Jens Frank wrote:
We'll create some new indexes that should improve site performance. To do this, we need to set the wikis to read only at 3 a.m. UTC (5 a.m. Berlin/Paris, about 10 p.m. Chicago). The downtime will take about 2 hours.
While we're on this, that would be a good time to run the password hash salting.
We'd originally held off on that because a migration to shared user accounts could change user IDs (and thus the salt), breaking all password hashes. However, it looks like the type of shared account system we'll end up with is going to be a central account + local accounts, and a mass migration isn't necessary: people will 'upgrade' their accounts and be able to punch in their password for confirmation at the time.
For that type of scheme the salt will not be an issue, so we've got no excuse not to do it.
(For those who didn't notice, Slashdot ran a scaremongering "story" today about a list of troll accounts Tim made almost a year ago by comparing password hashes under the title "Wikipedia Leaks Some Users' Passwords". Slashdot's fun, but it's not journalism; don't expect to ever get an e-mail from a Slashdot editor asking for comment or confirmation on facts... Anyway, at least it reminded us we haven't finished the salted hash transition.)
-- brion vibber (brion @ pobox.com)
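
An added illustration, not part of the original message and not the project's own code: it shows why salting with the user ID stops the hash comparison mentioned in the thread from grouping accounts, and why changing a user ID would invalidate the stored hash. The hash function, the `id-hash` construction, and the sample accounts are assumptions made for this example.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample accounts: (user_id, name, password). Not real data.
ACCOUNTS = [
    (101, "Alice", "correct horse"),
    (102, "TrollA", "hunter2"),
    (103, "TrollB", "hunter2"),
    (104, "TrollC", "hunter2"),
]

def _h(data: str) -> str:
    # Stand-in hash function (assumption); the thread does not name the one in use.
    return hashlib.sha256(data.encode("utf-8")).hexdigest()

def unsalted_hash(password: str) -> str:
    return _h(password)

def salted_hash(user_id: int, password: str) -> str:
    # Assumed construction: the user ID is mixed in as a per-account salt.
    return _h(f"{user_id}-{_h(password)}")

def shared_hash_groups(table):
    """Return sorted groups of account names whose stored hashes are identical."""
    groups = defaultdict(list)
    for name, stored in table:
        groups[stored].append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def verify(user_id: int, password: str, stored: str) -> bool:
    return hmac.compare_digest(salted_hash(user_id, password), stored)

def demo():
    unsalted = [(n, unsalted_hash(p)) for _, n, p in ACCOUNTS]
    salted = [(n, salted_hash(uid, p)) for uid, n, p in ACCOUNTS]
    stored = salted_hash(102, "hunter2")
    return {
        # Equal passwords give equal unsalted hashes, so the accounts cluster.
        "unsalted_groups": shared_hash_groups(unsalted),
        # With the user ID as salt, every stored hash is distinct.
        "salted_groups": shared_hash_groups(salted),
        "same_id_verifies": verify(102, "hunter2", stored),
        # A migration that renumbers the account (hypothetical new ID 9102)
        # changes the salt, so the correct password no longer verifies.
        "renumbered_id_verifies": verify(9102, "hunter2", stored),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```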