ALL of my OAuth applications expired without anyone noticing. Whom am I supposed to lobby to get one approved?
On 10/27/15, Ricordisamoa ricordisamoa@openmailbox.org wrote:
ALL of my OAuth applications expired without anyone noticing. Whom am I supposed to lobby to get one approved?
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
I suppose these people: https://meta.wikimedia.org/w/index.php?title=Special%3AListUsers&usernam...
-- -bawolff
On Tue, Oct 27, 2015 at 11:23 PM, Brian Wolff bawolff@gmail.com wrote:
On 10/27/15, Ricordisamoa ricordisamoa@openmailbox.org wrote:
ALL of my OAuth applications expired without anyone noticing. Whom am I supposed to lobby to get one approved?
I suppose these people:
https://meta.wikimedia.org/w/index.php?title=Special%3AListUsers&usernam...
Yes, bug one of us for now. I talked with the Stewards about taking on the process last week, and we're in the process of making that transition.
I think the point of the approval process is that I don't install OAuth app key in the application like Vicuña (https://github.com/yarl/vicuna).
This is the only argument I have heard in favor of keeping the review queue, and yet, I don't see how such an issue would be caught in review of a consumer application.
Is there a clearly good reason that we need to continue this review process? If not, I find it very frustrating that we're slowing things down so much because of imagined boogie-men. The idea of permission-just-in-case-someone-does-a-bad-thing is opposed to the wiki model of keeping things as open as possible and addressing problems as they happen. In the meantime, we're encouraging bad behavior by making the OAuth system such a pain to work with. I understand that you're doing this in your free time csteipp, but the pain of delays is still inflicted on tool developers all the same. Maybe it is inappropriate that such a key infrastructure (and official requirement for Labs-based tools) is left up to volunteer time of someone who is apparently overworked.
1. How long is this transition process supposed to take?
2. Should I start making my argument to the Stewards now?
3. Is there a public conversation about this transition that I can participate in?
-Aaron
On Wed, Oct 28, 2015 at 10:50 AM, Chris Steipp csteipp@wikimedia.org wrote:
On Tue, Oct 27, 2015 at 11:23 PM, Brian Wolff bawolff@gmail.com wrote:
On 10/27/15, Ricordisamoa ricordisamoa@openmailbox.org wrote:
ALL of my OAuth applications expired without anyone noticing. Whom am I supposed to lobby to get one approved?
I suppose these people:
https://meta.wikimedia.org/w/index.php?title=Special%3AListUsers&usernam...
Yes, bug one of us for now. I talked with the Stewards about taking on the process last week, and we're in the process of making that transition.
On Wed, Oct 28, 2015 at 10:10 AM, Aaron Halfaker ahalfaker@wikimedia.org wrote:
- Is there a public conversation about this transition that I can participate in?
Yes! https://meta.wikimedia.org/wiki/Requests_for_comment/OAuth_handover
Bryan
Sorry, I know about that RFC Bryan. I was referring to the conversation with the Stewards about "taking on the process" that Chris referred to.
On Wed, Oct 28, 2015 at 11:39 AM, Bryan Davis bd808@wikimedia.org wrote:
On Wed, Oct 28, 2015 at 10:10 AM, Aaron Halfaker ahalfaker@wikimedia.org wrote:
- Is there a public conversation about this transition that I can participate in?
Yes! https://meta.wikimedia.org/wiki/Requests_for_comment/OAuth_handover
Bryan
Bryan Davis Wikimedia Foundation bd808@wikimedia.org [[m:User:BDavis_(WMF)]] Sr Software Engineer Boise, ID USA irc: bd808 v:415.839.6885 x6855
On Wed, Oct 28, 2015 at 9:10 AM, Aaron Halfaker ahalfaker@wikimedia.org wrote:
Is there a clearly good reason that we need to continue this review process? If not, I find it very frustrating that we're slowing things down so much because of imagined boogie-men. The idea of permission-just-in-case-someone-does-a-bad-thing is opposed to the wiki model of keeping things as open as possible and addressing problems as they happen. In the meantime, we're encouraging bad behavior by making the OAuth system such a pain to work with. I understand that you're doing this in your free time csteipp, but the pain of delays is still inflicted on tool developers all the same. Maybe it is inappropriate that such a key infrastructure (and official requirement for Labs-based tools) is left up to volunteer time of someone who is apparently overworked.
