Wikitech-l June 2008

wikitech-l@lists.wikimedia.org

86 participants
93 discussions

Bug 14443
by Max Semenik 09 Jun '08

09 Jun '08

(https://bugzilla.wikimedia.org/show_bug.cgi?id=14443) I tried to ask on #wikimedia-tech, but received no reply. Can someone look up server logs for indication what's failing? Thanks. -- Max Semenik ([[User:MaxSem]])

1 0

loading of extensions in 1.12 slow?
by Travis (wikiHow) 09 Jun '08

09 Jun '08

Hi, We're in the process of upgrading from 1.9 to 1.12 (I know I know I know...), and it seems that the including of extensions is taking a long time. Profile from 1.9: 26.449 WebStart.php-conf 24.659 Setup.php 1.362 Setup.php-includes 2.117 Setup.php-misc1 1.020 Setup.php-memcached 0.570 Setup.php-SetupSession 0.117 Setup.php-globals 0.052 Setup.php-User 0.017 Setup.php-misc2 18.543 Setup.php-extensions Seems fast, but 1.12: 594.761 WebStart.php-conf 0.012 WebStart.php-ob_start 207.409 Setup.php 50.838 Setup.php-includes 8.691 Setup.php-misc1 6.780 __autoload 9.632 Setup.php-memcached 0.685 __autoload 0.564 Setup.php-SetupSession 0.197 Setup.php-globals 0.046 Setup.php-User 0.023 Setup.php-misc2 128.051 Setup.php-extensions This is pretty slow. It seems like for WebStart, having multiple inclusions like this: require_once('extensions/wikihow/SpecialThankAuthors.php'); slows things down. Has something changed, or did we miss flipping a switch in the upgrade? What about Setup.php, does that have the same issue? Thanks, Travis

4 9

TorBlock extension enabled
by FT2 08 Jun '08

08 Jun '08

Comments on several of today's posts: "Every wiki is different" isn't a superficial thing. Major structures such as sysop, arbcom, checkuser usage, and probably vandalism and abuse profiles and so on, vary greatly between the WMF wikis. What's being discussed here is an extension that affects those, and where checkusers on one wiki are making representations that the extension's default setting, as mooted by some, badly match the experienced needs and abuse profile of that wiki, which would be better dealt with by hard blocking. That shouldn't be a major contention. Checkusers are the ones who are aware of these things, and the contention's not made that all wikis should do this, just that the one wiki whose community of checkusers is strongly representing that a hard block system is more needed and a soft block approach a serious problem, should be listened to. The same users also point out that they also have a tool in active use to allow bypassing for those with genuine need, a process to make that reasonably available, and that "not an experiment" applies here. This is the reply to GerardM and Platonides - the tool may be WMF wide but each project may (like many tools) have it individually configured. Nobody here is saying "wikinews (or other projects) shouldn't do what they need". They're just saying "don't force Wikinews' ideal solution on all wikis", including those whose checkusers pretty much all see the problems and all object. Likewise the comment, "even our public figures, people living in the "free world" are harassed, stalked, threatened...Rape, murder, the use of sulphuric acid they are the kind of threats that are issued" ... in fact, most en wiki checkusers are on its Arbitration Committee mailing list, and see exactly the threats that go on. So they don't need to be advised what can happen, or how to evaluate it; almost all enwiki checkusers are in a position they can judge for themselves that need and balance, and how (un)common. And yet, after knowing that, this is still the overwhelming view of multiple independent checkusers for that project. That should make one pause and think hard if maybe they know what they're saying, when they ask for this one project to gain a specific tor handling. After all most enwiki checkusers value freedom too, we're also one of the early adopters of IP block exemption to specifically allow users with a need, to override hard tor blocks. For the record, so there is no misassumption, confirming Andrew's comment that he has only the best interests of the project at heart. That was my impression of his stance. Where we've not resolved things is more, that Andrew hopes there is a "wriggle" that would mean tor wouldn't need hard blocking on en wiki... and despite trying I've just not yet come close to that view, nor a way that might bypass the need via software :-/ So I have to stand and say I would still rather when TorBlock is configured, let the config for en wiki be a hard block norm, not a soft block one. I have no urge to propose what other projects might find individually best, or the settings which may fit their profile of vandalism and experience, other than to encourage them to choose based on their own project's needs too, which they presumably will. The en wiki preference (if a general stance can be drawn from this thread) is a default to hard-block, plus exemption, rather than a default to soft-block, plus retrospective abuse handling. Not a demand that any other wiki does differently than what is best for them, or that all projects must do so. FT2

