I've just found out that WMF's Bugmeister Andre Klapper removed "nearly everyone"'s Bugzilla adminship (and people with root access on the servers now have access to a file which contains login details for an 'emergency admin' account). So I have some questions:
* Who was removed?
* Who still has access?
** Is the list on https://meta.wikimedia.org/wiki/System_administrators still up to date?
Also please ban the account of the user who created https://bugzilla.wikimedia.org/show_bug.cgi?id=50029
Alex Monk
On 22 June 2013 22:33, Alex Monk krenair@gmail.com wrote:
I've just found out that WMF's Bugmeister Andre Klapper removed "nearly everyone"'s Bugzilla adminship (and people with root access on the servers now have access to a file which contains login details for an 'emergency admin' account). So I have some questions:
This wasn't a sudden removal - Andre discussed it with ops and emailed *every* admin first, so it's far less dramatic than you may think. He's also been working on https://wikimediafoundation.org/wiki/Bugzilla_administrator_rights_policy, which I believe has approval from the relevant people (I can't think who that is off the top of my head).
* Who was removed?
* Who still has access?
** Is the list on https://meta.wikimedia.org/wiki/System_administrators still up to date?
The list was slightly out of date, I just fixed it. You can view the history (https://meta.wikimedia.org/w/index.php?title=System_administrators/table&action=history) of the transcluded table to see who was removed.
Also please ban the account of the user who created https://bugzilla.wikimedia.org/show_bug.cgi?id=50029
Done, thanks.
On 2013-06-22 6:49 PM, "Thehelpfulone" thehelpfulonewiki@gmail.com wrote:
On 22 June 2013 22:33, Alex Monk krenair@gmail.com wrote:
I've just found out that WMF's Bugmeister Andre Klapper removed "nearly everyone"'s Bugzilla adminship (and people with root access on the servers now have access to a file which contains login details for an 'emergency admin' account). So I have some questions:
This wasn't a sudden removal - Andre discussed it with ops and emailed *every* admin first, so it's far less dramatic than you may think. He's also been working on https://wikimediafoundation.org/wiki/Bugzilla_administrator_rights_policy, which I believe has approval from the relevant people (I can't think who that is off the top of my head).
Be that as it may, it still would have been nice for this to be publicly discussed (or at least publicly announced) especially given the current political controversies surrounding rights removals from wmf services.
-bawolff
I'd also like to know this information. Being a Bugzilla admin and helping out with the bug workflow and security issues and whatnot has always been something I've wanted to do. But if the WMF is trying to consolidate for some reason...
--
Tyler Romeo
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerromeo@gmail.com
On 06/22/2013 03:02 PM, Brian Wolff wrote:
On 2013-06-22 6:49 PM, "Thehelpfulone" thehelpfulonewiki@gmail.com wrote:
On 22 June 2013 22:33, Alex Monk krenair@gmail.com wrote:
I've just found out that WMF's Bugmeister Andre Klapper removed "nearly everyone"'s Bugzilla adminship (and people with root access on the servers now have access to a file which contains login details for an 'emergency admin' account).
Details: https://wikitech.wikimedia.org/wiki/Bugzilla.wikimedia.org#How_to_log_in_as_...
So I have some questions:
This wasn't a sudden removal - Andre discussed it with ops and emailed *every* admin first, so it's far less dramatic than you may think. He's also been working on https://wikimediafoundation.org/wiki/Bugzilla_administrator_rights_policy, which I believe has approval from the relevant people (I can't think who that is off the top of my head).
Be that as it may, it still would have been nice for this to be publicly discussed (or at least publicly announced) especially given the current political controversies surrounding rights removals from wmf services.
-bawolff
Thehelpfulone, thanks for the quick response here.
Andre and I have both been traveling today, and I think he might still be traveling for the next day or so, so I want to say what I know as we wait for something more definitive from Andre.
