On 10/28/15, MZMcBride z@mzmcbride.com wrote:
Ricordisamoa wrote:
ALL of my OAuth applications expired without anyone noticing. Whom am I supposed to lobby to get one approved?
Hi.
This rant doesn't seem very random. :-)
This sounds like https://phabricator.wikimedia.org/T67750 (you're already subscribed). Also https://phabricator.wikimedia.org/T61772 and https://phabricator.wikimedia.org/T103587.
I don't really understand why an approvals process exists. When I asked in 2014, the answer was "we weren't sure how it was going to be used, and what way we would need to extend the protocol." It's been over a year and I still don't really know what that means. That same note indicated a willingness to fully re-examine the OAuth workflow, so given that it's now late 2015, here are the options I see, in order of preference:
- kill the approvals queue altogether;
- distribute the approvals process to the Wikimedia stewards;
- distribute the approvals process to additional Wikimedia Foundation employees; or
- keep the status quo.
It's difficult for me to figure out how realistic option 1 (killing the queue) is because I continue to have an incomplete understanding of OAuth and specifically why an approvals process was ever put into place.
Given that several Wikimedians have complained about the speed of the approvals process, it seems like option 4 (keeping the current situation) is a no-go. That leaves us with options 2 and 3 (expanding the pool of approvers) as the most straightforward choices.
Even if we implemented options 2 or 3 immediately, the lack of external visibility into the queue and the lack of notifications for queue submissions would very likely also need to be addressed. Option 1 would obviate the need for such additional features, of course.
MZMcBride
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
The response on https://meta.wikimedia.org/wiki/Talk:Requests_for_comment/OAuth_handover suggests that meta admins aren't thrilled about the idea of taking this over, although most of that seems to be due to uncertainty about what the consequences are of a bad app getting approved.
Based on that page, the reasons for a queue seem to boil down to wanting the approver to be able to verify that the app is not malicious, the app respects privacy and the app is not a desktop client.
I'm not sure how necessary all of that is, especially for apps with only normal edit rights or less. If an app maintainer tries to pull anything silly, we can just block it. Users can already be tricked into giving their password to someone malicious; at least this way we can easily keep track of what's going on.
-- -bawolff