1 0

TorBlock extension enabled
by FT2 08 Jun '08

08 Jun '08

> Living in a Western democracy doesn't necessarily mean that you can surf > the web or use internet services freely, look at all those blocks for > Bittorrent, the dozens of blocks for Nazi hosters, and especially the > German court decision about YouPorn, which actually led to >2 million > websites being invisible by Arcor customers; they can only be helped > through proxys (though I don't think watching porn via proxys is good). > > Marco Most ISPs and indeed most places generally, even workplaces, don't block Wikipedia. "Argumentum ad YouPorn" won't really apply. FT2

2 1

TorBlock extension enabled
by FT2 07 Jun '08

07 Jun '08

> Andrew Garrett andrew at epstone.net > Sat Jun 7 08:28:10 UTC 2008 > > I had a discussion with FT2 on IRC a few hours ago. He said that he > would be happy to have a soft-block, with these provisions: > 1. A special page exists which allows the monitoring of recent tor > edits. Perhaps Special:Recentchanges/tor? > 2. A new protection level is added, which allows tor users to be > prevented from editing an article, which, for instance, has concerns > with regard to sockpuppeting and so on. > > What do others think of these? > > -- > Andrew Garrett Apologies, I sadly need to correct this. We spoke at length. The topic was Andrews question "what software or other measures might mean I would feel able to change my current view and endorse a soft-block approach to tor". We spoke at length exploring ideas, one of which was perhaps a way to protect a page so that tor could not be used on it (unless a user who was specifically IP block exempt). This was joint exploration of a difficult problem, and the question was a good one. However about an hour into the conversation I came to understand that TorBlock was not now going to be used as I had thought, to require a long autoconfirm (many days + many edits). Even with a long "autoconfirm" period I was not sure any solution below hard blocking was possible. But we tried to see if we could find ideas anyway. With my understanding corrected, and no "long extended period" I dead-ended. With regret I therefore have to correct the mis-impression that I would be "happy" to have a soft-block on these conditions. I tried hard, and both of us talked for a long time, exploring many novel options, but I was not able to find any that did the job short of hard blocking, even so :-/ I'm very very sorry if I had left Andrew with that incorrect impression. We tried hard to brainstorm "what could be done in software that might make it practicable to avoid ". We looked at many ideas, and did so positively and constructively. But ultimately nothing came up that would actually fix the main problem at all, other than hard blocking, and that remains therefore my current view on it. Tor hard blocked + IP block exemption for those needing it. We just get too much tor abuse (including quite sophisticated abuse) to do less on this specific wiki, even if it is not that way on other wikis. :-/ FT2

1 0

IPv6 problem
by shi zhao 07 Jun '08

07 Jun '08

via IPv6 tunnel sixxs.org acess wikimedia. In edit mode, all external links force add suffix ".sixxs.org", and save. IPv4 can't acess these links. see http://en.wikipedia.org/w/index.php?title=Special%3ALinksearch&target=*.six… http://toolserver.org/~eagle/linksearch?search=*.sixxs.org&totalwikis=57 -- Chinese wikipedia: http://zh.wikipedia.org/ My blog: http://talk.blogbus.com [[zh:User:Shizhao]]

