In a discussion in the German Pirate Party the idea came up that we might want to have cryptographically signed wiki pages. I could not find that this has been implemented already anyhow.
Thus, can we develop an extsion which provides cryptographically signed wiki pages?
A brief and preliminaly scetch would mean that any user who provides a matching public key could sign any existing page. Before a page + signature is saved, the signature is checked for vadility. Editing a siged page is possible without resigning it. There must be a page display allowing to copy+paste the page with signature for external verification. Therre should be a button triggering the verifivation via an external online service. Maybe signature display of signed pages should be suppressable. Any numer of independent signatures must be possible to a page.
Does that make sense? Anything vital forgotten?
Feedback welcome.
Greetings -- Purodha
why do they need signed in the first place?
On Sun, Sep 13, 2015 at 5:39 AM, Purodha Blissenbach < purodha@blissenbach.org> wrote:
In a discussion in the German Pirate Party the idea came up that we might want to have cryptographically signed wiki pages. I could not find that this has been implemented already anyhow.
Thus, can we develop an extsion which provides cryptographically signed wiki pages?
A brief and preliminaly scetch would mean that any user who provides a matching public key could sign any existing page. Before a page + signature is saved, the signature is checked for vadility. Editing a siged page is possible without resigning it. There must be a page display allowing to copy+paste the page with signature for external verification. Therre should be a button triggering the verifivation via an external online service. Maybe signature display of signed pages should be suppressable. Any numer of independent signatures must be possible to a page.
Does that make sense? Anything vital forgotten?
Feedback welcome.
Greetings -- Purodha
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
I guess this is to guard against the WMF changing content behind the scenes? Through court order or otherwise?
The pages are already cryptographically signed for transmission (tls), so you know you get what WMF servers want you to get, at least.
Greg
-- Sent from my phone, please excuse brevity. On Sep 13, 2015 6:45 AM, "John" phoenixoverride@gmail.com wrote:
why do they need signed in the first place?
On Sun, Sep 13, 2015 at 5:39 AM, Purodha Blissenbach < purodha@blissenbach.org> wrote:
In a discussion in the German Pirate Party the idea came up that we might want to have cryptographically signed wiki pages. I could not find that this has been implemented already anyhow.
Thus, can we develop an extsion which provides cryptographically signed wiki pages?
A brief and preliminaly scetch would mean that any user who provides a matching public key could sign any existing page. Before a page + signature is saved, the signature is checked for
vadility.
Editing a siged page is possible without resigning it. There must be a page display allowing to copy+paste the page with signature for external verification. Therre should be a button triggering the verifivation via an external online service. Maybe signature display of signed pages should be suppressable. Any numer of independent signatures must be possible to a page.
Does that make sense? Anything vital forgotten?
Feedback welcome.
Greetings -- Purodha
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
The idea is that third parties can publish texts, such as theis statutes, via a open or public wiki, and readers can be sure to read, download, sign, and mail the originals. Another use would be to have pledges and petitions signed by many people. Etc. It is not about WMF-run Wikis.
Purodha
On 13.09.2015 18:09, Greg Grossmeier wrote:
I guess this is to guard against the WMF changing content behind the scenes? Through court order or otherwise?
The pages are already cryptographically signed for transmission (tls), so you know you get what WMF servers want you to get, at least.
Greg
-- Sent from my phone, please excuse brevity. On Sep 13, 2015 6:45 AM, "John" phoenixoverride@gmail.com wrote:
why do they need signed in the first place?
On Sun, Sep 13, 2015 at 5:39 AM, Purodha Blissenbach < purodha@blissenbach.org> wrote:
In a discussion in the German Pirate Party the idea came up that
we might
want to have cryptographically signed wiki pages. I could not find that this has been implemented already anyhow.
Thus, can we develop an extsion which provides cryptographically
signed
wiki pages?
A brief and preliminaly scetch would mean that any user who
provides a
matching public key could sign any existing page. Before a page + signature is saved, the signature is checked for
vadility.
Editing a siged page is possible without resigning it. There must be a page display allowing to copy+paste the page with signature for external verification. Therre should be a button triggering the verifivation via an
external
online service. Maybe signature display of signed pages should be suppressable. Any numer of independent signatures must be possible to a page.