Andre mentioned the plans and linked to the draft guidelines in the April engineering report https://blog.wikimedia.org/2013/05/02/wikimedia-engineering-april-2013-repor... , and mentioned the reduction in the number of Bugzilla administrators in the May report https://blog.wikimedia.org/2013/06/10/wikimedia-engineering-may-2013-report/ , and I'm sorry you didn't see those. What can we do to ensure that more people see those updates? Regardless, perhaps we should have advertised the change more broadly.
I know Andre reached out to every existing Bugzilla admin, to WMF Operations, and to the WMF legal department during this process; I believe that he's just finalized the policy https://wikimediafoundation.org/wiki/Bugzilla_administrator_rights_policy with Legal late last week per https://www.mediawiki.org/wiki/Bug_management/status#2013-06-14 , and he's been at a conference all this week. Once it was finalized we should have communicated it more widely; this coming week I'll consult with Guillaume and Andre to make sure that happens.
Tyler wrote:
I'd also like to know this information. Being a Bugzilla admin and helping out with the bug workflow and security issues and whatnot has always been something I've wanted to do. But if the WMF is trying to consolidate for some reason...
One thing Andre did when reaching out to current administrators was to figure out what sorts of work they did and wanted to do, so as to properly use *groups* rather than simply giving out admin access for all those reasons. Chris Steipp wrote, "Giving users a special-purpose group instead of administrator supports w:Least_privilege, which is a good thing." ( https://www.mediawiki.org/wiki/User_talk:AKlapper_%28WMF%29/BugzillaAdminPol... )
My understanding is that approximately everyone who had their admin access removed simply got membership in groups to do the things they wanted to do, e.g., create new products, components, milestones, etc. For instance, James Forrester went from BZ admin to having pretty much all rights except BZ admin (edit users, products, components, milestones, and see security bugs). I am no longer a BZ admin since the reduction, so I don't know who's got what privileges, but I know it's not just Foundation staff. For some more details on what kinds of tasks require (or might require) Bugzilla admin rights, see https://wikimediafoundation.org/wiki/Bugzilla_administrator_rights_policy#Ta... and http://blogs.gnome.org/aklapper/2013/05/28/understanding-bugzilla-groups-and... . Basically, people can do administrative stuff without being BZ administrators.
We're definitely interested in helping people help Wikimedia on bug workflow and security issues! It would be necessary for you to sign a nondisclosure agreement to access security bugs or to get BZ admin access to edit the workflow, I believe (from my reading of the policy). But Andre would know more. Andre?
On Sun, Jun 23, 2013 at 2:31 AM, Sumana Harihareswara <sumanah@wikimedia.org> wrote:
My understanding is that approximately everyone who had their admin access removed simply got membership in groups to do the things they wanted to do, e.g., create new products, components, milestones, etc. For instance, James Forrester went from BZ admin to having pretty much all rights except BZ admin (edit users, products, components, milestones, and see security bugs). I am no longer a BZ admin since the reduction, so I don't know who's got what privileges, but I know it's not just Foundation staff. For some more details on what kinds of tasks require (or might require) Bugzilla admin rights, see https://wikimediafoundation.org/wiki/Bugzilla_administrator_rights_policy#Ta... and http://blogs.gnome.org/aklapper/2013/05/28/understanding-bugzilla-groups-and... . Basically, people can do administrative stuff without being BZ administrators.
This makes a lot of sense. In other words, it wasn't so much as "all the admins were removed" as it was "all the admins were categorized by what they need to be able to do". In that case I totally understand the shift.
The only thing I'd recommend is to still maintain a public list of who has what rights, mainly for the purpose of contact info should somebody need something done in Bugzilla or have a question.
--
Tyler Romeo
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerromeo@gmail.com
I've linked the new policy from [[mw:Bugzilla]]. (In general, some sort of announcement when policies are enacted would be nice.) I didn't remember hearing of any such new policy coming and the only mention of rights removal was James_F on IRC saying he no longer was admin but was still able to add editbugs to users; reading the page I remember I read some version of it, but I only saw 1) general advice on coordination, 2) some principles + the recent thing about NDA we already heard before, 3) docs on bugzilla software. So it didn't look like anything was changing.