4 3

Password hash format
by Tim Starling 07 Jun '08

07 Jun '08

Password hashes were the hobby horse that first convinced me to get involved in MediaWiki programming, back in 2003. Here's my outraged post: http://marc.info/?l=wikitech-l&m=104904771815534&w=2 The relevant code was the first code I wrote for MediaWiki. Looking back now, my immaturity as a programmer at the time shows through, and if someone tried to submit something similarly naive today, I'd hope that we'd have a few senior developers around (e.g. me) to point out its problems and send it back for a rewrite. The idea was to use md5($userId.'-'.md5($password)) as a hash. This has a number of problems: * There's no way to tell whether a hash is in the old style or the new style. So migration is difficult and error-prone. * The migration issues will be repeated every time we have to change hash functions, which might be every decade or so due to improving cryptanalysis and computing power. * It links the password to the user ID, making it impossible to transfer passwords from one user to another. * The salt always has the same value on single-user wikis (1), so it's insecure. The obvious solution is to attach the salt to the hash. Luckily user_password has been a tinyblob since the dawn of time, so we're not space-constrained. We could store the salt in a different field (like what's done in CentralAuth), but that wouldn't solve quite so many of the problems listed above. So I've committed a hash format change, so that salted hashes look like this: :B:a2a5c3b9:44ebabb085ce78dd20c2d59c51e4080c That is, a type "B" hash, with salt "a2a5c3b9" and MD5 hash "44ebabb085ce78dd20c2d59c51e4080c". The way the salt and the password are mixed together is the same as in the old system, so you can migrate to this password format simply by prepending :B: and the user ID. Unsalted hashes look like this: :A:d41d8cd98f00b204e9800998ecf8427e Password hashes will be migrated to the :A: or :B: style on upgrade, and after that, you'll be able to switch $wgPasswordSalt on and off at will, and all passwords will continue to work. Before upgrade, the software will understand the old-style hashes, but it requires $wgPasswordSalt to be set correctly. When we eventually migrate from MD5 to Tiger/192 or whatever, we can introduce a type "C" hash and then convert the old hashes at our leisure. This change has been on my mind for a while, but the immediate motivation is bug 14330. -- Tim Starling

7 7

TorBlock to specific, why not create a SimpleTor Extension?
by DanTMan 07 Jun '08

07 Jun '08

TorBlock is a bit to specific in what it does for how generic half the code is. Part of what TorBlock does is the actual identification of Tor exit nodes, however that's not something specific to TorBlock. There are a lot of other uses like CheckUser identification, extensions to note Tor usage in places in the UI, or even alternative things like ConfirmEdit could require captcha from an anon Tor user rather than flat blocking anon Tor users depending on local policy. But basically what I'm saying is, just like how we have SimpleRegex which is used by two or more of the Regex based extensions, It would be nice if half of TorBlock was cut out into a SimpleTor extension which would handle the basic parts of identifying Tor nodes. Then we could make features in other extensions depend on SimpleTor and use it's shared functionality to build those checks in. -- ~Daniel Friesen(Dantman) of: -The Nadir-Point Group (http://nadir-point.com) --It's Wiki-Tools subgroup (http://wiki-tools.com) --Games-G.P.S. (http://ggps.org) -And Wikia ACG on Wikia.com (http://wikia.com/wiki/Wikia_ACG)