Does that make sense? Anything vital forgotten?
Feedback welcome.
Greetings -- Purodha
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Obligatory XKCD: https://xkcd.com/538/
On Sun, Sep 13, 2015 at 9:20 AM, Purodha Blissenbach < purodha@blissenbach.org> wrote:
The idea is that third parties can publish texts, such as theis statutes, via a open or public wiki, and readers can be sure to read, download, sign, and mail the originals. Another use would be to have pledges and petitions signed by many people. Etc. It is not about WMF-run Wikis.
Purodha
On 13.09.2015 18:09, Greg Grossmeier wrote:
I guess this is to guard against the WMF changing content behind the scenes? Through court order or otherwise?
The pages are already cryptographically signed for transmission (tls), so you know you get what WMF servers want you to get, at least.
Greg
-- Sent from my phone, please excuse brevity. On Sep 13, 2015 6:45 AM, "John" phoenixoverride@gmail.com wrote:
why do they need signed in the first place?
On Sun, Sep 13, 2015 at 5:39 AM, Purodha Blissenbach < purodha@blissenbach.org> wrote:
In a discussion in the German Pirate Party the idea came up that we
might
want to have cryptographically signed wiki pages. I could not find that this has been implemented already anyhow.
Thus, can we develop an extsion which provides cryptographically signed wiki pages?
A brief and preliminaly scetch would mean that any user who provides a matching public key could sign any existing page. Before a page + signature is saved, the signature is checked for
vadility.
Editing a siged page is possible without resigning it. There must be a page display allowing to copy+paste the page with signature for external verification. Therre should be a button triggering the verifivation via an external online service. Maybe signature display of signed pages should be suppressable. Any numer of independent signatures must be possible to a page.
Does that make sense? Anything vital forgotten?
Feedback welcome.
Greetings -- Purodha
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
2015-09-13 18:47 GMT+02:00 Max Semenik maxsem.wiki@gmail.com:
Obligatory XKCD: https://xkcd.com/538/
Gotta draw another version with "try using 'password1' as password"
On Sun, Sep 13, 2015 at 5:39 AM, Purodha Blissenbach < purodha@blissenbach.org> wrote:
In a discussion in the German Pirate Party the idea came up that we
might
want to have cryptographically signed wiki pages. I could not find that this has been implemented already anyhow.
Thus, can we develop an extsion which provides cryptographically
signed
wiki pages?
A brief and preliminaly scetch would mean that any user who provides
a
matching public key could sign any existing page. Before a page + signature is saved, the signature is checked for
vadility.
Editing a siged page is possible without resigning it. There must be a page display allowing to copy+paste the page with signature for external verification. Therre should be a button triggering the verifivation via an external online service. Maybe signature display of signed pages should be suppressable. Any numer of independent signatures must be possible to a page.
Does that make sense? Anything vital forgotten?
Feedback welcome.
Greetings -- Purodha
IMHO a more legally binding solution would be attaching a signed plaintext containing page wikicode. This was identity check could be done also offline, without exclusively relying on site's infrastructure.
Vito
On 13/09/15 18:20, Purodha Blissenbach wrote:
The idea is that third parties can publish texts, such as theis statutes, via a open or public wiki, and readers can be sure to read, download, sign, and mail the originals. Another use would be to have pledges and petitions signed by many people. Etc. It is not about WMF-run Wikis.
Purodha
You can already use PGP-armored wikitext if you wanted to (you may want to parse it locally, ensure that it doesn't call unsigned templates, etc. but the option is there).
You will run into problems with transclusions http://www.w3.org/standards/techs/xmlsig#w3c_all
On Tue, Sep 15, 2015 at 1:54 AM, Platonides platonides@gmail.com wrote:
On 13/09/15 18:20, Purodha Blissenbach wrote:
The idea is that third parties can publish texts, such as theis statutes, via a open or public wiki, and readers can be sure to read, download, sign, and mail the originals. Another use would be to have pledges and petitions signed by many people. Etc. It is not about WMF-run Wikis.
Purodha
You can already use PGP-armored wikitext if you wanted to (you may want to parse it locally, ensure that it doesn't call unsigned templates, etc. but the option is there).