I'm very happy for other people to join this process. I believe there's an open bug about making approvals automatic for non-controversial rights. Patches welcome.
- How long is this transition process supposed to take?
Not defined yet.
- Should I start making my argument to the Stewards now?
About what? If you have something that's not controversial, ping one of the admins, and I'm sure you can get your Consumer approved today.
- Is there a public conversation about this transition that I can participate in?
The RFC is the correct place. The Stewards are just getting back from travelling so I don't think we've started updating it to account for our conversations last week, but that is where we will work out the details.
Indeed. That was good-faith "apparently" as in "the evidence suggests". Thank you for your explicit assumption of good-faith. I'm sorry I came off badly.
The argument I'd like to make to the Stewards is that (short of a good argument about why we should have a gate here) there should be no process for them to adopt.
-Aaron
On Wed, Oct 28, 2015 at 12:01 PM, Chris Steipp csteipp@wikimedia.org wrote:
On Wed, Oct 28, 2015 at 9:10 AM, Aaron Halfaker ahalfaker@wikimedia.org wrote:
Is there a clearly good reason that we need to continue this review process? If not, I find it very frustrating that we're slowing things down so much because of imagined boogie-men. The idea of permission-just-in-case-someone-does-a-bad-thing is opposed to the wiki model of keeping things as open as possible and addressing problems as they happen. In the meantime, we're encouraging bad behavior by making the OAuth system such a pain to work with. I understand that you're doing this in your free time csteipp, but the pain of delays is still inflicted on tool developers all the same. Maybe it is inappropriate that such a key infrastructure (and official requirement for Labs-based tools) is left up to volunteer time of someone who is apparently overworked.
I'm very happy for other people to join this process. I believe there's an open bug about making approvals automatic for non-controversial rights. Patches welcome.
- How long is this transition process supposed to take?
Not defined yet.
- Should I start making my argument to the Stewards now?
About what? If you have something that's not controversial, ping one of the admins, and I'm sure you can get your Consumer approved today.
- Is there a public conversation about this transition that I can participate in?
The RFC is the correct place. The Stewards are just getting back from travelling so I don't think we've started updating it to account for our conversations last week, but that is where we will work out the details.
Ricordisamoa wrote:
ALL of my OAuth applications expired without anyone noticing. Whom am I supposed to lobby to get one approved?
Hi.
This rant doesn't seem very random. :-)
This sounds like https://phabricator.wikimedia.org/T67750 (you're already subscribed). Also https://phabricator.wikimedia.org/T61772 and https://phabricator.wikimedia.org/T103587.
I don't really understand why an approvals process exists. When I asked in 2014, the answer was "we weren't sure how it was going to be used, and what way we would need to extend the protocol." It's been over a year and I still don't really know what that means. That same note indicated a willingness to fully re-examine the OAuth workflow, so given that it's now late 2015, here are the options I see, in order of preference:
* kill the approvals queue altogether;
* distribute the approvals process to the Wikimedia stewards;
* distribute the approvals process to additional Wikimedia Foundation employees; or
* keep the status quo.
It's difficult for me to figure out how realistic option 1 (killing the queue) is because I continue to have an incomplete understanding of OAuth and specifically why an approvals process was ever put into place.
Given that several Wikimedians have complained about the speed of the approvals process, it seems like option 4 (keeping the current situation) is a no-go. That leaves us with options 2 and 3 (expanding the pool of approvers) as the most straightforward choices.