2 2

TorBlock extension enabled
by FT2 06 Jun '08

06 Jun '08

Some notes on experience of tor, and IP block extension, and the use of TorBlock on enwiki TORBLOCK AND TOR USAGE: Enwiki for some reason seems to get a lot of heavy duty sock usage and editing abuse. Tor is highly abused, enough that tor has a "hard block on sight" approach pretty much. About a month ago, IP block extension was enabled on enwiki. This was rolled out carefully on all sides, in view of past rollouts that had not gone smoothly. It was a success. The developers did not enable it until there was a clear communal consensus backed by a clear community policy. The community created that policy and allowed it to stabilize. The issues were considered carefully and a balanced approach created, which to date has worked very well. IP block exemption has broadly, two main uses -- a good-faith editor who wishes to use their native IP, which is range-blocked for abuse prevention, and an editor who is firewalled and cannot access WMF IP's safely other than via an anonymizing proxy system such as Tor. Unfortunately IP block exemption is also gold dust for account abusers - we have on enwiki regular cases of extremely skilful sock-puppet abusers, including at least two sock-masters who went as far as to get +sysop on a new account, specifically in order to modify blocking of tor proxies, to enable their other socks to edit in a manner that would defeated checkuser. We resolved this by instigating an IP block exemption policy that was very strict, to ensure admins wouldn't abuse the grant of the right (and could be verified to have done so wrongly if needed) - those whose native IPs are blocked can request IP exemption /provided/ they don't use it to edit via a proxy (which means they remain low risk and any admin can handle granting it), and any user wanting to edit via an anonymizing proxy has their request discussed first by the community, to prevent admins quietly giving it to their socks and making excuses later. So far it's worked well, a dozen or so users on vandal ranges, two Chinese editors, a number of bots, and a user who after discussion was agreed to be trusted not to sock, have all been given IP block exemption. What is relevant in all this, for TorBlock, is the communal agreement that Tor (and other anonymizing proxies) are a special case, and that we treat them on enwiki as ideally /not/ to be used other than under exceptional conditions such as hard anti-vandal range blocks (if confirmed) and the Chinese or other firewalls (subject to communal consensus). We haven't mass-blocked them before simply because of the technical problems of doing so. I cannot speak for other wikis, but with IP block exemption working out so well, we probably have no real need to keep tor open at all. The ability to defeat CheckUser is an admin right, permits easy socking, and requires a degree of communal trust. If there is a genuine need, then we have it in place, now, that the request will be considered communally and if agreed, granted. The strictness of the process has meant that this right can be given when genuinely helpful, without major concerns over abuse. All wikis differ, but on enwiki, the option I would expect most sensible, would be hard blocking of all tor nodes for a reasonable time, or until they have ceased to be tor nodes for a while. (I understand that other wikis may find autoconfirmed or other settings more useful instead.) Enwiki checkusers almost unanimously have a view that tor and other proxies are a major source of disruptive editing. We have IP block exemption in place; tor seems to be a preferred route for problem editing, and if someone does need to edit via tor for a legitimate reason we can easily accommodate it via IP block exemption. MARKING OF EDITS A second issue, the marking of edits (revisions/diffs/contribs/history/checkuser/oversight) as having been made via a tor node, would be extremely helpful. For enwiki, one option might be to show this to admins or wider users, as well as checkusers. I've summed up the emails covering this, below. Best, FT2 ----- cu-list email #1 (Response to comment that there are many wikis with different needs) Nobody is disputing that different wikis have different needs. The enwiki project (as pointed out) has IP block exemption enabled, and has checkusers who strongly feel that