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Not to mention images, dynamic parser extensions that do not functionally depend on their input, changes to site javascript, etc.
On 9/14/15, John Erling Blad jeblad@gmail.com wrote:
You will run into problems with transclusions http://www.w3.org/standards/techs/xmlsig#w3c_all
On Tue, Sep 15, 2015 at 1:54 AM, Platonides platonides@gmail.com wrote:
On 13/09/15 18:20, Purodha Blissenbach wrote:
The idea is that third parties can publish texts, such as theis statutes, via a open or public wiki, and readers can be sure to read, download, sign, and mail the originals. Another use would be to have pledges and petitions signed by many people. Etc. It is not about WMF-run Wikis.
Purodha
You can already use PGP-armored wikitext if you wanted to (you may want to parse it locally, ensure that it doesn't call unsigned templates, etc. but the option is there).
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
On Sun, Sep 13, 2015 at 2:39 AM, Purodha Blissenbach < purodha@blissenbach.org> wrote:
Thus, can we develop an extsion which provides cryptographically signed wiki pages?
T12453 https://phabricator.wikimedia.org/T12453 might interest you; it's about encrypting emails but it involves developing some generic low-level tooling for PGP inside MediaWiki.
Editing a signed page is possible without resigning it.
That seems to defeat the whole point, although I might just not understand what the point is.
On 13.09.2015 23:50, Gergo Tisza wrote:
On Sun, Sep 13, 2015 at 2:39 AM, Purodha Blissenbach wrote:
Editing a signed page is possible without resigning it.
That seems to defeat the whole point, although I might just not understand what the point is.
Oh, yes. Rephrasing:
Editing a signed page is possible and yields an unsigned page. This could then be signed afresh, but that is optional.
Purodha
On 9/13/15, Purodha Blissenbach purodha@blissenbach.org wrote:
In a discussion in the German Pirate Party the idea came up that we might want to have cryptographically signed wiki pages. I could not find that this has been implemented already anyhow.
Thus, can we develop an extsion which provides cryptographically signed wiki pages?
A brief and preliminaly scetch would mean that any user who provides a matching public key could sign any existing page. Before a page + signature is saved, the signature is checked for vadility. Editing a siged page is possible without resigning it. There must be a page display allowing to copy+paste the page with signature for external verification. Therre should be a button triggering the verifivation via an external online service. Maybe signature display of signed pages should be suppressable. Any numer of independent signatures must be possible to a page.
Does that make sense? Anything vital forgotten?
Feedback welcome.
Greetings -- Purodha
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Sounds like the sort of use case that would be well-adapted to ContentHandler.
Whether or not this is a good idea depends on what sort of security goals you have in mind.
Some thoughts *Key distribution: Can just anyone sign any page with any key? How do you communicate to the user if the signature is worth anything? Will some association be made between user accounts and public keys? *Intent of signature: You may want to have some way to specify what the intent of the signature is - Is the signer agreeing with the document? agreeing to be bound by the document? asserting that they have reviewed the document for factual accuracy? * "Therre should be a button triggering the verifivation via an external online service" Well probably a good idea, keep in mind - if you don't trust the local server, why would you trust that one of its links go to the legitimate external server, etc.
-- bawolff
Hi,
UploadWizard has a lot of bugs and is sometimes defacto unusable.
See error reports here: https://commons.wikimedia.org/wiki/Commons:Upload_Wizard_feedback
See also reports on phabricator.
It is a huge problem that the UploadWizard is not fixed for years now. Especially during WLM we have a lot of error reports.
Kind regards, Steinsplitter
On 2015-09-14 13:44, Steinsplitter Wiki wrote:
Hi,
UploadWizard has a lot of bugs and is sometimes defacto unusable.
Hi. UploadWizard is maintained by a three-person team, and it's only one of many responsibilities every of us has. Personally I find it perfectly usable.
See also reports on phabricator.
It is a huge problem that the UploadWizard is not fixed for years
now. Especially during WLM we have a lot of error reports.
I actually spend a bit of time working on it in the last two weeks, fixing a number of issues which would result in not being able to finish the upload if something went wrong. We're even boasting about this in the next Tech News: https://meta.wikimedia.org/wiki/Tech/News/2015/39
Can you point to specific issues that are especially problematic for you?
