On 10/28/15, MZMcBride <z(a)mzmcbride.com> wrote:
> Ricordisamoa wrote:
> > ALL of my OAuth applications expired without anyone noticing. Whom am I
> > supposed to lobby to get one approved?
>
> Hi.
>
> This rant doesn't seem very random. :-)
>
> This sounds like <https://phabricator.wikimedia.org/T67750> (you're
> already subscribed). Also <https://phabricator.wikimedia.org/T61772> and
> <https://phabricator.wikimedia.org/T103587>.
>
> I don't really understand why an approvals process exists. When I asked in
> 2014, the answer was "we weren't sure how it was going to be used, and
> what way we would need to extend the protocol." It's been over a year and
> I still don't really know what that means. That same note indicated a
> willingness to fully re-examine the OAuth workflow, so given that it's now
> late 2015, here are the options I see, in order of preference:
>
> * kill the approvals queue altogether;
> * distribute the approvals process to the Wikimedia stewards;
> * distribute the approvals process to additional Wikimedia Foundation
>   employees; or
> * keep the status quo.
>
> It's difficult for me to figure out how realistic option 1 (killing the
> queue) is because I continue to have an incomplete understanding of OAuth
> and specifically why an approvals process was ever put into place.
>
> Given that several Wikimedians have complained about the speed of the
> approvals process, it seems like option 4 (keeping the current situation)
> is a no-go. That leaves us with options 2 and 3 (expanding the pool of
> approvers) as the most straightforward choices.
>
> Even if we implemented options 2 or 3 immediately, the lack of external
> visibility into the queue and the lack of notifications for queue
> submissions would very likely also need to be addressed. Option 1 would
> obviate the need for such additional features, of course.
>
> MZMcBride
>
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l(a)lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
The response on
https://meta.wikimedia.org/wiki/Talk:Requests_for_comment/OAuth_handover
suggests that meta admins aren't thrilled about the idea of taking
this over, although most of that seems due to uncertainty about what
the consequences are of a bad app getting approved.
Based on that page, the reasons for a queue seem to boil down to
wanting the approver to be able to verify that the app is not
malicious, the app respects privacy and the app is not a desktop
client.
I'm not sure how necessary all that is, especially for apps with only
normal edit rights or less. If an app maintainer tries to pull
anything silly, we can just block it. Users can already be tricked
into giving their password to someone malicious; at least this way we
can easily keep track of what's going on.
--
-bawolff