project would benefit from hard blocking tor in this extension's use. Other projects (as you and others rightly point out) may have completely different needs and views. What I guess this means is, the tor extension needs to be per-wiki configured, but that's hardly a surprise. Ie, same as settings for other features that vary between projects. ----- Email #2 (Response re concern that tor is fluid) As I understand it, the extension updates its cache of tor nodes every hour, and edits are marked as "tor" if they come from a node that's currently stated to be tor, not just "was a tor node some time in the last 2 months". It's apparently very specific that at or within a very few hours of the edit it was actively indexed as a tor exit node, hence its usefulness. Werdna has confirmed. ----- Email #3 & #4 (Response on WMF privacy policy) >From time to time, 1/ general information such as ISP/country are in fact placed on-wiki during the course of a checkuser case, and 2/ this is specifically endorsed by WMF guidance/help information for checkusers. >From [[Meta:Help:Checkuser]], the main WMF guidance page, the full quote: June 2008: "Wikimedia privacy policy: [...] The following information is commonly permissible. This list is not comprehensive, and cannot replace the checkuser's judgment... [...] the ISP edited from, if it is large enough that the information is not personally identifiable; the country, which is generally not personally identifiable." The first versions of the WMF guidance/help page from October 2005 stated the same: Oct 2005: "If they're on a large ISP (e.g. AOL, NTL, BT, Telstra), they're one of millions and it's not personally identifiable." "Revealing the country is generally not personally identifiable (e.g. "User:Querulous is coming in from the UK, User:Sockpuppet is coming in from Canada")." http://meta.wikimedia.org/w/index.php?title=Help:CheckUser&oldid=226259 To support the statement that this is followed in practice as well as "on paper", a quick search gave some specific case examples: [[RFCU/Case/Cplot]] - "I have pinpointed a couple of Illinois Comcast addresses" ... "The IPs come from Sprint PCS" [[User:MER-C/Blu_Aardvark_RFCU]] - "Usual group of AOL and CenturyTel IPs" [[RFCU/Case/JB196]] - "he has resorted to using anonymous AOL Proxies" [[RFCU/Case/Tajik]] - "Unrelated. Anoshirawan is in the US." If naming a country or (large) ISP would not be considered a privacy issue, then a flag indicating "this edit was made via tor" is not a privacy issue either. It in no way is personally identifying to say "this edit was made via an anonymizer". What does matter is the potential it has, for drawing attention to a user and encouraging speculative or bad faith conclusions (eg: "they use tor so they must be a sock/hiding something/up to no good/etc"). I'd be tempted to limit it primarily for the latter reason rather than for privacy reasons. In general it may not be a bad thing to let admins see that info in contribs, diffs and edit histories, as admins do a lot of the initial multiple account spotting for the project. Not making it public to all, and limiting it to admins, will cut most of the problematic usage. As privacy policy doesn't seem to be an apparent issue, the core question about "who is safe to know" is much more about avoidance of unhelpful, unfair, and often tenuous speculation. I think admins are probably safe on the whole, to trust with that level of information. Worth trialling anyway; and agreeing it may vary by wiki. ----- Email #5 (Response to impact of auto-tor blocking) Noted that since anon IPs don't get even autoconfirmed, and Werdna's new extension would block tor edits unless at a minimum autoconfirmed (and optionally may hard block them on some projects), then under what circumstances will unlogged-in IPs be able to make edits to WMF projects via tor in future? Is the information that an anon edit was made via tor, likely to arise, or actually be meaningful, in future? ----- Email #6 (Comment on publicity of TorBlock settings) In any event, can we perhaps agree to keep private the exact requirements for TorBlock extension to allow tor editing on projects, much as we do the length of time that checkuser data is kept, for the same reason -- if it's apparently "large", and a specific limit is not well known, then it won't be so readily gamed. Best, FT2