See error reports here: https://commons.wikimedia.org/wiki/Commons:Upload_Wizard_feedback
So I looked at the last ten, findings below. This page would be much more useful if it was tended to by Commons community a bit more.
41 Wiki Loves Monuments 50 FOTOGRAFÍA DEL ESCRITOR CARLOS MIDENCE 51 FOTOGRAFÍA DE CARLOS MIDENCE
These are in Spanish, I think? Apologies, but I do not speak Spanish. I can take bug reports in Polish and English. :)
43 Name des Fotos IMGb2451 45 Fehlschlag 48 Interner Fehler: Der Token ist fehlerhaft.
These are in German. I do not speak German either. Two of them are linked to Phabricator bugs, which is nice, and both of the bugs are resolved.
42 Tomoji NAKAMURA
This just says "I can not up lord." (sic). That is, unfortunately, not a useful bug report.
44 Issue
"Upload Wizard is not working.". Not useful :(
46 to change the title of the file during uploading
This describes https://phabricator.wikimedia.org/T106968 , which is one of the problems I fixed last week.
47 Uploading several files - unique file name?
This is T106968 again, and also https://phabricator.wikimedia.org/T48741 , which I also fixed last week.
49 Chunked upload crash
This is interesting and finally something new. Can you file a but?
It would be useful if the file in question was available for download somewhere, so that we could try to reproduce the issue.
I'm not sure if any of us in Multimedia have the access necessary to try to find out what happened to the failed upload.
Hi, jst a few minues ago, I tried to use the upload wizard of commons. It stalled in the midst of everything and it did not upload anything. Purodha
On 15.09.2015 14:18, Bartosz Dziewoński wrote:
On 2015-09-14 13:44, Steinsplitter Wiki wrote:
Hi,
UploadWizard has a lot of bugs and is sometimes defacto unusable.
Hi. UploadWizard is maintained by a three-person team, and it's only one of many responsibilities every of us has. Personally I find it perfectly usable.
See also reports on phabricator.
It is a huge problem that the UploadWizard is not fixed for years now. Especially during WLM we have a lot of error reports.
I actually spend a bit of time working on it in the last two weeks, fixing a number of issues which would result in not being able to finish the upload if something went wrong. We're even boasting about this in the next Tech News: https://meta.wikimedia.org/wiki/Tech/News/2015/39
Can you point to specific issues that are especially problematic for you?
See error reports here: https://commons.wikimedia.org/wiki/Commons:Upload_Wizard_feedback
So I looked at the last ten, findings below. This page would be much more useful if it was tended to by Commons community a bit more.
41 Wiki Loves Monuments 50 FOTOGRAFÍA DEL ESCRITOR CARLOS MIDENCE 51 FOTOGRAFÍA DE CARLOS MIDENCE
These are in Spanish, I think? Apologies, but I do not speak Spanish. I can take bug reports in Polish and English. :)
43 Name des Fotos IMGb2451 45 Fehlschlag 48 Interner Fehler: Der Token ist fehlerhaft.
These are in German. I do not speak German either. Two of them are linked to Phabricator bugs, which is nice, and both of the bugs are resolved.
42 Tomoji NAKAMURA
This just says "I can not up lord." (sic). That is, unfortunately, not a useful bug report.
44 Issue
"Upload Wizard is not working.". Not useful :(
46 to change the title of the file during uploading
This describes https://phabricator.wikimedia.org/T106968 , which is one of the problems I fixed last week.
47 Uploading several files - unique file name?
This is T106968 again, and also https://phabricator.wikimedia.org/T48741 , which I also fixed last week.
49 Chunked upload crash
This is interesting and finally something new. Can you file a but?
It would be useful if the file in question was available for download somewhere, so that we could try to reproduce the issue.
I'm not sure if any of us in Multimedia have the access necessary to try to find out what happened to the failed upload.
On Tue, Sep 15, 2015 at 02:40:17PM +0200, Purodha Blissenbach wrote:
jst a few minues ago, I tried to use the upload wizard of commons. It stalled in the midst of everything and it did not upload anything.
Purodha,
This is the sort of bug report that we, as people who try to maintain Upload Wizard, can do exactly nothing with.
