of mission?
I appreciate I am "causing waves" here, and I *honestly don't want to be*
- Wikimedia UK has been a charity I've supported for quite some time, you
do great work and I thank you for your commitment to open access to knowledge! How can we work together to resolve this? I'm fairly available this week and would be more than happy to chat with someone about how we can fix this.
Kind regards,
*Sam* _______________________________________________ Wikimedia UK mailing list wikimediauk-l@wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikimediauk-l WMUK: https://wikimedia.org.uk
Just as a quick PS, I feel I should mention that the decisions you refer to took place several years before I joined the organisation (as per the phabricator thread) and so I will probably need to try to piece together why certain things happened with imperfect knowledge...but I will certainly do my best!
On Mon, 1 Nov 2021 at 21:39, Sam (TheresNoTime) sam@theresnotime.co.uk wrote:
Hi all,
Me again, bear with me...
I emailed the list a while back about the IT Development pages, the issues with the Wiki etc. - I've seen today a number of edits (e.g. https://wikimedia.org.uk/wiki/Special:Diff/82820) which attempt to potentially explain the changes, but fall a bit short, as I initially suggested here (https://wikimedia.org.uk/wiki/Special:Diff/82828).
I've attempted to fix some of the bigger issues with the wiki ( https://wikimedia.org.uk/wiki/Engine_room#Recent_changes_to_MediaWiki_namesp...), but a lot boils down to the fact you're using a very old, insecure version of MediaWiki and PHP ( https://wikimedia.org.uk/wiki/Engine_room#Installed_versions_of_MediaWiki_an... ).
In regards to my comments about approaching the WMF to host the Wiki, I had this task pointed out to me (https://phabricator.wikimedia.org/T58938) which I found odd, especially some of the comments by your volunteers.
I do not understand why Wikimedia UK migrated from a free, secure, managed MediaWiki installation to a VPS which I assume is either donated or is costing the charity money, and which isn't kept up to date?
This doesn't strike me as an effective use of charity funds and volunteer time, and has unfortunately resulted in a MediaWiki install which is outdated and insecure (see CVE-2019-12468 https://nvd.nist.gov/vuln/detail/CVE-2019-12468 as just one example of an exploit against the currently installed version).
As the UK chapter of the Wikimedia Foundation, running this MediaWiki installation is likely to "negatively impact the work or image of the Foundation" if exploited. Could someone please help me in understanding the decisions which led to moving away from the WMF infrastructure? Was there a conflict of mission?
I appreciate I am "causing waves" here, and I *honestly don't want to be*
- Wikimedia UK has been a charity I've supported for quite some time, you
do great work and I thank you for your commitment to open access to knowledge! How can we work together to resolve this? I'm fairly available this week and would be more than happy to chat with someone about how we can fix this.
Kind regards,
*Sam* _______________________________________________ Wikimedia UK mailing list wikimediauk-l@wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikimediauk-l WMUK: https://wikimedia.org.uk
No worries Lucy, I imagined that would be the case :) As I said, I *really* don't want to be causing problems and I hope my email reflects that..
Thank you for your attention to this, and please do reach out off-list
Kind regards,
*Sam*
User:TheresNoTime https://en.wikipedia.org/wiki/User:TheresNoTime
*English Wikipedia: CU/OS*
On Mon, 1 Nov 2021 at 22:30, Lucy Crompton-Reid < lucy.crompton-reid@wikimedia.org.uk> wrote:
Just as a quick PS, I feel I should mention that the decisions you refer to took place several years before I joined the organisation (as per the phabricator thread) and so I will probably need to try to piece together why certain things happened with imperfect knowledge...but I will certainly do my best!
On Mon, 1 Nov 2021 at 21:39, Sam (TheresNoTime) sam@theresnotime.co.uk wrote:
Hi all,
Me again, bear with me...
I emailed the list a while back about the IT Development pages, the issues with the Wiki etc. - I've seen today a number of edits (e.g. https://wikimedia.org.uk/wiki/Special:Diff/82820) which attempt to potentially explain the changes, but fall a bit short, as I initially suggested here (https://wikimedia.org.uk/wiki/Special:Diff/82828).
I've attempted to fix some of the bigger issues with the wiki ( https://wikimedia.org.uk/wiki/Engine_room#Recent_changes_to_MediaWiki_namesp...), but a lot boils down to the fact you're using a very old, insecure version of MediaWiki and PHP ( https://wikimedia.org.uk/wiki/Engine_room#Installed_versions_of_MediaWiki_an... ).