Even if we implemented options 2 or 3 immediately, the lack of external visibility into the queue and the lack of notifications for queue submissions would very likely also need to be addressed. Option 1 would obviate the need for such additional features, of course.
MZMcBride
On 10/28/15, MZMcBride z@mzmcbride.com wrote:
Ricordisamoa wrote:
ALL of my OAuth applications expired without anyone noticing. Whom am I supposed to lobby to get one approved?
Hi.
This rant doesn't seem very random. :-)
This sounds like https://phabricator.wikimedia.org/T67750 (you're already subscribed). Also https://phabricator.wikimedia.org/T61772 and https://phabricator.wikimedia.org/T103587.
I don't really understand why an approvals process exists. When I asked in 2014, the answer was "we weren't sure how it was going to be used, and what way we would need to extend the protocol." It's been over a year and I still don't really know what that means. That same note indicated a willingness to fully re-examine the OAuth workflow, so given that it's now late 2015, here are the options I see, in order of preference:
- kill the approvals queue altogether;
- distribute the approvals process to the Wikimedia stewards;
- distribute the approvals process to additional Wikimedia Foundation employees; or
- keep the status quo.
It's difficult for me to figure out how realistic option 1 (killing the queue) is because I continue to have an incomplete understanding of OAuth and specifically why an approvals process was ever put into place.
Given that several Wikimedians have complained about the speed of the approvals process, it seems like option 4 (keeping the current situation) is a no-go. That leaves us with options 2 and 3 (expanding the pool of approvers) as the most straightforward choices.
Even if we implemented options 2 or 3 immediately, the lack of external visibility into the queue and the lack of notifications for queue submissions would very likely also need to be addressed. Option 1 would obviate the need for such additional features, of course.
MZMcBride
The response on https://meta.wikimedia.org/wiki/Talk:Requests_for_comment/OAuth_handover seems like meta admins don't seem thrilled about the idea of taking this over. Although most of that seems to be due to uncertainty about what the consequences are of a bad app getting approved.
Based on that page, the reasons for a queue seem to boil down to wanting the approver to be able to verify that the app is not malicious, the app respects privacy and the app is not a desktop client.
I'm not sure how necessary that all is, especially for apps with only normal edit rights, or less. If an app maintainer tries to pull anything silly, we can just block it. Users can already be tricked into giving their password to someone malicious, at least this way we can easily keep track of what's going on.
-- -bawolff
On 2015-10-28, Brian Wolff bawolff@gmail.com wrote:
I'm not sure how necessary that all is, especially for apps with only normal edit rights, or less. If an app maintainer tries to pull anything silly, we can just block it. Users can already be tricked into giving their password to someone malicious, at least this way we can easily keep track of what's going on.
I think the point of the approval process is that I don't install OAuth app key in the application like Vicuña (https://github.com/yarl/vicuna).
There is no clear consensus what to do with apps like this. One idea would be every user needs to register it for themselves, but that of course wouldn't work with the permission queue.
~saper
On Wed, Oct 28, 2015 at 4:40 AM, Marcin Cieslak saper@saper.info wrote:
I think the point of the approval process is that I don't install OAuth app key in the application like Vicuña (https://github.com/yarl/vicuna).
There is no clear consensus what to do with apps like this. One idea would be every user needs to register it for themselves, but that of course wouldn't work with the permission queue.
Indeed - limit the app to the user who registered it, and auto-approve it (and maybe provide a more convenient alternative to browser redirects for getting the token which the application can use to edit). That's tracked in T87395 https://phabricator.wikimedia.org/T87395.
On Tue, Oct 27, 2015 at 11:33 PM, MZMcBride z@mzmcbride.com wrote:
Even if we implemented options 2 or 3 immediately, the lack of external visibility into the queue and the lack of notifications for queue submissions would very likely also need to be addressed.
The queue is public ( https://meta.wikimedia.org/wiki/Special:OAuthListConsumers?name=&publish... ) although some sort of notification or watchlist feature would be nice.