I'm definitely supportive of greater security for sitewide JS/CSS, but
Bart's proposal is an interesting one. (Sorry for top posting, on mobile)
What if we required review of edits to JS/CSS in the MediaWiki namespace
(not in other namespaces), à la pending changes or something similar? We
require code review in Gerrit, so why not sitewide code in the wiki?
I propose this because if we split code editing rights into a separate
userright, this entails increased process bloat for managing who does and who
doesn't get the right, the criteria for deciding that, and so on. Requiring
code review would allow for more flexibility while increasing security. It
would require less process bloat too because the community already has
mechanisms for requesting edits be confirmed via talk pages and such.
On Mon, Jun 11, 2018 at 8:15 AM Bart Humphries <bart.humphries(a)gmail.com>
wrote:
"I remember a situation when I posted a fix for a script in the MediaWiki
namespace as an {{edit request}}, and a well-meaning administrator tried to
"improve" my line of code and forgot a comma, breaking all JavaScript for all
logged-in as well as not logged-in Wikipedia editors and readers for some
painful minutes"
Everyone makes mistakes. I presume that under this revised proposal, that
administrator would still have had JS edit permission, and might have still
made the mistake. I mean, they apparently knew JS well enough to have been
able to pass whatever test would have been required to get that permission
added to their account.
Perhaps we need a real test environment of some sort, so that changes like
that must be run on the test server for X [time period] before being pushed
to live? Changes can't happen on live until there's some sort of consensus
that the test code actually works as run -- any additional changes reset
the test time period counter before it can be pushed to live.
Bart Humphries
bart.humphries(a)gmail.com
(909)529-BART(2278)
On Mon, Jun 11, 2018 at 7:40 AM, Thiemo Kreuz <thiemo.kreuz(a)wikimedia.de>
wrote:
> Is there any historical evidence that sysops being able to edit JS / CSS
> caused some serious issues?
Oh yes, this happens more often than I feel it needs to. I remember a
situation when I posted a fix for a script in the MediaWiki:…
namespace as an {{edit request}}, and a well-meaning administrator
tried to "improve" my line of code and forgot a comma, breaking all
JavaScript for all logged-in as well as not logged-in Wikipedia
editors and readers for some painful minutes.
I believe such can be avoided with more clear roles that are visible
for everybody. A separate "tech admin" role would also allow
volunteers to apply for exactly that, and not be asked why they don't
do enough "administrator actions" with their privileges.
Sure, this is anecdotal evidence. Please forgive me, but I currently
don't have the time to find the pages documenting these situations.
Best
Thiemo
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l