3 2

Re: [Wikitech-l] [MediaWiki-CVS] SVN: [35960] trunk/phase3
by Chad 06 Jun '08

06 Jun '08

On Thu, Jun 5, 2008 at 8:46 PM, <brion(a)svn.wikimedia.org> wrote: > Revision: 35960 > Author: brion > Date: 2008-06-06 00:46:56 +0000 (Fri, 06 Jun 2008) > > Log Message: > ----------- > Revert r35901 -- UI regressions (ipb_already_blocked appears to have changed format, spewing giant red HTML all over everything) > > Modified Paths: > -------------- > trunk/phase3/RELEASE-NOTES > trunk/phase3/includes/SpecialBlockip.php > trunk/phase3/languages/messages/MessagesEn.php > > Modified: trunk/phase3/RELEASE-NOTES > =================================================================== > --- trunk/phase3/RELEASE-NOTES 2008-06-05 23:59:42 UTC (rev 35959) > +++ trunk/phase3/RELEASE-NOTES 2008-06-06 00:46:56 UTC (rev 35960) > @@ -338,7 +338,6 @@ > * (bug 14385) "Move subpages" option no longer tries to move to invalid titles > * (bug 14386) Fix subpage namespace oddity when moving a talk page > * (bug 11771) Signup form now not shown if in read-only mode. > -* (bug 10080) Users can now modify an existing block without unblocking first. > * (bug 12859) $wgRateLimitsExcludedGroups has been deprecated in favor of > $wgGroupPermissions[]['noratelimit']. > * (Bug 13828) Split parameter $1 of MediaWiki:Missingarticle into $1 (=title) > > Modified: trunk/phase3/includes/SpecialBlockip.php > =================================================================== > --- trunk/phase3/includes/SpecialBlockip.php 2008-06-05 23:59:42 UTC (rev 35959) > +++ trunk/phase3/includes/SpecialBlockip.php 2008-06-06 00:46:56 UTC (rev 35960) > @@ -47,32 +47,10 @@ > # var $BlockEmail; > > function IPBlockForm( $par ) { > - global $wgRequest, $wgUser, $wgLang; > + global $wgRequest, $wgUser; > > $this->BlockAddress = $wgRequest->getVal( 'wpBlockAddress', $wgRequest->getVal( 'ip', $par ) ); > $this->BlockAddress = strtr( $this->BlockAddress, '_', ' ' ); > - $this->AlreadyBlocked = false; > - > - if( $this->BlockAddress && !$wgRequest->wasPosted() ){ > - $this->mBlock = new Block(); > - if( $this->mBlock->load($this->BlockAddress) ) { > - $this->AlreadyBlocked = true; > - $this->BlockReason = wfMsgForContent( 'ipb_modifying_block' ); > - $this->BlockReasonList = $wgRequest->getText( 'wpBlockReasonList' ); > - $this->BlockExpiry = wfMsg('ipbotheroption'); > - $this->BlockOther = $wgLang->timeanddate( $this->mBlock->mExpiry ); > - $this->BlockAnonOnly = $wgRequest->getBool( 'wpAnonOnly', true ); > - $this->BlockCreateAccount = $wgRequest->getBool( 'wpCreateAccount', true ); > - $this->BlockEnableAutoblock = $wgRequest->getBool( 'wpEnableAutoblock', true ); > - $this->BlockEmail = $wgRequest->getBool( 'wpEmailBan', false ); > - $this->BlockEmail = $this->mBlock->mBlockEmail; > - $this->BlockWatchUser = $wgRequest->getBool( 'wpWatchUser', false ); > - # Re-check user's rights to hide names, very serious, defaults to 0 > - $this->BlockHideName = ( $this->mBlock->mHideName && $wgUser->isAllowed( 'hideuser' ) ) ? 1 : 0; > - return true; > - } > - } > - > $this->BlockReason = $wgRequest->getText( 'wpBlockReason' ); > $this->BlockReasonList = $wgRequest->getText( 'wpBlockReasonList' ); > $this->BlockExpiry = $wgRequest->getVal( 'wpBlockExpiry', wfMsg('ipbotheroption') ); > @@ -133,10 +111,6 @@ > wfMsgForContent( 'ipbreasonotherlist' ), '', 'wpBlockDropDown', 4 ); > > global $wgStylePath, $wgStyleVersion; > - if( $this->AlreadyBlocked ) { > - $wgOut->addHTML( Xml::element( 'p', array ( 'class' => 'error' ), > - wfMsg( 'ipb_already_blocked', $this->BlockAddress ) ) ); > - } > $wgOut->addHTML( > Xml::tags( 'script', array( 'type' => 'text/javascript', 'src' => "$wgStylePath/common/block.js?$wgStyleVersion" ), '' ) . > Xml::openElement( 'form', array( 'method' => 'post', 'action' => $titleObj->getLocalURL( "action=submit" ), 'id' => 'blockip' ) ) . > @@ -384,10 +358,7 @@ > if (wfRunHooks('BlockIp', array(&$block, &$wgUser))) { > > if ( !$block->insert() ) { > - // Block already exists. Silently delete the existing block and insert it again > - $oldblock = Block::newFromDB( $this->BlockAddress ); > - $oldblock->delete(); > - $block->insert(); > + return array('ipb_already_blocked', htmlspecialchars($this->BlockAddress)); > } > > wfRunHooks('BlockIpComplete', array($block, $wgUser)); > > Modified: trunk/phase3/languages/messages/MessagesEn.php > =================================================================== > --- trunk/phase3/languages/messages/MessagesEn.php 2008-06-05 23:59:42 UTC (rev 35959) > +++ trunk/phase3/languages/messages/MessagesEn.php 2008-06-06 00:46:56 UTC (rev 35960) > @@ -2360,9 +2360,7 @@ > 'block-log-flags-noemail' => 'e-mail blocked', > 'range_block_disabled' => 'The sysop ability to create range blocks is disabled.', > 'ipb_expiry_invalid' => 'Expiry time invalid.', > -'ipb_already_blocked' => 'Caution: "$1" is already blocked. > -You can modify the block settings by using this form.', > -'ipb_modifying_block' => 'Modifying existing block:', > +'ipb_already_blocked' => '"$1" is already blocked', > 'ipb_cant_unblock' => 'Error: Block ID $1 not found. It may have been unblocked already.', > 'ipb_blocked_as_range' => 'Error: The IP $1 is not blocked directly and cannot be unblocked. > It is, however, blocked as part of the range $2, which can be unblocked.', > > > > _______________________________________________ > MediaWiki-CVS mailing list > MediaWiki-CVS(a)lists.wikimedia.org > https://lists.wikimedia.org/mailman/listinfo/mediawiki-cvs > Yes, ipb_already_blocked was repurposed for use as the "This user has already been blocked, but you can modify if if you'd like" message. Is there a problem with it being reused, or it being spit out with class="error"? -Chad

2 1

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

Wikitech-l June 2008