What file(s) were you using? How long did you wait between opening the page and uploading the file(s)? What license(s) are you uploading them under? What file format are they? What browser were you using? What OS? Do you get any error messages in the browser console? Does any other process on your system seem slow or halted?
These are all basic debugging questions that, frankly, on a technical mailing list I feel I shouldn't need to ask.
Please either reply in private or file a Phabricator task describing your issue in detail.
On Tue, 2015-09-15 at 08:10 -0500, Mark Holmquist wrote:
What file(s) were you using? How long did you wait between opening the page and uploading the file(s)? What license(s) are you uploading them under? What file format are they? What browser were you using? What OS? Do you get any error messages in the browser console? Does any other process on your system seem slow or halted?
Are these questions listed on some UploadWizard wikipage/section? https://commons.wikimedia.org/wiki/Commons:Upload_Wizard_feedback says "To resolve issues, it helps us to have exact steps to reproduce" so I'd love that sentence to link to such "basic" debugging questions.
Does also asking users to add "?debug=true" to the URL and to try again make sense in the context of debugging UploadWizard issues, or not?
andre
On Tue, Sep 15, 2015 at 04:49:49PM +0200, Andre Klapper wrote:
On Tue, 2015-09-15 at 08:10 -0500, Mark Holmquist wrote: Are these questions listed on some UploadWizard wikipage/section? https://commons.wikimedia.org/wiki/Commons:Upload_Wizard_feedback says "To resolve issues, it helps us to have exact steps to reproduce" so I'd love that sentence to link to such "basic" debugging questions.
I don't know if there's a "common questions" link anywhere. I could write it. I guess I just did.
I honestly don't think that page is very useful, it gets a lot of noise and not much signal, which is why I don't usually look at it. We could change the config to point at Phabricator, maybe?
Does also asking users to add "?debug=true" to the URL and to try again make sense in the context of debugging UploadWizard issues, or not?
It usually does, if only to get meaningful error messages and line numbers for a bug report.
On 15 September 2015 at 08:10, Mark Holmquist mtraceur@member.fsf.org wrote:
On Tue, Sep 15, 2015 at 04:49:49PM +0200, Andre Klapper wrote:
On Tue, 2015-09-15 at 08:10 -0500, Mark Holmquist wrote: Are these questions listed on some UploadWizard wikipage/section? https://commons.wikimedia.org/wiki/Commons:Upload_Wizard_feedback says "To resolve issues, it helps us to have exact steps to reproduce" so I'd love that sentence to link to such "basic" debugging questions.
I don't know if there's a "common questions" link anywhere. I could write it. I guess I just did.
I honestly don't think that page is very useful, it gets a lot of noise and not much signal, which is why I don't usually look at it. We could change the config to point at Phabricator, maybe?
Yeah, maybe dropping the feedback tool link from UW might make sense, or at least, turning the target page into a system better suited for tracking things (we use Flow for VE/F which works quite well as we can show which things are resolved).
J.
On 15 September 2015 at 08:26, James Forrester jforrester@wikimedia.org wrote:
On 15 September 2015 at 08:10, Mark Holmquist mtraceur@member.fsf.org wrote:
On Tue, Sep 15, 2015 at 04:49:49PM +0200, Andre Klapper wrote:
On Tue, 2015-09-15 at 08:10 -0500, Mark Holmquist wrote: Are these questions listed on some UploadWizard wikipage/section? https://commons.wikimedia.org/wiki/Commons:Upload_Wizard_feedback says "To resolve issues, it helps us to have exact steps to reproduce" so I'd love that sentence to link to such "basic" debugging questions.
I don't know if there's a "common questions" link anywhere. I could write it. I guess I just did.
I honestly don't think that page is very useful, it gets a lot of noise and not much signal, which is why I don't usually look at it. We could change the config to point at Phabricator, maybe?
Yeah, maybe dropping the feedback tool link from UW might make sense, or at least, turning the target page into a system better suited for tracking things (we use Flow for VE/F which works quite well as we can show which things are resolved).
Follow-up: In chatting with Steinsplitter on IRC, we agreed to replace the link with a Phabricator one for the time being:
https://phabricator.wikimedia.org/T112666
Hopefully this will help ease things!
Yours,
wikitech-l@lists.wikimedia.org