Nemo
Trying to reply to this thread in one message:
On Sat, 2013-06-22 at 22:33 +0100, Alex Monk wrote:
I've just found out that WMF's Bugmeister Andre Klapper removed "nearly everyone"'s Bugzilla adminship
Thanks for everybody's comments, and especially Sumana for quickly summarizing the situation while I was offline.
There might be some misconception about what "Bugzilla admin rights" means. "admin" sounds powerful, but in general Bugzilla admin rights are only required for a few rather uncommon actions. Also see http://blogs.gnome.org/aklapper/2013/05/28/understanding-bugzilla-groups-and...
The only *common* action that requires admin rights is editing permissions of other Bugzilla users [1], and this is definitely an area to reevaluate if things get worse, e.g. our reaction to spamming in Bugzilla. It might not be a good reason for more admins per se, but maybe for more admins in different timezones... :-)
I tried to keep the policy short and simple: https://wikimediafoundation.org/wiki/Bugzilla_administrator_rights_policy
Trying to work transparently, I also kept https://meta.wikimedia.org/w/index.php?title=System_administrators#List up-to-date (I kept Bugzilla users with "editusers" rights listed as admins [1], that's why there was a diff that Thehelpfulone corrected), and I mentioned the policy in my (nearly weekly) status updates [3], in an IRC office hour [4], and in monthly reports [5].
But it looks like I failed to recognize expectations on communicating this more widely because of the small number of currently affected people (~20) which I had contacted beforehand, and I ignored informing future Bugzilla admins out there which would also be affected by this. I'm sorry for that, it was (and still is) planned to announce this more widely, but I wasn't fast enough. :-/
So this is not about cutting out volunteers or so, as we have the same amount of Bugzilla admin volunteers as a few months ago. This is about giving people more fine-grained permissions for those tasks that they actually perform. The principle of least privilege.
When ~30 people can change taxonomy or settings in Bugzilla like before, people do not always inform each other and sometimes duplicate efforts [2] and create inconsistency (e.g. adding subproject-specific but systemwide keywords). This is something to avoid, hence the policy.
Version 4.2 of Bugzilla that we run now finally creates a log of taxonomy changes. It is planned to set up a cronjob to regularly inform me (and other admins interested) of changes that took place [6], as another backup source of information (it does not fully replace *discussing* the usefulness of a change first, though).
I hope this covers most of the concerns. If you have more questions or if something is unclear, please don't hesitate to ask!
Thanks, andre
[1] Editing users requires "editusers" rights, but with "editusers" rights you can also edit your own account and make yourself an admin.
[2] MediaWiki/Javascript component vs javascript keyword vs bug 2114, "newparser" keyword vs Parsoid product, "analytics" keyword vs. Analytics product, "newphp" keyword vs PHP4.x tracking bug 30092, "tracking" keyword vs tracking meta bug 2007, to mention a few still existing examples of missing coordination.
[3] http://www.mediawiki.org/wiki/Bug_management/status
[4] http://meta.wikimedia.org/wiki/IRC_office_hours/Office_hours_2013-05-13
[5] https://blog.wikimedia.org/2013/05/02/wikimedia-engineering-april-2013-repor... and https://blog.wikimedia.org/2013/06/10/wikimedia-engineering-may-2013-report/
[6] https://gerrit.wikimedia.org/r/#/c/56562/
Andre Klapper aklapper@wikimedia.org wrote:
[...]
Version 4.2 of Bugzilla that we run now finally creates a log of taxonomy changes. It is planned to set up a cronjob to regularly inform me (and other admins interested) of changes that took place [6], as another backup source of information (it does not fully replace *discussing* the usefulness of a change first, though).
[...]
Perhaps we could dump the taxonomy regularly to a wiki? Then non-admins could watch that page and keep themselves informed as well.
Tim
Hi Tim,
On Mon, 2013-06-24 at 15:14 +0000, Tim Landscheidt wrote:
Perhaps we could dump the taxonomy regularly to a wiki? Then non-admins could watch that page and keep themselves informed as well.
Could you file an enhancement request in bugzilla.wikimedia.org under "Wikimedia > Bugzilla" so we won't forget?
Thanks, andre