In regards to my comments about approaching the WMF to host the Wiki, I had this task pointed out to me (https://phabricator.wikimedia.org/T58938) which I found odd, especially some of the comments by your volunteers.
I do not understand why Wikimedia UK migrated from a free, secure, managed MediaWiki installation to a VPS which I assume is either donated or is costing the charity money, and which isn't kept up to date?
This doesn't strike me as an effective use of charity funds and volunteer time, and has unfortunately resulted in a MediaWiki install which is outdated and insecure (see CVE-2019-12468 https://nvd.nist.gov/vuln/detail/CVE-2019-12468 as just one example of an exploit against the currently installed version).
As the UK chapter of the Wikimedia Foundation, running this MediaWiki installation is likely to "negatively impact the work or image of the Foundation" if exploited. Could someone please help me in understanding the decisions which led to moving away from the WMF infrastructure? Was there a conflict of mission?
I appreciate I am "causing waves" here, and I *honestly don't want to be*
- Wikimedia UK has been a charity I've supported for quite some time, you
do great work and I thank you for your commitment to open access to knowledge! How can we work together to resolve this? I'm fairly available this week and would be more than happy to chat with someone about how we can fix this.
Kind regards,
*Sam* _______________________________________________ Wikimedia UK mailing list wikimediauk-l@wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikimediauk-l WMUK: https://wikimedia.org.uk
--
Lucy Crompton-Reid
Chief Executive
https://donate.wikimedia.org.uk/
Wikimedia UK https://beta.wikimedia.org.uk/ is the national chapter for the global Wikimedia open knowledge movement.
Wikimedia UK is a Registered Charity No.1144513.Company Limited by Guarantee registered in England and Wales, Registered No. 6741827.
Registered Office Ground Floor, Europoint, 5 - 11 Lavington Street, London SE1 0NZ https://maps.google.com/?q=5+-+11+Lavington+Street,+London+SE1+0NZ&entry=gmail&source=g .
Wikimedia UK mailing list wikimediauk-l@wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikimediauk-l WMUK: https://wikimedia.org.uk
Hi Sam,
I think it's worth you bearing in mind that WMUK is a separate legal entity from WMF, and as a charity registered in the UK, is subject to all of the UK regulations concerning data protection.
The contents of the WMUK wikis have, since at least 2013, contained some sensitive information that is not publicly accessible, such as the minutes of in camera sessions of Board meetings on the Board wiki, as well as potentially business-sensitive content on the staff wiki.
It was felt imperative in the past that the control of WMUK wikis must rest in the hands of the Board or delegated staff members.That would have to be the position in order to protect the organisation from any possible breaches of data protection if control did not ultimately lie with the Board. No setup that depended on the WMF servers could possibly satisfy that requirement and that was one of the principal reasons for WMUK using its own servers under its own control and with its own developers.
I appreciate your concern for WMUK, but I'm afraid that IMHO, it is misplaced as far as breaches of data security are concerned. The solution to using end-of-life versions of software is going to be to update them to newer versions, not to move the entire system elsewhere under the ultimate control of a foreign organisation.
Cheers
Hi all,
Following from what Doug and Charles have said: this was indeed part of the change to a dedicated tech system, from things running on my personal VPS and on the WMF servers. In case it's not clear: there are multiple wikis that WMUK hosts, not just the public one.
This was important for WMUK to be clearly separated from WMF, and it was also in a background of WMUK trying to improve its technical capacity - although this didn't quite go as I'd have liked to have see (would be really nice if WMUK did a WMDE and hosted the technical development of a Wikimedia project!).
It isn't too convenient, though - as well as the maintenance burden, you have to have separate logins, and you aren't connected with Wikidata (would have loved to connect Commons+WMUK wiki via Wikidata several times recently, but not possible!).
It's definitely worth having a fresh thinking through of how this works with WMUK's current situation and technical capacity!
Thanks, Mike
On 2/11/21 02:05:16, Rex X wrote:
Hi Sam,
I think it's worth you bearing in mind that WMUK is a separate legal entity from WMF, and as a charity registered in the UK, is subject to all of the UK regulations concerning data protection.
The contents of the WMUK wikis have, since at least 2013, contained some sensitive information that is not publicly accessible, such as the minutes of /in camera/ sessions of Board meetings on the Board wiki, as well as potentially business-sensitive content on the staff wiki.
It was felt imperative in the past that the control of WMUK wikis must rest in the hands of the Board or delegated staff members.That would have to be the position in order to protect the organisation from any possible breaches of data protection if control did not ultimately lie with the Board. No setup that depended on the WMF servers could possibly satisfy that requirement and that was one of the principal reasons for WMUK using its own servers under its own control and with its own developers.
I appreciate your concern for WMUK, but I'm afraid that IMHO, it is misplaced as far as breaches of data security are concerned. The solution to using end-of-life versions of software is going to be to update them to newer versions, not to move the entire system elsewhere under the ultimate control of a foreign organisation.
Cheers
--
Doug
On 01 November 2021 at 22:38 "Sam (TheresNoTime)" sam@theresnotime.co.uk wrote:
No worries Lucy, I imagined that would be the case :) As I said, I /really/ don't want to be causing problems and I hope my email reflects that..
Thank you for your attention to this, and please do reach out off-list
Kind regards,
*Sam*
User:TheresNoTime https://en.wikipedia.org/wiki/User:TheresNoTime/ /
/English Wikipedia: CU/OS/
On Mon, 1 Nov 2021 at 22:30, Lucy Crompton-Reid < lucy.crompton-reid@wikimedia.org.uk mailto:lucy.crompton-reid@wikimedia.org.uk> wrote:
Just as a quick PS, I feel I should mention that the decisions you refer to took place several years before I joined the organisation (as per the phabricator thread) and so I will probably need to try to piece together why certain things happened with imperfect knowledge...but I will certainly do my best! On Mon, 1 Nov 2021 at 21:39, Sam (TheresNoTime) < sam@theresnotime.co.uk <mailto:sam@theresnotime.co.uk>> wrote: Hi all, Me again, bear with me... I emailed the list a while back about the IT Development pages, the issues with the Wiki etc. - I've seen today a number of edits (e.g. https://wikimedia.org.uk/wiki/Special:Diff/82820 <https://wikimedia.org.uk/wiki/Special:Diff/82820>) which attempt to potentially explain the changes, but fall a bit short, as I initially suggested here ( https://wikimedia.org.uk/wiki/Special:Diff/82828 <https://wikimedia.org.uk/wiki/Special:Diff/82828>). I've attempted to fix some of the bigger issues with the wiki ( https://wikimedia.org.uk/wiki/Engine_room#Recent_changes_to_MediaWiki_namespace_files <https://wikimedia.org.uk/wiki/Engine_room#Recent_changes_to_MediaWiki_namespace_files>), but a lot boils down to the fact you're using a very old, insecure version of MediaWiki and PHP ( https://wikimedia.org.uk/wiki/Engine_room#Installed_versions_of_MediaWiki_and_PHP_are_end-of-life <https://wikimedia.org.uk/wiki/Engine_room#Installed_versions_of_MediaWiki_and_PHP_are_end-of-life>). In regards to my comments about approaching the WMF to host the Wiki, I had this task pointed out to me ( https://phabricator.wikimedia.org/T58938 <https://phabricator.wikimedia.org/T58938>) which I found odd, especially some of the comments by your volunteers . I do not understand why Wikimedia UK migrated from a free, secure, managed MediaWiki installation to a VPS which I assume is either donated or is costing the charity money, and which isn't kept up to date? This doesn't strike me as an effective use of charity funds and volunteer time, and has unfortunately resulted in a MediaWiki install which is outdated and insecure (see CVE-2019-12468 <https://nvd.nist.gov/vuln/detail/CVE-2019-12468> as just one example of an exploit against the currently installed version). As the UK chapter of the Wikimedia Foundation, running this MediaWiki installation is likely to "negatively impact the work or image of the Foundation" if exploited. Could someone please help me in understanding the decisions which led to moving away from the WMF infrastructure? Was there a conflict of mission? I appreciate I am "causing waves" here, and I _honestly don't want to be_ - Wikimedia UK has been a charity I've supported for quite some time, you do great work and I thank you for your commitment to open access to knowledge! How can we work together to resolve this? I'm fairly available this week and would be more than happy to chat with someone about how we can fix this. Kind regards, *Sam* _______________________________________________ Wikimedia UK mailing list wikimediauk-l@wikimedia.org <mailto:wikimediauk-l@wikimedia.org> https://lists.wikimedia.org/mailman/listinfo/wikimediauk-l <https://lists.wikimedia.org/mailman/listinfo/wikimediauk-l> WMUK: https://wikimedia.org.uk <https://wikimedia.org.uk> -- Lucy Crompton-Reid Chief Executive <https://donate.wikimedia.org.uk/> Wikimedia UK <https://beta.wikimedia.org.uk/>is the national chapter for the global Wikimedia open knowledge movement. Wikimedia UK is a Registered Charity No.1144513.Company Limited by Guarantee registered in England and Wales, Registered No. 6741827. Registered Office Ground Floor, Europoint, 5 - 11 Lavington Street, London SE1 0NZ <https://maps.google.com/?q=5+-+11+Lavington+Street,+London+SE1+0NZ&entry=gmail&source=g>. _______________________________________________ Wikimedia UK mailing list wikimediauk-l@wikimedia.org <mailto:wikimediauk-l@wikimedia.org> https://lists.wikimedia.org/mailman/listinfo/wikimediauk-l <https://lists.wikimedia.org/mailman/listinfo/wikimediauk-l> WMUK: https://wikimedia.org.uk <https://wikimedia.org.uk>
Wikimedia UK mailing list wikimediauk-l@wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikimediauk-l WMUK: https://wikimedia.org.uk
Wikimedia UK mailing list wikimediauk-l@wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikimediauk-l WMUK: https://wikimedia.org.uk
On Tue, 2 Nov 2021 at 09:38, Mike Peel email@mikepeel.net wrote:
(would be really nice if WMUK did a WMDE and hosted the technical development of a Wikimedia project!).
Isn't that QRpedia?
Has anything (technical or otherwise) been done with that, lately? Is anything planned?
On 2/11/21 12:51:24, Andy Mabbett wrote:
On Tue, 2 Nov 2021 at 09:38, Mike Peel email@mikepeel.net wrote:
(would be really nice if WMUK did a WMDE and hosted the technical development of a Wikimedia project!).
Isn't that QRpedia?
Has anything (technical or otherwise) been done with that, lately? Is anything planned?
I was thinking more on the lines of something like Wikisource. ;-) But this is a good question!
Thanks, Mike
Many thanks all for your comments and insights - I appreciate this is a question where the answer is not a simple one.
As to DPA/UK GDPR, fair points and not something I had considered.
I agree that upgrading to current versions of PHP/MediaWiki should be the immediate focus (board.wikimedia.org.uk *also* runs 1.31.0)
To your comments Mike irt "fresh thinking", perhaps WMUK would consider a hybrid approach? Maintaining your own private wiki(s) but having the public one hosted by WMF, which would give you the benefits of being SUL joined etc.
Kind regards,
*Sam*
User:TheresNoTime https://en.wikipedia.org/wiki/User:TheresNoTime
*English Wikipedia: CU/OS*
On Tue, 2 Nov 2021 at 12:54, Mike Peel email@mikepeel.net wrote:
On 2/11/21 12:51:24, Andy Mabbett wrote:
On Tue, 2 Nov 2021 at 09:38, Mike Peel email@mikepeel.net wrote:
(would be really nice if WMUK did a WMDE and hosted the technical development of a Wikimedia project!).
Isn't that QRpedia?
Has anything (technical or otherwise) been done with that, lately? Is anything planned?
I was thinking more on the lines of something like Wikisource. ;-) But this is a good question!
Thanks, Mike _______________________________________________ Wikimedia UK mailing list wikimediauk-l@wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikimediauk-l WMUK: https://wikimedia.org.uk
On 01 November 2021 at 22:29 Lucy Crompton-Reid lucy.crompton-reid@wikimedia.org.uk wrote:
Just as a quick PS, I feel I should mention that the decisions you refer to took place several years before I joined the organisation (as per the phabricator thread) and so I will probably need to try to piece together why certain things happened with imperfect knowledge...but I will certainly do my best!
Yes, we are talking about events in 2013. Which I lived through, in a sense, though the chapter's website was not my concern at the time. There is a Board minutes category on the site. A place to start is
https://wikimedia.org.uk/wiki/Minutes_2012-07-26
in which the chapter hiring a developer is discussed. Such things that are documented will be in the "Approved Board minutes" category there; and possibly in the tech committee records, though those would not have been made public until 2013 for security reasons.
The overall context was migration of WMUK's work from a server run by Mike Peel to other hosting.
Now, what I remember about the decision in question, on the chapter website's hosting, was an issue about the needs of fundraising. Possibly that interacted with the needs of charity status, where the WMUK/WMF relationship was a touchy subject.
You'd need to someone closer to the Board at that time to comment further.
Charles
On 02 November 2021 at 08:31 Charles Matthews charles.r.matthews@ntlworld.com wrote:
You'd need to someone closer to the Board at that time to comment further.
I see that Doug Taylor had already commented, in a way that complements my contribution. (Not for the first time, a wikimedia email address landed something in my spam box.)
Charles
wikimediauk-l@lists.wikimedia.org